Merge pull request #662 from liangliangyy/dev

Fix XSS in comment rendering
且听风吟 3 years ago committed by GitHub
commit c2bfdb18c5

@ -14,7 +14,7 @@ from django.utils.safestring import mark_safe
from blog.models import Article, Category, Tag, Links, SideBar, LinkShowType from blog.models import Article, Category, Tag, Links, SideBar, LinkShowType
from comments.models import Comment from comments.models import Comment
from djangoblog.utils import CommonMarkdown from djangoblog.utils import CommonMarkdown, sanitize_html
from djangoblog.utils import cache from djangoblog.utils import cache
from djangoblog.utils import get_current_site from djangoblog.utils import get_current_site
from oauth.models import OAuthUser from oauth.models import OAuthUser
@ -55,6 +55,13 @@ def get_markdown_toc(content):
return mark_safe(toc) return mark_safe(toc)
@register.filter()
@stringfilter
def comment_markdown(content):
content = CommonMarkdown.get_markdown(content)
return mark_safe(sanitize_html(content))
@register.filter(is_safe=True) @register.filter(is_safe=True)
@stringfilter @stringfilter
def truncatechars_content(content): def truncatechars_content(content):
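Review bot: `comment_markdown` has no docstring, and the reason its output may be marked safe — it has just been passed through `sanitize_html` — is left implicit, so a later edit that drops or reorders that call would reintroduce the XSS without any visible signal. I would add `"""Render a comment body as Markdown, then reduce it to the comment tag allowlist before marking it safe."""` under the `def` line, and a why-comment on the return such as `# mark_safe is only justified because sanitize_html has just run on this string`. Registering the filter with a bare `@register.filter()` rather than `is_safe=True` is correct here, since the returned SafeString carries the safety decision; that differs from the neighbouring `truncatechars_content`, which relies on the flag, and a one-line comment noting the deliberate difference would stop someone "fixing" it. The enclosing module continues outside the hunk.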

@ -9,6 +9,7 @@ import string
import uuid import uuid
from hashlib import sha256 from hashlib import sha256
import bleach
import markdown import markdown
import requests import requests
from django.conf import settings from django.conf import settings
@ -220,3 +221,12 @@ def get_resource_url():
else: else:
site = get_current_site() site = get_current_site()
return 'http://' + site.domain + '/static/' return 'http://' + site.domain + '/static/'
ALLOWED_TAGS = ['a', 'abbr', 'acronym', 'b', 'blockquote', 'code', 'em', 'i', 'li', 'ol', 'pre', 'strong', 'ul', 'h1',
'h2', 'p']
ALLOWED_ATTRIBUTES = {'a': ['href', 'title'], 'abbr': ['title'], 'acronym': ['title']}
def sanitize_html(html):
return bleach.clean(html, tags=ALLOWED_TAGS, attributes=ALLOWED_ATTRIBUTES)
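Review bot: `sanitize_html` allows `href` on `a` but leaves the URL-scheme policy to bleach's default `protocols`, so the guarantee that `javascript:` links are dropped is only as strong as whatever bleach version is installed; I would pass it explicitly, `return bleach.clean(html, tags=ALLOWED_TAGS, attributes=ALLOWED_ATTRIBUTES, protocols=['http', 'https', 'mailto'])`, and give the function a docstring stating that it is the last step before `mark_safe` on untrusted comment text. Whether disallowed tags should be escaped (the default) or removed (`strip=True`) is a product choice, but it deserves a comment either way, since the default makes a stripped `<img>` show up as literal text in the comment. The new `import bleach` also needs a pinned entry in the project's requirements file, which is not part of this page, so please confirm it is covered elsewhere in the PR. If this is on the bleach 6.x line, note that upstream has described the package as maintenance-only, which argues for pinning the version.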

@ -24,7 +24,7 @@
<div>{{ comment_item.created_time }}</div> <div>{{ comment_item.created_time }}</div>
<div>回复给:@{{ comment_item.author.parent_comment.username }}</div> <div>回复给:@{{ comment_item.author.parent_comment.username }}</div>
</div> </div>
<p>{{ comment_item.body|escape|custom_markdown }}</p> <p>{{ comment_item.body|escape|comment_markdown }}</p>
<div class="reply"><a rel="nofollow" class="comment-reply-link" <div class="reply"><a rel="nofollow" class="comment-reply-link"
href="javascript:void(0)" href="javascript:void(0)"
onclick="do_reply({{ comment_item.pk }})" onclick="do_reply({{ comment_item.pk }})"
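Review bot: The template keeps `|escape` ahead of the new `comment_markdown` filter, so the Markdown renderer receives entity-encoded text and the bleach pass is a second layer rather than the only one; that is a sound defence-in-depth choice, but it also means Markdown constructs that start with a raw `<` or `>` will not render, and the intent should be recorded next to the line, e.g. `{# escape first so the Markdown pass never sees raw HTML; comment_markdown then sanitizes the rendered output #}`. Any other place the project renders `comment_item.body` (feeds, notification e-mails, admin previews) still needs the same filter, which cannot be confirmed from this page.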

@ -32,7 +32,7 @@
{% endif %} {% endif %}
</p> </p>
<p>{{ comment_item.body|escape|custom_markdown }}</p> <p>{{ comment_item.body|escape|comment_markdown }}</p>
<div class="reply"><a rel="nofollow" class="comment-reply-link" <div class="reply"><a rel="nofollow" class="comment-reply-link"
href="javascript:void(0)" href="javascript:void(0)"
