removed dependency and upgraded bleach clean

cookbook/helper/template_helper.py

@@ -2,7 +2,6 @@ from gettext import gettext as _
 
 import bleach
 import markdown as md
-from bleach_allowlist import markdown_attrs, markdown_tags
 from jinja2 import Template, TemplateSyntaxError, UndefinedError
 from markdown.extensions.tables import TableExtension
 
@@ -53,9 +52,17 @@ class IngredientObject(object):
 def render_instructions(step):  # TODO deduplicate markdown cleanup code
     instructions = step.instruction
 
-    tags = markdown_tags + [
+    tags = {
-        'pre', 'table', 'td', 'tr', 'th', 'tbody', 'style', 'thead', 'img'
+        "h1", "h2", "h3", "h4", "h5", "h6",
-    ]
+        "b", "i", "strong", "em", "tt",
+        "p", "br",
+        "span", "div", "blockquote", "code", "pre", "hr",
+        "ul", "ol", "li", "dd", "dt",
+        "img",
+        "a",
+        "sub", "sup",
+        'pre', 'table', 'td', 'tr', 'th', 'tbody', 'style', 'thead'
+    }
     parsed_md = md.markdown(
         instructions,
         extensions=[
@@ -63,7 +70,11 @@ def render_instructions(step):  # TODO deduplicate markdown cleanup code
             UrlizeExtension(), MarkdownFormatExtension()
         ]
     )
-    markdown_attrs['*'] = markdown_attrs['*'] + ['class', 'width', 'height']
+    markdown_attrs = {
+        "*": ["id", "class", 'width', 'height'],
+        "img": ["src", "alt", "title"],
+        "a": ["href", "alt", "title"],
+    }
 
     instructions = bleach.clean(parsed_md, tags, markdown_attrs)
 

cookbook/templatetags/custom_tags.py

@@ -5,7 +5,6 @@ import bleach
 import markdown as md
 from django_scopes import ScopeError
 from markdown.extensions.tables import TableExtension
-from bleach_allowlist import markdown_attrs, markdown_tags
 from django import template
 from django.db.models import Avg
 from django.templatetags.static import static
@@ -46,9 +45,17 @@ def delete_url(model, pk):
 
 @register.filter()
 def markdown(value):
-    tags = markdown_tags + [
+    tags = {
+        "h1", "h2", "h3", "h4", "h5", "h6",
+        "b", "i", "strong", "em", "tt",
+        "p", "br",
+        "span", "div", "blockquote", "code", "pre", "hr",
+        "ul", "ol", "li", "dd", "dt",
+        "img",
+        "a",
+        "sub", "sup",
         'pre', 'table', 'td', 'tr', 'th', 'tbody', 'style', 'thead'
-    ]
+    }
     parsed_md = md.markdown(
         value,
         extensions=[
@@ -56,7 +63,12 @@ def markdown(value):
             UrlizeExtension(), MarkdownFormatExtension()
         ]
     )
-    markdown_attrs['*'] = markdown_attrs['*'] + ['class']
+    markdown_attrs = {
+        "*": ["id", "class"],
+        "img": ["src", "alt", "title"],
+        "a": ["href", "alt", "title"],
+    }
+
     parsed_md = parsed_md[3:] # remove outer paragraph
     parsed_md = parsed_md[:len(parsed_md)-4]
     return bleach.clean(parsed_md, tags, markdown_attrs)

requirements.txt

@@ -10,7 +10,6 @@ drf-writable-nested==0.7.0
 django-oauth-toolkit==2.2.0
 django-debug-toolbar==3.8.1
 bleach==6.0.0
-bleach-allowlist==1.0.3
 gunicorn==20.1.0
 lxml==4.9.3
 Markdown==3.4.3