#221 Library widget and module to clean user input text
Merged 7 years ago by pingou. Opened 7 years ago by pingou.
pingou/fedora-hubs library_widget  into  develop

@@ -4,6 +4,7 @@ 

  from hubs.widgets import sticky

  from hubs.widgets import about

  from hubs.widgets import badges

+ from hubs.widgets import library

  from hubs.widgets import linechart

  from hubs.widgets import fedmsgstats

  from hubs.widgets import feed
@@ -27,6 +28,7 @@ 

      'sticky': sticky,

      'about': about,

      'badges': badges,

+     'library': library,

      'linechart': linechart,

      'fedmsgstats': fedmsgstats,

      'feed': feed,

@@ -0,0 +1,40 @@ 

+ import urlparse

+ 

+ import bleach

+ 

+ 

+ def filter_img_src(name, value):

+     ''' Filter in img html tags images coming from a different domain. '''

+     import hubs.app

+     if name in ('alt', 'height', 'width', 'class'):

+         return True

+     if name == 'src':

+         p = urlparse.urlparse(value)

+         return (not p.netloc) or p.netloc == urlparse.urlparse(

+             hubs.app.app.config['APP_URL']).netloc

+     return False

+ 

+ 

+ def clean(text, ignore=None):

+     """ For a given html text, escape everything we do not want to support

+     to avoid potential security breach.

+     """

+     if ignore and not isinstance(ignore, (tuple, set, list)):

+         ignore = [ignore]

+ 

+     attrs = bleach.ALLOWED_ATTRIBUTES

+     if not ignore or not 'img' in ignore:

+         attrs['img'] = filter_img_src

+ 

+     tags = bleach.ALLOWED_TAGS + [

+         'p', 'br', 'div', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',

+         'table', 'td', 'tr', 'th',

+         'col', 'tbody', 'pre', 'img', 'hr', 'dl', 'dt', 'dd', 'span',

+         'kbd', 'var',

+     ]

+     if ignore:

+         for tag in ignore:

+             if tag in tags:

+                 tags.remove(tag)

+ 

+     return bleach.clean(text, tags=tags, attributes=attrs)
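Review bot: `attrs = bleach.ALLOWED_ATTRIBUTES` at the top of `clean` aliases bleach's module-level dict, so `attrs['img'] = filter_img_src` mutates the shared default for every later `bleach.clean()` call in the process, including calls to this `clean` that pass `ignore='img'`; copy it first, `attrs = dict(bleach.ALLOWED_ATTRIBUTES)`. In `filter_img_src` the `src` check only compares `netloc`, so a value with no host part but a non-http scheme has an empty netloc and is accepted as if it were a relative path; unless bleach's own protocol check is known to still run on attributes accepted by a callable filter, reject it explicitly with `if p.scheme not in ('', 'http', 'https'): return False` before the netloc comparison, and comparing `p.hostname` rather than `p.netloc` avoids mismatches on port, userinfo or letter case. `not 'img' in ignore` reads better as `'img' not in ignore`.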

@@ -0,0 +1,33 @@ 

+ from hubs.hinting import hint, prefixed as _

+ from hubs.widgets.chrome import panel

+ from hubs.widgets.base import argument

+ from hubs.widgets import clean_input

+ from hubs.widgets import templating

+ 

+ import hubs.validators as validators

+ 

+ chrome = panel("Library")

+ template = templating.environment.get_template('templates/library.html')

+ position = 'both'

+ 

+ 

+ @argument(name="urls", default=None,

+           validator=validators.text,

+           help="A comma separated list of URLs to add to the library. "

+           "External links must include the whole link (starting with http...)")

+ def data(session, widget, urls):

+     urls = [

+         clean_input.clean('<a href="{0}">{0}</a>'.format(u.encode('utf-8').strip()))

+         for u in widget.config.get('urls', '').split(',')

+         if u.encode('utf-8').strip()

+     ]

+     return dict(urls=urls)

+ 

+ 

+ @hint(topics=[_('hubs.widget.update')])

+ def should_invalidate(message, session, widget):

+     if not message['topic'].endswith('hubs.widget.update'):

+         return False

+     if message['msg']['widget']['id'] != widget.id:

+         return False

+     return True
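Review bot: In `data` the `urls` parameter is shadowed on the function's first line and the value is re-read from `widget.config.get('urls', '')`; if the `@argument` decorator passes the validated config value as `urls` (inferred from the signature, not visible here), the comprehension should iterate `(urls or '').split(',')` so the validator and the function's contract agree. The comprehension also calls `u.encode('utf-8')` before stripping and formatting, so `clean_input.clean` receives a byte string assembled from user input; if the config values are unicode, `u.strip()` with a unicode template `u'<a href="{0}">{0}</a>'` keeps the sanitizer on text throughout and avoids the encode/decode round trip, while a byte-string config value would make `.encode('utf-8')` itself fail on non-ASCII input. A one-line docstring on `data` stating that each entry is wrapped in an anchor and sanitized would also help, e.g. `"""Return the configured URLs as bleach-sanitized anchor markup."""`.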

@@ -0,0 +1,11 @@ 

+ <div class="rules-container">

+   <div class="row">

+     <ul>

+     {% for url in urls %}

+     <li>

+       {{ url }}

+     </li>

+     {% endfor %}

+     </ul>

+   </div>

+ </div>
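Review bot: `{{ url }}` inside the `<li>` receives markup already produced by `clean_input.clean`, so the rendered result depends on the autoescape setting of `templating.environment`, which this change does not show: with autoescaping on, the anchor is displayed as literal text; with it off, the template relies entirely on bleach having sanitized the string. Make that trust decision explicit where the value is consumed, either `{{ url|safe }}` with a template comment noting the value is bleach-sanitized, or by returning a `Markup` object from `data()`, so a later change to the environment cannot silently alter which behaviour applies.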

file modified
+1
@@ -1,4 +1,5 @@ 

  arrow

+ bleach

  datanommer.models

  dogpile.cache

  fedmsg
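Review bot: `bleach` is added without a version bound, while `clean_input.py` builds its tag list with `bleach.ALLOWED_TAGS + [...]` and writes into `bleach.ALLOWED_ATTRIBUTES`, both of which assume those defaults remain a list and a dict. A lower bound such as `bleach>=<tested-version>` (placeholder) would record which release the sanitizer was validated against; the other entries in the file are also unpinned, so this may simply follow the project's convention.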


Is the library widget supposed to be relative to the hubs domain, or can it be any URL?

The widget crashes when given unicode characters.

File "<snip>/library.py", line 21, in data
  if u.strip()
UnicodeEncodeError 'ascii' codec can't encode character u'\u200b'

Otherwise LGTM after rebase. The clean_input will be helpful for SavedNotifications

We may need to mention to the user that they need to prepend http:// to the links, because what I was referring to in my earlier comment is that when you type google.com it redirects you to localhost:5000/skrzepto/google.com.

is library widget supposed to be relative to the hubs domain or can it be any url?

It can be any url

We may need to mention to the user that they need to append http://

Sure thing, just not quite sure how we could right now.

The widget crashes when given unicode characters

Which input did you test it with?

Sure thing, just not quite sure how we could right now.

We could put something in the help text along the lines of 'External links must include the whole link (that includes http://)'

Which input did you test it with?

I tested with a couple of different characters: £ © á etc

rebased


Pull-Request has been merged by pingou
