Merge pull request #662 from liangliangyy/dev

fix xss
3 years ago · c2bfdb18c5
parent ad98e00f7e 25cde2da68
commit c2bfdb18c5
4 changed files with 20 additions and 3 deletions
--- a/blog/templatetags/blog_tags.py
+++ b/blog/templatetags/blog_tags.py
@ -14,7 +14,7 @@ from django.utils.safestring import mark_safe

 from blog.models import Article, Category, Tag, Links, SideBar, LinkShowType
 from comments.models import Comment
-from djangoblog.utils import CommonMarkdown
+from djangoblog.utils import CommonMarkdown, sanitize_html
 from djangoblog.utils import cache
 from djangoblog.utils import get_current_site
 from oauth.models import OAuthUser
@ -55,6 +55,13 @@ def get_markdown_toc(content):
    return mark_safe(toc)


+@register.filter()
+@stringfilter
+def comment_markdown(content):
+    content = CommonMarkdown.get_markdown(content)
+    return mark_safe(sanitize_html(content))
+
+
@register.filter(is_safe=True)
@stringfilter
 def truncatechars_content(content):
--- a/djangoblog/utils.py
+++ b/djangoblog/utils.py
@ -9,6 +9,7 @@ import string
 import uuid
 from hashlib import sha256

+import bleach
 import markdown
 import requests
 from django.conf import settings
@ -220,3 +221,12 @@ def get_resource_url():
    else:
        site = get_current_site()
        return 'http://' + site.domain + '/static/'
+
+
+ALLOWED_TAGS = ['a', 'abbr', 'acronym', 'b', 'blockquote', 'code', 'em', 'i', 'li', 'ol', 'pre', 'strong', 'ul', 'h1',
+                'h2', 'p']
+ALLOWED_ATTRIBUTES = {'a': ['href', 'title'], 'abbr': ['title'], 'acronym': ['title']}
+
+
+def sanitize_html(html):
+    return bleach.clean(html, tags=ALLOWED_TAGS, attributes=ALLOWED_ATTRIBUTES)
--- a/templates/comments/tags/comment_item.html
+++ b/templates/comments/tags/comment_item.html
@ -24,7 +24,7 @@
            <div>{{ comment_item.created_time }}</div>
            <div>回复给:@{{ comment_item.author.parent_comment.username }}</div>
        </div>
-        <p>{{ comment_item.body|escape|custom_markdown }}</p>
+        <p>{{ comment_item.body|escape|comment_markdown }}</p>
        <div class="reply"><a rel="nofollow" class="comment-reply-link"
                              href="javascript:void(0)"
                              onclick="do_reply({{ comment_item.pk }})"
--- a/templates/comments/tags/comment_item_tree.html
+++ b/templates/comments/tags/comment_item_tree.html
@ -32,7 +32,7 @@
            {% endif %}
        </p>

-        <p>{{ comment_item.body|escape|custom_markdown }}</p>
+        <p>{{ comment_item.body|escape|comment_markdown }}</p>

        <div class="reply"><a rel="nofollow" class="comment-reply-link"
                              href="javascript:void(0)"