Diffstat (limited to 'chimere/main')
| -rw-r--r-- | chimere/main/templatetags/__init__.py | 1 | ||||
| -rw-r--r-- | chimere/main/templatetags/sanitize.py | 31 | ||||
| -rw-r--r-- | chimere/main/views.py | 2 | 
3 files changed, 33 insertions, 1 deletions
diff --git a/chimere/main/templatetags/__init__.py b/chimere/main/templatetags/__init__.py
new file mode 100644
index 0000000..792d600
--- /dev/null
+++ b/chimere/main/templatetags/__init__.py
@@ -0,0 +1 @@
+#
diff --git a/chimere/main/templatetags/sanitize.py b/chimere/main/templatetags/sanitize.py
new file mode 100644
index 0000000..ccb936c
--- /dev/null
+++ b/chimere/main/templatetags/sanitize.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+from django import template
+from BeautifulSoup import BeautifulSoup, Comment
+import re
+
+register = template.Library()
+
+def sanitize(value, allowed_tags):
+    """Argument should be in form 'tag2:attr1:attr2 tag2:attr1 tag3', where tags
+    are allowed HTML tags, and attrs are the allowed attributes for that tag.
+    """
+    js_regex = re.compile(r'[\s]*(&#x.{1,7})?'.join(list('javascript')))
+    allowed_tags = [tag.split(':') for tag in allowed_tags.split()]
+    allowed_tags = dict((tag[0], tag[1:]) for tag in allowed_tags)
+
+    soup = BeautifulSoup(value)
+    for comment in soup.findAll(text=lambda text: isinstance(text, Comment)):
+        comment.extract()
+
+    for tag in soup.findAll(True):
+        if tag.name not in allowed_tags:
+            tag.hidden = True
+        else:
+            tag.attrs = [(attr, js_regex.sub('', val)) for attr, val in tag.attrs
+                         if attr in allowed_tags[tag.name]]
+    return soup.renderContents().decode('utf8')
+
+register.filter(sanitize)
+
diff --git a/chimere/main/views.py b/chimere/main/views.py
index d8e9719..5d13dcb 100644
--- a/chimere/main/views.py
+++ b/chimere/main/views.py
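Review bot: The `js_regex = re.compile(r'[\s]*(&#x.{1,7})?'.join(list('javascript')))` pattern is compiled without `re.IGNORECASE`, so only the lower-case spelling of the token is removed, and because `js_regex.sub('', val)` runs a single pass per attribute, a value in which the removal itself yields the token is left intact. A denylist substitution on attribute values is the wrong primitive here: URL-bearing attributes such as `href` and `src` should instead be accepted only when their scheme is on an explicit allowlist and dropped otherwise, which also covers encodings the `&#x` branch does not match (decimal entities, other scripting schemes). If the denylist is kept as a stopgap, at least compile it as `js_regex = re.compile(r'[\s]*(&#x.{1,7})?'.join(list('javascript')), re.IGNORECASE)` and repeat the substitution until the value stops changing. The docstring example `'tag2:attr1:attr2 tag2:attr1 tag3'` presumably means `tag1` for the first entry. As I read BeautifulSoup's `hidden` flag, `tag.hidden = True` drops the element but still renders its children, so the text inside a disallowed element is emitted; a comment such as `# disallowed tags are unwrapped, their text content is kept` would make clear that this is intended.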
@@ -243,7 +243,7 @@ def getDetail(request, area_name, marker_id):
     Get the detail for a marker
     '''
     try:
-        marker = Marker.objects.filter(id=int(marker_id), status='A')[0]
+        marker = Marker.objects.filter(id=int(marker_id), status__in=['A', 'S'])[0]
     except (ValueError, IndexError):
         return HttpResponse('no results')
     response_dct = get_base_response()
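Review bot: The widened query `status__in=['A', 'S']` makes markers in status `'S'` reachable from the detail view, and nothing in the hunk says what `'S'` denotes or why showing it here is acceptable; if it is a not-yet-validated state, this changes which unreviewed content is exposed and the other status-filtered views may need the same decision. A one-line comment above the query, e.g. `# 'S' markers are shown on the detail page because <reason>`, or a shared module-level constant such as `VISIBLE_STATUSES = ['A', 'S']` used wherever views filter on status, would make the intent reviewable and keep the views consistent. getDetail begins before this hunk and continues past it.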
