Add html sanitization.

Probably the html sent by your instance is already sanitized, but I haven't
checked the Mastodon source to be sure.
This commit is contained in:
Jason McBrayer 2018-04-26 20:36:48 -04:00
parent e773511726
commit bf3af37003
3 changed files with 11 additions and 1 deletions


@ -38,6 +38,7 @@ INSTALLED_APPS = [
'django.contrib.messages',
'django.contrib.staticfiles',
'widget_tweaks',
'sanitizer',
'django.contrib.humanize',
'brutaldon',
]
@ -122,3 +123,7 @@ USE_TZ = True
STATIC_URL = '/static/'
STATIC_ROOT = os.path.join(BASE_DIR, 'static')
# Sanitizer settings
SANITIZER_ALLOWED_TAGS = ['a', 'p', 'img', 'br', 'i', 'strong']
SANITIZER_ALLOWED_ATTRIBUTES = ['href', 'src']
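Review bot: `SANITIZER_ALLOWED_ATTRIBUTES = ['href', 'src']` whitelists the two URL-bearing attributes without saying which URL schemes are accepted, so protection against `javascript:`-style links rests entirely on the underlying library's default protocol filtering rather than on anything in this settings block. bleach, which django-html-sanitizer wraps, limits URL schemes to http, https and mailto by default, but it is worth confirming that the 0.1.5 wrapper actually forwards that default rather than passing URLs through unchecked. The attribute list is also global rather than per-tag, so `src` is permitted on `a` and `href` on `img`, and allowing `img src` at all means a remote instance can embed third-party images that load when a toot is viewed. If those trade-offs are intended, recording them next to the settings would help the next maintainer, e.g. `# href/src are allowed on every tag above; URL-scheme filtering relies on bleach's defaults (http/https/mailto) — confirm the wrapper applies them`.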


@ -1,4 +1,5 @@
{% load humanize %}
{% load sanitizer %}
<article class="media">
<figure class="media-left">
@ -31,7 +32,7 @@
</p>
{% endif %}
<div class="toot">
{{ toot.content | safe }}
{{ toot.content | strip_html | safe }}
</div>
{% if toot.media_attachments %}
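Review bot: `{{ toot.content | strip_html | safe }}` applies the filters in the right order (sanitize, then mark safe), but the fix covers only this one output; any other template or field that renders instance-supplied HTML with `| safe` remains unsanitized unless it is changed the same way, and this section cannot show whether such places exist. A repository-wide search for `| safe` would confirm the coverage is complete. Judging by its name, `strip_html` silently drops markup outside the configured whitelist rather than escaping it, so content using other tags will lose those parts without any indication to the reader; if surfacing them as visible text is preferable, the sanitizer app's escaping filter (`escape_html`, if I recall its name correctly) is the alternative.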


@ -1,8 +1,11 @@
bleach==2.1.3
certifi==2017.11.5
chardet==3.0.4
decorator==4.1.2
Django==2.0.4
django-html-sanitizer==0.1.5
django-widget-tweaks==1.4.2
html5lib==1.0.1
idna==2.6
Mastodon.py==1.2.1
python-dateutil==2.6.1
@ -10,3 +13,4 @@ pytz==2017.3
requests==2.18.4
six==1.11.0
urllib3==1.22
webencodings==0.5.1