From 25cde2da68bf5881a3132b225a850b738606dc6a Mon Sep 17 00:00:00 2001
From: liangliangyy
Date: Mon, 29 May 2023 12:59:49 +0800
Subject: [PATCH] fix xss

---
 blog/templatetags/blog_tags.py | 9 ++++++++-
 djangoblog/utils.py | 10 ++++++++++
 templates/comments/tags/comment_item.html | 2 +-
 templates/comments/tags/comment_item_tree.html | 2 +-
 4 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/blog/templatetags/blog_tags.py b/blog/templatetags/blog_tags.py
index 64925e8..db9c3c9 100644
--- a/blog/templatetags/blog_tags.py
+++ b/blog/templatetags/blog_tags.py
@@ -14,7 +14,7 @@ from django.utils.safestring import mark_safe
 
 from blog.models import Article, Category, Tag, Links, SideBar, LinkShowType
 from comments.models import Comment
-from djangoblog.utils import CommonMarkdown
+from djangoblog.utils import CommonMarkdown, sanitize_html
 from djangoblog.utils import cache
 from djangoblog.utils import get_current_site
 from oauth.models import OAuthUser
@@ -55,6 +55,13 @@ def get_markdown_toc(content):
     return mark_safe(toc)
 
 
+@register.filter()
+@stringfilter
+def comment_markdown(content):
+    content = CommonMarkdown.get_markdown(content)
+    return mark_safe(sanitize_html(content))
+
+
 @register.filter(is_safe=True)
 @stringfilter
 def truncatechars_content(content):
diff --git a/djangoblog/utils.py b/djangoblog/utils.py
index 160f9b8..57f63dc 100644
--- a/djangoblog/utils.py
+++ b/djangoblog/utils.py
@@ -9,6 +9,7 @@ import string
 import uuid
 from hashlib import sha256
 
+import bleach
 import markdown
 import requests
 from django.conf import settings
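Review bot: `comment_markdown` in the @@ -55 hunk of blog_tags.py has no docstring, yet it is the one place where a comment body becomes a SafeString, so the invariant should be stated: Markdown output goes through `sanitize_html` before `mark_safe`, and comment bodies must not be rendered through `custom_markdown` anywhere else. Suggested docstring: `"""Render a comment body: Markdown to HTML, then allow-list sanitised by sanitize_html before being marked safe; the only trusted rendering path for user comments."""`. The diffstat shows exactly two comment templates switched to the new filter; whether any other template still renders `comment_item.body` via `custom_markdown` cannot be confirmed from this patch and is worth a grep. Omitting `is_safe=True` here, unlike the neighbouring `truncatechars_content`, is fine because the return value is explicitly marked safe rather than relying on autoescape bookkeeping.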
@@ -220,3 +221,12 @@ def get_resource_url():
     else:
         site = get_current_site()
     return 'http://' + site.domain + '/static/'
+
+
+ALLOWED_TAGS = ['a', 'abbr', 'acronym', 'b', 'blockquote', 'code', 'em', 'i', 'li', 'ol', 'pre', 'strong', 'ul', 'h1',
+                'h2', 'p']
+ALLOWED_ATTRIBUTES = {'a': ['href', 'title'], 'abbr': ['title'], 'acronym': ['title']}
+
+
+def sanitize_html(html):
+    return bleach.clean(html, tags=ALLOWED_TAGS, attributes=ALLOWED_ATTRIBUTES)
diff --git a/templates/comments/tags/comment_item.html b/templates/comments/tags/comment_item.html
index ab71fd2..feb8903 100644
--- a/templates/comments/tags/comment_item.html
+++ b/templates/comments/tags/comment_item.html
@@ -24,7 +24,7 @@
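Review bot: `sanitize_html` in the @@ -220 hunk of djangoblog/utils.py leaves two security-relevant bleach settings implicit: the default `strip=False` means a disallowed tag is escaped and shown as literal text in the comment rather than removed, and the default `protocols` allow-list is what keeps `javascript:` out of the permitted `href` attribute on `a`. I would make both explicit so a later edit cannot silently loosen them: `return bleach.clean(html, tags=ALLOWED_TAGS, attributes=ALLOWED_ATTRIBUTES, protocols=bleach.ALLOWED_PROTOCOLS, strip=False)`, plus a docstring saying the result is an allow-listed HTML subset and is the only value that should ever be passed to `mark_safe` for comment bodies. bleach was declared deprecated by its maintainers in 2023, so a short comment next to `import bleach` in the @@ -9 hunk noting that the dependency should be pinned and eventually migrated (nh3 is the commonly recommended successor) would help whoever maintains this.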
{{ comment_item.created_time }}
回复给:@{{ comment_item.author.parent_comment.username }}
-

{{ comment_item.body|escape|custom_markdown }}

+

{{ comment_item.body|escape|comment_markdown }}

-

{{ comment_item.body|escape|custom_markdown }}

+

{{ comment_item.body|escape|comment_markdown }}