From b5cacb09e3a8e9f04bbf92d179f9c2c96ea05011 Mon Sep 17 00:00:00 2001 From: Andrew Godwin Date: Sun, 13 Nov 2022 19:03:43 -0700 Subject: Permit Mastodon's weird HTML through --- core/html.py | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) (limited to 'core') diff --git a/core/html.py b/core/html.py index e63dda3..fd41a50 100644 --- a/core/html.py +++ b/core/html.py @@ -1,11 +1,31 @@ import bleach +from bleach.linkifier import LinkifyFilter from django.utils.safestring import mark_safe +def allow_a(tag: str, name: str, value: str): + if name in ["href", "title", "class"]: + return True + elif name == "rel": + # Only allow rel attributes with a small subset of values + # (we're defending against, for example, rel=me) + rel_values = value.split() + if all(v in ["nofollow", "noopener", "noreferrer", "tag"] for v in rel_values): + return True + return False + + def sanitize_post(post_html: str) -> str: """ Only allows a, br, p and span tags, and class attributes. """ - return mark_safe( - bleach.clean(post_html, tags=["a", "br", "p", "span"], attributes=["class"]) + cleaner = bleach.Cleaner( + tags=["a", "br", "p", "span"], + attributes={ # type:ignore + "a": allow_a, + "p": ["class"], + "span": ["class"], + }, + filters=[LinkifyFilter], ) + return mark_safe(cleaner.clean(post_html)) -- cgit v1.2.3