Diffstat (limited to 'core')
-rw-r--r--core/html.py24
1 files changed, 22 insertions, 2 deletions
diff --git a/core/html.py b/core/html.py
index e63dda3..fd41a50 100644
--- a/core/html.py
+++ b/core/html.py
@@ -1,11 +1,31 @@
import bleach
+from bleach.linkifier import LinkifyFilter
from django.utils.safestring import mark_safe
+def allow_a(tag: str, name: str, value: str):
+ if name in ["href", "title", "class"]:
+ return True
+ elif name == "rel":
+ # Only allow rel attributes with a small subset of values
+ # (we're defending against, for example, rel=me)
+ rel_values = value.split()
+ if all(v in ["nofollow", "noopener", "noreferrer", "tag"] for v in rel_values):
+ return True
+ return False
+
+
def sanitize_post(post_html: str) -> str:
"""
Only allows a, br, p and span tags, and class attributes.
"""
- return mark_safe(
- bleach.clean(post_html, tags=["a", "br", "p", "span"], attributes=["class"])
+ cleaner = bleach.Cleaner(
+ tags=["a", "br", "p", "span"],
+ attributes={ # type:ignore
+ "a": allow_a,
+ "p": ["class"],
+ "span": ["class"],
+ },
+ filters=[LinkifyFilter],
)
+ return mark_safe(cleaner.clean(post_html))
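Review bot: The docstring of `sanitize_post` is now stale: the new body permits `href`, `title`, `class` and a restricted `rel` on `a` (via `allow_a`) and runs `LinkifyFilter`, yet the docstring still says only `class` attributes are allowed. I would replace it with `"""Sanitize post HTML: keep a, br, p and span; allow class on p/span, and href/title/class plus a restricted rel on a (see allow_a); bare URLs are linkified."""`. `allow_a` itself could use a short docstring stating that it is an attribute-filter callback for bleach and a `-> bool` return annotation; note also that `"".split()` is empty, so `all(...)` on it is `True` and an empty `rel=""` passes, which is probably harmless but worth a comment on that line. The `# type:ignore` on the `attributes` mapping would read better with a one-word reason (the stub types presumably do not model a per-tag callable — confirm).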