Sanitize HTML input

master
Tanner Collin 4 years ago
parent 83ab4dffbe
commit 200df3fdc8
  1. 31
      apiserver/apiserver/api/serializers.py
  2. 3
      apiserver/requirements.txt

@ -7,6 +7,7 @@ from rest_auth.registration.serializers import RegisterSerializer
from rest_auth.serializers import UserDetailsSerializer from rest_auth.serializers import UserDetailsSerializer
from uuid import uuid4 from uuid import uuid4
from PIL import Image from PIL import Image
from bleach.sanitizer import Cleaner
from . import models, old_models from . import models, old_models
@ -44,12 +45,37 @@ def process_image(upload):
return small, medium, large return small, medium, large
ALLOWED_TAGS = [
'h3',
'p',
'br',
'strong',
'em',
'u',
'code',
'ol',
'li',
'ul',
'a',
]
clean = Cleaner(tags=ALLOWED_TAGS).clean
class UserEmailField(serializers.ModelField): class UserEmailField(serializers.ModelField):
def to_representation(self, obj): def to_representation(self, obj):
return getattr(obj.user, 'email', obj.old_email) return getattr(obj.user, 'email', obj.old_email)
def to_internal_value(self, data): def to_internal_value(self, data):
return serializers.EmailField().run_validation(data) return serializers.EmailField().run_validation(data)
class HTMLField(serializers.CharField):
def to_internal_value(self, data):
data = clean(data)
return super().to_internal_value(data)
@ -221,14 +247,13 @@ class SessionListSerializer(SessionSerializer):
class CourseSerializer(serializers.ModelSerializer): class CourseSerializer(serializers.ModelSerializer):
name = serializers.CharField() name = serializers.CharField()
description = serializers.CharField(write_only=True)
class Meta: class Meta:
model = models.Course model = models.Course
fields = ['id', 'name', 'description'] fields = ['id', 'name']
class CourseDetailSerializer(serializers.ModelSerializer): class CourseDetailSerializer(serializers.ModelSerializer):
sessions = SessionListSerializer(many=True, read_only=True) sessions = SessionListSerializer(many=True, read_only=True)
description = HTMLField()
class Meta: class Meta:
model = models.Course model = models.Course
fields = '__all__' fields = '__all__'
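Review bot: In `HTMLField.to_internal_value` the `clean(data)` call runs before `super().to_internal_value(data)`, so a non-string payload for `description` (a JSON object or list) reaches bleach before DRF's own type check; bleach's `Cleaner.clean` rejects non-text input with a `TypeError`, which would surface as a 500 instead of a 400 validation error. Validate first, then sanitize: `value = super().to_internal_value(data)` followed by `return clean(value)`. Separately, `Cleaner(tags=ALLOWED_TAGS)` leaves the permitted attributes and URL schemes for `a` to bleach's defaults; pinning them in this file — `clean = Cleaner(tags=ALLOWED_TAGS, attributes={'a': ['href', 'title']}, protocols=['http', 'https', 'mailto']).clean` — keeps the allowlist under the project's control rather than a dependency's, and a short comment that the default `strip=False` escapes disallowed tags rather than removing them would help the next reader. Note that this sanitizes only writes that go through `CourseDetailSerializer`; any other path that sets `description` (not visible here) would bypass it.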

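--- a/apiserver/requirements.txt
+++ b/apiserver/requirements.txt
@@ -1,5 +1,6 @@
 argon2-cffi==19.2.0
 asgiref==3.2.3
+bleach==3.1.0
 certifi==2019.11.28
 cffi==1.13.2
 chardet==3.0.4
@@ -11,6 +12,7 @@ djangorestframework==3.11.0
 fuzzywuzzy==0.17.0
 idna==2.8
 oauthlib==3.1.0
+Pillow==7.0.0
 pkg-resources==0.0.0
 pycparser==2.19
 python-Levenshtein==0.12.0
@@ -21,3 +23,4 @@ requests-oauthlib==1.3.0
 six==1.13.0
 sqlparse==0.3.0
 urllib3==1.25.7
+webencodings==0.5.1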
