Replace bleach with nh3

lqez · Feb 16, 2024 · 8f3ff05 · 8f3ff05
1 parent bd94621
commit 8f3ff05
Show file tree

Hide file tree

Showing 8 changed files with 27 additions and 21 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -3,6 +3,8 @@
  - Hotfix for wrong font urls
  - Bump Summernote to 0.8.13
  - Drop support for Python<3.8 and Django<3.2
+ - Replaced (deprecated) bleach sanitation usage with nh3. Note that the
+   styles content sanitation is no longer doable.
 
 0.8.19.0
 --------

diff --git a/README.md b/README.md
@@ -119,7 +119,11 @@ Last, please don't forget to use `safe` templatetag while displaying in template
 
     {{ foobar|safe }}
 
-__Warning__: Please mind, that the widget does not provide any escaping. If you expose the widget to external users without taking care of this, it could potentially lead to an injection vulnerability. Therefore you can use the SummernoteTextFormField or SummernoteTextField, which escape all harmful tags through mozilla's package bleach:
+__Warning__: Please mind, that the widget does not provide any escaping. If
+you expose the widget to external users without taking care of this, it could
+potentially lead to an injection vulnerability. Therefore you can use the
+SummernoteTextFormField or SummernoteTextField, which escape all harmful tags
+through nh3 package:
 
 In `forms`,
 ```python

diff --git a/django_summernote/fields.py b/django_summernote/fields.py
@@ -1,8 +1,8 @@
 from django.db import models
 from django.forms import fields
 
-import bleach
-from django_summernote.settings import ALLOWED_TAGS, ATTRIBUTES, STYLES
+import nh3
+from django_summernote.settings import ALLOWED_TAGS, ATTRIBUTES
 from django_summernote.widgets import SummernoteWidget
 
 # code based on https://github.com/shaunsephton/django-ckeditor
@@ -15,8 +15,9 @@ def __init__(self, *args, **kwargs):
 
     def to_python(self, value):
         value = super().to_python(value)
-        return bleach.clean(
-            value, tags=ALLOWED_TAGS, attributes=ATTRIBUTES, styles=STYLES)
+        return nh3.clean(
+            value, tags=ALLOWED_TAGS, attributes=ATTRIBUTES
+        )
 
 
 class SummernoteTextField(models.TextField):
@@ -26,5 +27,6 @@ def formfield(self, **kwargs):
 
     def to_python(self, value):
         value = super().to_python(value)
-        return bleach.clean(
-            value, tags=ALLOWED_TAGS, attributes=ATTRIBUTES, styles=STYLES)
+        return nh3.clean(
+            value, tags=ALLOWED_TAGS, attributes=ATTRIBUTES
+        )
diff --git a/django_summernote/settings.py b/django_summernote/settings.py
@@ -1,15 +1,11 @@
-ALLOWED_TAGS = [
+ALLOWED_TAGS = {
     'a', 'div', 'p', 'span', 'img', 'em', 'i', 'li', 'ol', 'ul', 'strong', 'br',
     'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
     'table', 'tbody', 'thead', 'tr', 'td',
     'abbr', 'acronym', 'b', 'blockquote', 'code', 'strike', 'u', 'sup', 'sub',
-]
-
-STYLES = [
-    'background-color', 'font-size', 'line-height', 'color', 'font-family'
-]
+}
 
 ATTRIBUTES = {
-    '*': ['style', 'align', 'title', ],
-    'a': ['href', ],
+    '*': {'style', 'align', 'title'},
+    'a': {'href'},
 }
diff --git a/django_summernote/test_django_summernote.py b/django_summernote/test_django_summernote.py
@@ -88,10 +88,10 @@ class SimpleForm(forms.Form):
         assert url in html
         assert 'id="id_foobar"' in html
 
-        illegal_tags = '<script></script>'
+        illegal_tags = '<unknown>dangerous</unknown>'
         form_field = SummernoteTextFormField()
         cleaned_text = form_field.clean(illegal_tags)
-        self.assertEqual(cleaned_text, '&lt;script&gt;&lt;/script&gt;')
+        self.assertEqual(cleaned_text, 'dangerous')
 
     def test_field(self):
         from django import forms
@@ -112,11 +112,11 @@ class Meta:
         assert url in html
         assert 'id="id_foobar"' in html
 
-        illegal_tags = '<script></script>'
+        illegal_tags = '<unknown>dangerous</unknown>'
         model_field = SummernoteTextField()
         model_instance = SimpleModel1()
         cleaned_text = model_field.clean(illegal_tags, model_instance)
-        self.assertEqual(cleaned_text, '&lt;script&gt;&lt;/script&gt;')
+        self.assertEqual(cleaned_text, 'dangerous')
 
     def test_empty(self):
         from django import forms

diff --git a/django_summernote/test_settings.py b/django_summernote/test_settings.py
@@ -18,6 +18,8 @@
 MEDIA_URL = '/media/'
 MEDIA_ROOT = 'test_media'
 
+USE_TZ = True
+
 SECRET_KEY = 'django_summernote'
 
 ROOT_URLCONF = 'django_summernote.urls'

diff --git a/requirements.txt b/requirements.txt
@@ -1,2 +1,2 @@
 django
-bleach
+nh3
diff --git a/setup.py b/setup.py
@@ -38,7 +38,7 @@
     description='Summernote plugin for Django',
     classifiers=CLASSIFIERS,
 
-    install_requires=['django', 'bleach'],
+    install_requires=['django', 'nh3'],
     extras_require={
         'dev': [
             'django-dummy-plug',
-Original file line number
+Diff line change
@@ -1,2 +1,2 @@
     django
-    bleach
+    nh3