From 9938ec566e87fe66cd8e91576fefbfbcadddd9c3 Mon Sep 17 00:00:00 2001 From: Étienne Loks Date: Sat, 27 Nov 2010 19:09:37 +0100 Subject: Use a sanitize filter to correct a security issue (closes #283) --- chimere/main/templatetags/__init__.py | 1 + chimere/main/templatetags/sanitize.py | 31 +++++++++++++++++++++++++++++++ chimere/main/views.py | 2 +- chimere/templates/detail.html | 6 ++++-- chimere/templates/welcome.html | 3 ++- 5 files changed, 39 insertions(+), 4 deletions(-) create mode 100644 chimere/main/templatetags/__init__.py create mode 100644 chimere/main/templatetags/sanitize.py diff --git a/chimere/main/templatetags/__init__.py b/chimere/main/templatetags/__init__.py new file mode 100644 index 0000000..792d600 --- /dev/null +++ b/chimere/main/templatetags/__init__.py @@ -0,0 +1 @@ +# diff --git a/chimere/main/templatetags/sanitize.py b/chimere/main/templatetags/sanitize.py new file mode 100644 index 0000000..ccb936c --- /dev/null +++ b/chimere/main/templatetags/sanitize.py @@ -0,0 +1,31 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- + +from django import template +from BeautifulSoup import BeautifulSoup, Comment +import re + +register = template.Library() + +def sanitize(value, allowed_tags): + """Argument should be in form 'tag2:attr1:attr2 tag2:attr1 tag3', where tags + are allowed HTML tags, and attrs are the allowed attributes for that tag. + """ + js_regex = re.compile(r'[\s]*(&#x.{1,7})?'.join(list('javascript'))) + allowed_tags = [tag.split(':') for tag in allowed_tags.split()] + allowed_tags = dict((tag[0], tag[1:]) for tag in allowed_tags) + + soup = BeautifulSoup(value) + for comment in soup.findAll(text=lambda text: isinstance(text, Comment)): + comment.extract() + + for tag in soup.findAll(True): + if tag.name not in allowed_tags: + tag.hidden = True + else: + tag.attrs = [(attr, js_regex.sub('', val)) for attr, val in tag.attrs + if attr in allowed_tags[tag.name]] + return soup.renderContents().decode('utf8') + +register.filter(sanitize) + diff --git a/chimere/main/views.py b/chimere/main/views.py index d8e9719..5d13dcb 100644 --- a/chimere/main/views.py +++ b/chimere/main/views.py @@ -243,7 +243,7 @@ def getDetail(request, area_name, marker_id): Get the detail for a marker ''' try: - marker = Marker.objects.filter(id=int(marker_id), status='A')[0] + marker = Marker.objects.filter(id=int(marker_id), status__in=['A', 'S'])[0] except (ValueError, IndexError): return HttpResponse('no results') response_dct = get_base_response() diff --git a/chimere/templates/detail.html b/chimere/templates/detail.html index d7084db..baa13b4 100644 --- a/chimere/templates/detail.html +++ b/chimere/templates/detail.html @@ -1,4 +1,5 @@ {% load i18n %} +{% load sanitize %}

{{ marker.name }}

{% if marker.picture %}{{marker.name}}{%endif%} @@ -8,8 +9,9 @@ {% if marker.end_date %} - {{marker.end_date|date:"D d M Y"}}

{% endif %} {% endif %} {% for property in marker.getProperties %} -

{{ property.value|safe }}

-{% endfor %}
{% if share_networks %} +

{{ property.value|sanitize:"p b a:href ul li ol h1 h2 h3 h4"|safe}}

+{% endfor %} +{% if share_networks %} {% if simple %}{% trans "Share on"%}{% for share_network in share_networks %} {{share_network.0}} {% endfor %}{%else%} diff --git a/chimere/templates/welcome.html b/chimere/templates/welcome.html index 8206c18..d568851 100644 --- a/chimere/templates/welcome.html +++ b/chimere/templates/welcome.html @@ -1,4 +1,5 @@ {% load i18n %} +{% load sanitize %}

{% trans "Welcome to Chimère"%}

@@ -12,7 +13,7 @@ {% else %}

{{news.name}} – {{ news.start_date }}{% if news.end_date %} - {{ news.end_date }}{% endif %}

{% for property in news.getProperties %} -

{{ property.value|safe }}

+

{{ property.value|sanitize:"p b a:href ul li ol h1 h2 h3 h4"|safe }}

{% endfor %}

{% trans "See it on the map"%}

{% endif %} -- cgit v1.2.3