Add html sanitization.

Probably the html sent by your instance is already sanitized, but I haven't
checked the Mastodon source to be sure.

brutaldon/settings.py

@@ -38,6 +38,7 @@ INSTALLED_APPS = [
     'django.contrib.messages',
     'django.contrib.staticfiles',
     'widget_tweaks',
+    'sanitizer',
     'django.contrib.humanize',
     'brutaldon',
 ]
@@ -122,3 +123,7 @@ USE_TZ = True
 
 STATIC_URL = '/static/'
 STATIC_ROOT = os.path.join(BASE_DIR, 'static')
+
+# Sanitizer settings
+SANITIZER_ALLOWED_TAGS = ['a', 'p', 'img', 'br', 'i', 'strong']
+SANITIZER_ALLOWED_ATTRIBUTES = ['href', 'src']

brutaldon/templates/main/toot_partial.html

@@ -1,4 +1,5 @@
 {% load humanize %}
+{% load sanitizer %}
 
 <article class="media">
     <figure class="media-left">
@@ -31,7 +32,7 @@
                 </p>
             {% endif %}
             <div class="toot">
-                {{ toot.content | safe }}
+                {{ toot.content | strip_html | safe }}
             </div>
 
             {% if toot.media_attachments %}

requirements.txt

@@ -1,8 +1,11 @@
+bleach==2.1.3
 certifi==2017.11.5
 chardet==3.0.4
 decorator==4.1.2
 Django==2.0.4
+django-html-sanitizer==0.1.5
 django-widget-tweaks==1.4.2
+html5lib==1.0.1
 idna==2.6
 Mastodon.py==1.2.1
 python-dateutil==2.6.1
@@ -10,3 +13,4 @@ pytz==2017.3
 requests==2.18.4
 six==1.11.0
 urllib3==1.22
+webencodings==0.5.1