From ab60ad11369f05b5134258a53d6753d8ea4bcb69 Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon
Date: Jun 13 2015 08:32:45 +0000
Subject: [PATCH 1/4] Add bleach as a dependency

---

diff --git a/files/pagure.spec b/files/pagure.spec
index c3c0a1d..4ac684f 100644
--- a/files/pagure.spec
+++ b/files/pagure.spec
@@ -18,6 +18,7 @@
 BuildRequires: python-nose
 BuildRequires: python-alembic
 BuildRequires: python-arrow
+BuildRequires: python-bleach
 BuildRequires: python-blinker
 BuildRequires: python-chardet
 BuildRequires: python-docutils
@@ -47,6 +48,7 @@
 Requires: python-sqlalchemy > 0.8
 Requires: python-alembic
 Requires: python-arrow
+Requires: python-bleach
 Requires: python-blinker
 Requires: python-chardet
 Requires: python-docutils
diff --git a/requirements.txt b/requirements.txt
index f90ae69..87fe8f3 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -2,6 +2,7 @@
 # Use this file by running "$ pip install -r requirements.txt"
 alembic
 arrow
+bleach
 blinker
 chardet
 docutils
From 267b160ca0cd697f3ce7109756b151d11818a35b Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon
Date: Jun 13 2015 08:32:54 +0000
Subject: [PATCH 2/4] Re-order the imports and use bleach to sanitize the html returned

---

diff --git a/pagure/ui/filters.py b/pagure/ui/filters.py
index 6c03e52..b8cab5f 100644
--- a/pagure/ui/filters.py
+++ b/pagure/ui/filters.py
@@ -11,8 +11,9 @@
 import datetime
 import textwrap
-import flask
 import arrow
+import bleach
+import flask
 import markdown
 from pygments import highlight
@@ -305,9 +306,7 @@ def no_js(content):
     """ Template filter replacing ', '</script>')
-    return content
+    return bleach.clean(content)
 @APP.template_filter('toRGB')
From ddc44dc133760c91ab2111aeecdc0bfc84cd6a6e Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon
Date: Jun 13 2015 12:27:16 +0000
Subject: [PATCH 3/4] Adjust the cleaning with bleach to be more flexible towards what we allow

---

diff --git a/pagure/ui/filters.py b/pagure/ui/filters.py
index b8cab5f..a395752 100644
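Review bot: `Requires: python-bleach` carries no version constraint, unlike `Requires: python-sqlalchemy > 0.8` two lines above it, and the `requirements.txt` hunk adds `bleach` unpinned as well. The default tag and attribute whitelists of `bleach.clean`, and the attribute-callable API that a later commit in this series relies on, can differ between bleach releases, so the sanitizer's behaviour will depend on whichever version the packager happens to resolve. Record the release the code was tested against, e.g. `Requires: python-bleach >= X.Y` with the tested version filled in, and pin it the same way in `requirements.txt`.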
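Review bot: The docstring of `no_js` still describes the old behaviour of replacing `<script>` (the tag text is mangled in this rendering), while the new body hands the whole string to `bleach.clean`, which with no arguments escapes every tag outside bleach's small default whitelist and drops every attribute it does not allow — a much broader change than the filter's name and docstring suggest. Update the docstring to state the actual contract, e.g. `""" Template filter sanitizing html with bleach: tags and attributes outside bleach's allowed lists are escaped or dropped. """`. The `def no_js(content):` line sits in the hunk header, so the function starts just above the hunk.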
--- a/pagure/ui/filters.py
+++ b/pagure/ui/filters.py
@@ -10,6 +10,7 @@
 import datetime
 import textwrap
+import urlparse
 import arrow
 import bleach
@@ -301,12 +302,32 @@ def insert_div(content):
     return output
+def filter_img_src(name, value):
+    ''' Filter in img html tags images coming from a different domain. '''
+    if name in ('alt', 'height', 'width', 'class'):
+        return True
+    if name == 'src':
+        p = urlparse.urlparse(value)
+        return (not p.netloc) \
+            or p.netloc == urlparse.urlparse(APP.config['APP_URL']).netloc
+    return False
 @APP.template_filter('noJS')
 def no_js(content):
     """ Template filter replacing by </script> """
+    attrs = bleach.ALLOWED_ATTRIBUTES
+    attrs['img'] = filter_img_src
     return bleach.clean( content, tags=bleach.ALLOWED_TAGS + [ 'p', 'br', 'div', 'h1', 'h2', 'h3', 'table', 'td', 'tr', 'th',
-            'col', 'tbody', 'pre', 'img'
+            'col', 'tbody', 'pre', 'img',
         ],
-        attributes={ 'img': filter_img_src, }
+        attributes=attrs,
     )
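Review bot: `filter_img_src` checks only `p.netloc`, so any `src` whose URL has no authority part is accepted — `urlparse` returns an empty netloc for `javascript:` and `data:` URIs exactly as it does for a relative path, and whether bleach's own protocol filter still runs on an attribute that is handled by a callable depends on the bleach version, so the callable should not rely on it. Restrict the scheme explicitly: `p = urlparse.urlparse(value)` / `app_netloc = urlparse.urlparse(APP.config['APP_URL']).netloc` / `return p.scheme in ('', 'http', 'https') and (not p.netloc or p.netloc == app_netloc)`. In `no_js`, `attrs = bleach.ALLOWED_ATTRIBUTES` binds bleach's module-level dict and `attrs['img'] = filter_img_src` then mutates it on every call, for every other `bleach.clean` caller in the process; copy it first, `attrs = dict(bleach.ALLOWED_ATTRIBUTES)`. The docstring says the function filters "in" images from a different domain while the code rejects them, so reword it to `''' Allow img attributes; keep src only when it is relative or on the APP_URL host. '''`. `no_js` is complete within the hunk; any trailing context after the closing `)` is not shown in this excerpt.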