Sanitize HTML input

This commit is contained in:
Tanner Collin 2020-01-15 07:07:12 +00:00
parent 83ab4dffbe
commit 200df3fdc8
2 changed files with 31 additions and 3 deletions

View File

@ -7,6 +7,7 @@ from rest_auth.registration.serializers import RegisterSerializer
from rest_auth.serializers import UserDetailsSerializer
from uuid import uuid4
from PIL import Image
from bleach.sanitizer import Cleaner
from . import models, old_models
@ -44,12 +45,37 @@ def process_image(upload):
return small, medium, large
ALLOWED_TAGS = [
'h3',
'p',
'br',
'strong',
'em',
'u',
'code',
'ol',
'li',
'ul',
'a',
]
clean = Cleaner(tags=ALLOWED_TAGS).clean
class UserEmailField(serializers.ModelField):
def to_representation(self, obj):
return getattr(obj.user, 'email', obj.old_email)
def to_internal_value(self, data):
return serializers.EmailField().run_validation(data)
class HTMLField(serializers.CharField):
def to_internal_value(self, data):
data = clean(data)
return super().to_internal_value(data)
@ -221,14 +247,13 @@ class SessionListSerializer(SessionSerializer):
class CourseSerializer(serializers.ModelSerializer):
name = serializers.CharField()
description = serializers.CharField(write_only=True)
class Meta:
model = models.Course
fields = ['id', 'name', 'description']
fields = ['id', 'name']
class CourseDetailSerializer(serializers.ModelSerializer):
sessions = SessionListSerializer(many=True, read_only=True)
description = HTMLField()
class Meta:
model = models.Course
fields = '__all__'

View File

@ -1,5 +1,6 @@
argon2-cffi==19.2.0
asgiref==3.2.3
bleach==3.1.0
certifi==2019.11.28
cffi==1.13.2
chardet==3.0.4
@ -11,6 +12,7 @@ djangorestframework==3.11.0
fuzzywuzzy==0.17.0
idna==2.8
oauthlib==3.1.0
Pillow==7.0.0
pkg-resources==0.0.0
pycparser==2.19
python-Levenshtein==0.12.0
@ -21,3 +23,4 @@ requests-oauthlib==1.3.0
six==1.13.0
sqlparse==0.3.0
urllib3==1.25.7
webencodings==0.5.1