authorÉtienne Loks <etienne.loks@peacefrogs.net>2010-11-27 19:09:37 +0100
committerÉtienne Loks <etienne.loks@peacefrogs.net>2010-11-27 19:09:37 +0100
commit9938ec566e87fe66cd8e91576fefbfbcadddd9c3 (patch)
tree50aba593f62f4b05cd23ecb2be4395a7ffd2b1bb
parent30c05dafd18c1c6670453a0fecbedef21cae9ddf (diff)
Use a sanitize filter to correct a security issue (closes #283)
-rw-r--r--chimere/main/templatetags/__init__.py1
-rw-r--r--chimere/main/templatetags/sanitize.py31
-rw-r--r--chimere/main/views.py2
-rw-r--r--chimere/templates/detail.html6
-rw-r--r--chimere/templates/welcome.html3
5 files changed, 39 insertions, 4 deletions
diff --git a/chimere/main/templatetags/__init__.py b/chimere/main/templatetags/__init__.py
new file mode 100644
index 0000000..792d600
--- /dev/null
+++ b/chimere/main/templatetags/__init__.py
@@ -0,0 +1 @@
+#
diff --git a/chimere/main/templatetags/sanitize.py b/chimere/main/templatetags/sanitize.py
new file mode 100644
index 0000000..ccb936c
--- /dev/null
+++ b/chimere/main/templatetags/sanitize.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+from django import template
+from BeautifulSoup import BeautifulSoup, Comment
+import re
+
+register = template.Library()
+
+def sanitize(value, allowed_tags):
+ """Argument should be in form 'tag2:attr1:attr2 tag2:attr1 tag3', where tags
+ are allowed HTML tags, and attrs are the allowed attributes for that tag.
+ """
+ js_regex = re.compile(r'[\s]*(&#x.{1,7})?'.join(list('javascript')))
+ allowed_tags = [tag.split(':') for tag in allowed_tags.split()]
+ allowed_tags = dict((tag[0], tag[1:]) for tag in allowed_tags)
+
+ soup = BeautifulSoup(value)
+ for comment in soup.findAll(text=lambda text: isinstance(text, Comment)):
+ comment.extract()
+
+ for tag in soup.findAll(True):
+ if tag.name not in allowed_tags:
+ tag.hidden = True
+ else:
+ tag.attrs = [(attr, js_regex.sub('', val)) for attr, val in tag.attrs
+ if attr in allowed_tags[tag.name]]
+ return soup.renderContents().decode('utf8')
+
+register.filter(sanitize)
+
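Review bot: The `href` value that reaches the attribute rewrite on the `tag.attrs = [...]` line is cleaned by substring removal, not validated: `js_regex` only strips the literal letters of `javascript` with optional whitespace or `&#x` hex-entity gaps between them, so any other spelling of that scheme and every other URL scheme pass through untouched, and since BeautifulSoup 3 does not appear to decode attribute entities here (nothing sets `convertEntities`), the regex presumably never sees a decoded value at all. For a URL-bearing attribute the robust check is a scheme allowlist applied after entity decoding — e.g. drop the attribute unless `urlparse(decoded_val).scheme in ('', 'http', 'https', 'mailto')` — with the regex kept only as defence in depth. Two smaller points: the filter is registered without `stringfilter`, so a `None` or non-string property value reaches `BeautifulSoup(value)` untested, and the filter hands back plain text that every template must then mark `|safe`; returning `mark_safe(...)` (or registering with `is_safe=True`) would keep that trust decision inside the filter instead of at each call site.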
diff --git a/chimere/main/views.py b/chimere/main/views.py
index d8e9719..5d13dcb 100644
--- a/chimere/main/views.py
+++ b/chimere/main/views.py
@@ -243,7 +243,7 @@ def getDetail(request, area_name, marker_id):
Get the detail for a marker
'''
try:
- marker = Marker.objects.filter(id=int(marker_id), status='A')[0]
+ marker = Marker.objects.filter(id=int(marker_id), status__in=['A', 'S'])[0]
except (ValueError, IndexError):
return HttpResponse('no results')
response_dct = get_base_response()
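Review bot: `status__in=['A', 'S']` on the new line widens which markers the public detail view serves, which is neither part of the sanitize change the commit title describes nor mentioned in the message; if `'S'` denotes a not-yet-published state, this exposes records the old `status='A'` filter kept out. If the widening is intended, a short comment naming the states, e.g. `# 'A' (<meaning>) and 'S' (<meaning>) markers are both publicly viewable` with the meanings taken from the Marker model, would stop a later reader from reverting it as an accident. getDetail begins before the hunk and its body continues after it.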
diff --git a/chimere/templates/detail.html b/chimere/templates/detail.html
index d7084db..baa13b4 100644
--- a/chimere/templates/detail.html
+++ b/chimere/templates/detail.html
@@ -1,4 +1,5 @@
{% load i18n %}
+{% load sanitize %}
<h2>{{ marker.name }}</h2>
<div id='detail_content'>
{% if marker.picture %}<img src='{{media_path}}{{marker.picture}}' alt='{{marker.name}}'/>{%endif%}
@@ -8,8 +9,9 @@
{% if marker.end_date %} - {{marker.end_date|date:"D d M Y"}}</p>{% endif %}</span>
{% endif %}
{% for property in marker.getProperties %}
-<p id='{{property.propertymodel.getNamedId}}'>{{ property.value|safe }}</p>
-{% endfor %}</div>{% if share_networks %}
+<p id='{{property.propertymodel.getNamedId}}'>{{ property.value|sanitize:"p b a:href ul li ol h1 h2 h3 h4"|safe}}</p>
+{% endfor %}
+</div>{% if share_networks %}
{% if simple %}{% trans "Share on"%}{% for share_network in share_networks %}
<a href='{{share_network.1}}'>{{share_network.0}}</a>
{% endfor %}{%else%}
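Review bot: The allowlist argument `"p b a:href ul li ol h1 h2 h3 h4"` on the new `<p id='{{property.propertymodel.getNamedId}}'>` line is repeated verbatim in welcome.html, so the two pages can silently drift and one of them end up sanitizing less strictly than the other. Defining the list once — as a default argument of the `sanitize` filter so the templates can write `{{ property.value|sanitize|safe }}`, or as a single setting both templates reference — keeps one policy for every rendering of `property.value`. The same applies to the welcome.html hunk.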
diff --git a/chimere/templates/welcome.html b/chimere/templates/welcome.html
index 8206c18..d568851 100644
--- a/chimere/templates/welcome.html
+++ b/chimere/templates/welcome.html
@@ -1,4 +1,5 @@
{% load i18n %}
+{% load sanitize %}
<div id='welcome' {% if not display %}style='display:None'{%endif%}>
<h2>{% trans "Welcome to Chimère"%}</h2>
<div id='detail_content'>
@@ -12,7 +13,7 @@
{% else %}
<h3>{{news.name}} &ndash; {{ news.start_date }}{% if news.end_date %} - {{ news.end_date }}{% endif %}</h3>
{% for property in news.getProperties %}
- <p id='{{news.propertymodel.getNamedId}}'>{{ property.value|safe }}</p>
+ <p id='{{news.propertymodel.getNamedId}}'>{{ property.value|sanitize:"p b a:href ul li ol h1 h2 h3 h4"|safe }}</p>
{% endfor %}
<p class='marker_link'><a href='{{ news.get_absolute_url }}'>{% trans "See it on the map"%}</a></p>
{% endif %}