taiga
/
taiga-back
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge pull request #148 from taigaio/issue/1500/wiki-html-escape 

Fix issue #1500: Now generated html is escaped
remotes/origin/enhancement/email-actions
David Barragán Merino 2014-10-31 13:47:19 +01:00
parent f22da3d5aa c83ffa8529
commit 5d5d57ac8c
4 changed files with 37 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
requirements.txt
View File

@ -25,6 +25,7 @@ celery==3.1.12
redis==2.10.3
Unidecode==0.04.16
raven==5.1.1
bleach==1.4
# Comment it if you are using python >= 3.4
enum34==1.0

30
taiga/mdrender/service.py
View File

@ -16,6 +16,23 @@
import hashlib
import functools
import bleach
# BEGIN PATCH
import html5lib
from html5lib.serializer.htmlserializer import HTMLSerializer
def _serialize(domtree):
walker = html5lib.treewalkers.getTreeWalker('etree')
stream = walker(domtree)
serializer = HTMLSerializer(quote_attr_values=True,
omit_optional_tags=False,
alphabetical_attributes=True)
return serializer.render(stream)
bleach._serialize = _serialize
### END PATCH
from django.core.cache import cache
from django.utils.encoding import force_bytes
@ -34,6 +51,15 @@ from .extensions.mentions import MentionsExtension
from .extensions.references import TaigaReferencesExtension
ALLOWED_TAGS = bleach.ALLOWED_TAGS + ["p", "table", "th", "tr", "td", "h1",
"h2", "h3", "div", "pre", "span", "hr", "dl", "dt", "dd", "sup",
"img", "del"]
ALLOWED_ATTRS = bleach.ALLOWED_ATTRIBUTES
ALLOWED_ATTRS["a"] = ["href", "title", "alt"]
ALLOWED_ATTRS["img"] = ["alt", "src"]
ALLOWED_ATTRS["*"] = ["class"]
def _make_extensions_list(wikilinks_config=None, project=None):
return [AutolinkExtension(),
AutomailExtension(),
@ -86,12 +112,12 @@ def _get_markdown(project):
@cache_by_sha
def render(project, text):
md = _get_markdown(project)
return md.convert(text)
return bleach.clean(md.convert(text), tags=ALLOWED_TAGS)
def render_and_extract(project, text):
md = _get_markdown(project)
result = md.convert(text)
result = bleach.clean(md.convert(text), tags=ALLOWED_TAGS)
return (result, md.extracted_data)

2
tests/integration/test_mdrender.py
View File

@ -33,7 +33,7 @@ dummy_project.slug = "test"
def test_proccessor_valid_user_mention():
factories.UserFactory(username="user1", full_name="test name")
result = render(dummy_project, "**@user1**")
expected_result = "<p><strong><a alt=\"test name\" class=\"mention\" href=\"/profile/user1\" title=\"test name\">&commat;user1</a></strong></p>"
expected_result = "<p><strong><a alt=\"test name\" class=\"mention\" href=\"/profile/user1\" title=\"test name\">@user1</a></strong></p>"
assert result == expected_result

14
tests/unit/test_mdrender.py
View File

@ -43,7 +43,7 @@ def test_proccessor_valid_us_reference():
instance.content_type.model = "userstory"
instance.content_object.subject = "test"
result = render(dummy_project, "**#1**")
expected_result = '<p><strong><a alt="test" class="reference user-story" href="http://localhost:9001/project/test/us/1" title="test">&num;1</a></strong></p>'
expected_result = '<p><strong><a alt="test" class="reference user-story" href="http://localhost:9001/project/test/us/1" title="test">#1</a></strong></p>'
assert result == expected_result
@ -53,7 +53,7 @@ def test_proccessor_valid_issue_reference():
instance.content_type.model = "issue"
instance.content_object.subject = "test"
result = render(dummy_project, "**#2**")
expected_result = '<p><strong><a alt="test" class="reference issue" href="http://localhost:9001/project/test/issue/2" title="test">&num;2</a></strong></p>'
expected_result = '<p><strong><a alt="test" class="reference issue" href="http://localhost:9001/project/test/issue/2" title="test">#2</a></strong></p>'
assert result == expected_result
@ -63,7 +63,7 @@ def test_proccessor_valid_task_reference():
instance.content_type.model = "task"
instance.content_object.subject = "test"
result = render(dummy_project, "**#3**")
expected_result = '<p><strong><a alt="test" class="reference task" href="http://localhost:9001/project/test/task/3" title="test">&num;3</a></strong></p>'
expected_result = '<p><strong><a alt="test" class="reference task" href="http://localhost:9001/project/test/task/3" title="test">#3</a></strong></p>'
assert result == expected_result
@ -140,20 +140,20 @@ def test_render_url_automail():
def test_render_absolute_image():
assert render(dummy_project, "![test](/test.png)") == "<p><img alt=\"test\" src=\"/test.png\" /></p>"
assert render(dummy_project, "![test](/test.png)") == "<p><img alt=\"test\" src=\"/test.png\"></p>"
def test_render_relative_image():
assert render(dummy_project, "![test](test.png)") == "<p><img alt=\"test\" src=\"test.png\" /></p>"
assert render(dummy_project, "![test](test.png)") == "<p><img alt=\"test\" src=\"test.png\"></p>"
def test_render_triple_quote_code():
expected_result = "<div class=\"codehilite\"><pre><span class=\"n\">print</span><span class=\"p\">(</span><span class=\"s\">&quot;test&quot;</span><span class=\"p\">)</span>\n</pre></div>"
expected_result = "<div class=\"codehilite\"><pre><span class=\"n\">print</span><span class=\"p\">(</span><span class=\"s\">\"test\"</span><span class=\"p\">)</span>\n</pre></div>"
assert render(dummy_project, "```\nprint(\"test\")\n```") == expected_result
def test_render_triple_quote_and_lang_code():
expected_result = "<div class=\"codehilite\"><pre><span class=\"k\">print</span><span class=\"p\">(</span><span class=\"s\">&quot;test&quot;</span><span class=\"p\">)</span>\n</pre></div>"
expected_result = "<div class=\"codehilite\"><pre><span class=\"k\">print</span><span class=\"p\">(</span><span class=\"s\">\"test\"</span><span class=\"p\">)</span>\n</pre></div>"
assert render(dummy_project, "```python\nprint(\"test\")\n```") == expected_result