| |
@@ -10,9 +10,11 @@
|
| |
|
| |
import datetime
|
| |
import textwrap
|
| |
+ import urlparse
|
| |
|
| |
- import flask
|
| |
import arrow
|
| |
+ import bleach
|
| |
+ import flask
|
| |
import markdown
|
| |
|
| |
from pygments import highlight
|
| |
@@ -300,14 +302,32 @@
|
| |
return output
|
| |
|
| |
|
| |
+ def filter_img_src(name, value):
|
| |
+ ''' Filter in img html tags images coming from a different domain. '''
|
| |
+ if name in ('alt', 'height', 'width', 'class'):
|
| |
+ return True
|
| |
+ if name == 'src':
|
| |
+ p = urlparse.urlparse(value)
|
| |
+ return (not p.netloc) \
|
| |
+ or p.netloc == urlparse.urlparse(APP.config['APP_URL']).netloc
|
| |
+ return False
|
| |
+
|
| |
+
|
| |
@APP.template_filter('noJS')
|
| |
def no_js(content):
|
| |
""" Template filter replacing <script by <script and </script> by
|
| |
</script>
|
| |
"""
|
| |
- content = content.replace('<script', '<script')
|
| |
- content = content.replace('</script>', '</script>')
|
| |
- return content
|
| |
+ attrs = bleach.ALLOWED_ATTRIBUTES
|
| |
+ attrs['img'] = filter_img_src
|
| |
+ return bleach.clean(
|
| |
+ content,
|
| |
+ tags=bleach.ALLOWED_TAGS + [
|
| |
+ 'p', 'br', 'div', 'h1', 'h2', 'h3', 'table', 'td', 'tr', 'th',
|
| |
+ 'col', 'tbody', 'pre', 'img',
|
| |
+ ],
|
| |
+ attributes=attrs,
|
| |
+ )
|
| |
|
| |
|
| |
@APP.template_filter('toRGB')
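Review bot: `attrs = bleach.ALLOWED_ATTRIBUTES` followed by `attrs['img'] = filter_img_src` mutates bleach's module-level dictionary in place, so every other `bleach.clean` call in the process silently inherits the img filter (and its `APP.config` lookup); copy it first, `attrs = dict(bleach.ALLOWED_ATTRIBUTES)`. In `filter_img_src`, `not p.netloc` is true for any scheme-only value (a `src` with no host part), so the callable itself accepts those and depends on bleach's own protocol allow-list, if it is applied to `src`, to drop them; a tighter check is `p = urlparse.urlparse(value)` then `return p.scheme in ('', 'http', 'https') and (not p.netloc or p.netloc == urlparse.urlparse(APP.config['APP_URL']).netloc)`. The `no_js` docstring still describes the old `<script` text replacement; update it to say the filter sanitises the content with bleach, keeping only the listed tags and attributes and same-host images, and that disallowed markup is escaped rather than stripped.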
|
| |