🔒 ✨ bleach [#36]

zackmdavis · Nov 1, 2014 · 35d8662 · 35d8662
1 parent 883b695
commit 35d8662
Show file tree

Hide file tree

Showing 7 changed files with 25 additions and 3 deletions.
diff --git a/core/forms.py b/core/forms.py
@@ -1,12 +1,18 @@
 from django import forms
 
+import bleach
+
 from core.models import FinetoothUser
 
 class CommentForm(forms.Form):
     content = forms.CharField(
         label="", widget=forms.Textarea(attrs={'rows': 6})
     )
 
+    def clean_content(self):
+        return bleach.clean(self.cleaned_data.get('content'))
+
+
 class SignupForm(forms.ModelForm):
     class Meta:
         model = FinetoothUser

diff --git a/core/tests/view_tests.py b/core/tests/view_tests.py
@@ -132,6 +132,17 @@ def test_can_submit_comment(self):
             ) + fragment_identifier
         )
 
+    def test_against_html_injection(self):
+        self.client.login(
+            username=self.the_user.username, password=f.FACTORY_USER_PASSWORD
+        )
+        response = self.client.post(
+            reverse("add_comment", args=(self.the_post.pk,)),
+            {'content': "and it's what my <textarea>"}
+        )
+        comment = self.the_post.comment_set.filter(commenter=self.the_user)[0]
+        self.assertNotIn("<textarea>", comment.content)
+
     def test_do_not_panic_on_blank_comment(self):
         self.client.login(
             username=self.the_user.username, password=f.FACTORY_USER_PASSWORD

diff --git a/core/views/views.py b/core/views/views.py
@@ -1,6 +1,8 @@
 import json
 from datetime import datetime
 
+import bleach
+
 from django.shortcuts import render, redirect
 from django.http import HttpResponse
 from django.http import HttpResponseForbidden
@@ -73,7 +75,7 @@ def show_post(request, year, month, slug):
 def new_post(request):
     url = HttpRequest.build_absolute_uri(request, reverse("home"))
     if request.method == "POST":
-        content = request.POST["content"]
+        content = bleach.clean(request.POST["content"])
         title = request.POST["title"]
         slug = request.POST["slug"]
         new_post = Post.objects.create(

diff --git a/core/votable.py b/core/votable.py
@@ -7,7 +7,7 @@
 
 class Tagnostic(HTMLParser):
     def __init__(self, content):
-        super().__init__(convert_charrefs=True)
+        super().__init__(convert_charrefs=False)
         self.content = []
         self.feed(markdown_to_html(content, lazy_ol=False))
 

diff --git a/requirements.txt b/requirements.txt
@@ -1,5 +1,7 @@
+bleach==1.4
 Django==1.7
 django-bootstrap3==4.11.0
+django-debug-toolbar==1.2.1
 Markdown==2.4.1
 jasmine==2.0.1
 factory_boy==2.4.1
diff --git a/settings.py b/settings.py
@@ -29,6 +29,7 @@
     'django.contrib.messages',
     'django.contrib.staticfiles',
     'bootstrap3',
+    'debug_toolbar',
     'core',
 )
 

diff --git a/templates/includes/comment.html b/templates/includes/comment.html
@@ -7,7 +7,7 @@
   </a>
   &bull; <em>{{ comment.published_at }}</em>
   </div>
-{{ comment.render|safe }}
+  {{ comment.render|safe }}
   <p>
   <a href="javascript:void(0);" class="comment-tool reply-form-link"
      data-comment-pk="{{ comment.pk }}" data-post-pk="{{ post.pk }}">