authorÉtienne Loks <etienne.loks@peacefrogs.net>2010-11-27 19:09:37 +0100
committerÉtienne Loks <etienne.loks@peacefrogs.net>2010-11-27 19:09:37 +0100
commit9938ec566e87fe66cd8e91576fefbfbcadddd9c3 (patch)
tree50aba593f62f4b05cd23ecb2be4395a7ffd2b1bb /chimere/templates
parent30c05dafd18c1c6670453a0fecbedef21cae9ddf (diff)
Use a sanitize filter to correct a security issue (closes #283)
Diffstat (limited to 'chimere/templates')
-rw-r--r--chimere/templates/detail.html6
-rw-r--r--chimere/templates/welcome.html3
2 files changed, 6 insertions, 3 deletions
diff --git a/chimere/templates/detail.html b/chimere/templates/detail.html
index d7084db..baa13b4 100644
--- a/chimere/templates/detail.html
+++ b/chimere/templates/detail.html
@@ -1,4 +1,5 @@
{% load i18n %}
+{% load sanitize %}
<h2>{{ marker.name }}</h2>
<div id='detail_content'>
{% if marker.picture %}<img src='{{media_path}}{{marker.picture}}' alt='{{marker.name}}'/>{%endif%}
@@ -8,8 +9,9 @@
{% if marker.end_date %} - {{marker.end_date|date:"D d M Y"}}</p>{% endif %}</span>
{% endif %}
{% for property in marker.getProperties %}
-<p id='{{property.propertymodel.getNamedId}}'>{{ property.value|safe }}</p>
-{% endfor %}</div>{% if share_networks %}
+<p id='{{property.propertymodel.getNamedId}}'>{{ property.value|sanitize:"p b a:href ul li ol h1 h2 h3 h4"|safe}}</p>
+{% endfor %}
+</div>{% if share_networks %}
{% if simple %}{% trans "Share on"%}{% for share_network in share_networks %}
<a href='{{share_network.1}}'>{{share_network.0}}</a>
{% endfor %}{%else%}
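Review bot: Whitelisting `a:href` on the new `<p>` line means the output is only as safe as the `sanitize` filter's handling of the attribute value, which this diff does not show; if the filter checks attribute names but passes `href` through unchanged, `<a href="javascript:...">` survives and `|safe` then marks it trusted. Worth confirming that the filter restricts `href` to http/https/mailto (or relative) URLs and drops anything else, and recording that expectation at the call site, e.g. `{# sanitize whitelist: tags + a:href; href must be scheme-filtered by the filter itself #}`. Since these anchors come from user-submitted property values, adding `rel="nofollow"` to the surviving links would also be reasonable if the filter allows it. The same whitelist string is repeated in welcome.html; keeping it in one place would stop the two copies drifting apart.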
diff --git a/chimere/templates/welcome.html b/chimere/templates/welcome.html
index 8206c18..d568851 100644
--- a/chimere/templates/welcome.html
+++ b/chimere/templates/welcome.html
@@ -1,4 +1,5 @@
{% load i18n %}
+{% load sanitize %}
<div id='welcome' {% if not display %}style='display:None'{%endif%}>
<h2>{% trans "Welcome to Chimère"%}</h2>
<div id='detail_content'>
@@ -12,7 +13,7 @@
{% else %}
<h3>{{news.name}} &ndash; {{ news.start_date }}{% if news.end_date %} - {{ news.end_date }}{% endif %}</h3>
{% for property in news.getProperties %}
- <p id='{{news.propertymodel.getNamedId}}'>{{ property.value|safe }}</p>
+ <p id='{{news.propertymodel.getNamedId}}'>{{ property.value|sanitize:"p b a:href ul li ol h1 h2 h3 h4"|safe }}</p>
{% endfor %}
<p class='marker_link'><a href='{{ news.get_absolute_url }}'>{% trans "See it on the map"%}</a></p>
{% endif %}
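Review bot: The tag whitelist `"p b a:href ul li ol h1 h2 h3 h4"` is now a second verbatim copy of the one in detail.html, so any future tightening (or loosening) of what user content may contain has to be made in two places; a single shared constant or a filter default would keep the policy in one spot. Separately, the new line still sets the paragraph `id` from `news.propertymodel.getNamedId` inside a loop over `news.getProperties`, which gives every rendered `<p>` the same id; presumably `property.propertymodel.getNamedId`, as detail.html uses, was intended — that is pre-existing, but since the line is being rewritten it is worth fixing here: `<p id='{{property.propertymodel.getNamedId}}'>{{ property.value|sanitize:"p b a:href ul li ol h1 h2 h3 h4"|safe }}</p>`. As with detail.html, whether `a:href` is safe depends on the filter filtering URL schemes, which is not visible in this diff.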