fix xss

liangliangyy · May 29, 2023 · 25cde2d · 25cde2d
1 parent ad98e00
commit 25cde2d
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 3 deletions.
diff --git a/blog/templatetags/blog_tags.py b/blog/templatetags/blog_tags.py
@@ -14,7 +14,7 @@
 
 from blog.models import Article, Category, Tag, Links, SideBar, LinkShowType
 from comments.models import Comment
-from djangoblog.utils import CommonMarkdown
+from djangoblog.utils import CommonMarkdown, sanitize_html
 from djangoblog.utils import cache
 from djangoblog.utils import get_current_site
 from oauth.models import OAuthUser
@@ -55,6 +55,13 @@ def get_markdown_toc(content):
     return mark_safe(toc)
 
 
+@register.filter()
+@stringfilter
+def comment_markdown(content):
+    content = CommonMarkdown.get_markdown(content)
+    return mark_safe(sanitize_html(content))
+
+
 @register.filter(is_safe=True)
 @stringfilter
 def truncatechars_content(content):

diff --git a/djangoblog/utils.py b/djangoblog/utils.py
@@ -9,6 +9,7 @@
 import uuid
 from hashlib import sha256
 
+import bleach
 import markdown
 import requests
 from django.conf import settings
@@ -220,3 +221,12 @@ def get_resource_url():
     else:
         site = get_current_site()
         return 'http://' + site.domain + '/static/'
+
+
+ALLOWED_TAGS = ['a', 'abbr', 'acronym', 'b', 'blockquote', 'code', 'em', 'i', 'li', 'ol', 'pre', 'strong', 'ul', 'h1',
+                'h2', 'p']
+ALLOWED_ATTRIBUTES = {'a': ['href', 'title'], 'abbr': ['title'], 'acronym': ['title']}
+
+
+def sanitize_html(html):
+    return bleach.clean(html, tags=ALLOWED_TAGS, attributes=ALLOWED_ATTRIBUTES)
diff --git a/templates/comments/tags/comment_item.html b/templates/comments/tags/comment_item.html
@@ -24,7 +24,7 @@
             <div>{{ comment_item.created_time }}</div>
             <div>回复给:@{{ comment_item.author.parent_comment.username }}</div>
         </div>
-        <p>{{ comment_item.body|escape|custom_markdown }}</p>
+        <p>{{ comment_item.body|escape|comment_markdown }}</p>
         <div class="reply"><a rel="nofollow" class="comment-reply-link"
                               href="javascript:void(0)"
                               onclick="do_reply({{ comment_item.pk }})"

diff --git a/templates/comments/tags/comment_item_tree.html b/templates/comments/tags/comment_item_tree.html
@@ -32,7 +32,7 @@
             {% endif %}
         </p>
 
-        <p>{{ comment_item.body|escape|custom_markdown }}</p>
+        <p>{{ comment_item.body|escape|comment_markdown }}</p>
 
         <div class="reply"><a rel="nofollow" class="comment-reply-link"
                               href="javascript:void(0)"