removed dependency and upgraded bleach clean

2023-08-16 07:22:09 +02:00 · 2023-08-16 07:22:09 +02:00 · 1ecb57e795
commit 1ecb57e795
parent c4a0df26fc
3 changed files with 32 additions and 10 deletions
--- a/cookbook/helper/template_helper.py
+++ b/cookbook/helper/template_helper.py
@ -2,7 +2,6 @@ from gettext import gettext as _

 import bleach
 import markdown as md
-from bleach_allowlist import markdown_attrs, markdown_tags
 from jinja2 import Template, TemplateSyntaxError, UndefinedError
 from markdown.extensions.tables import TableExtension

@ -53,9 +52,17 @@ class IngredientObject(object):
 def render_instructions(step):  # TODO deduplicate markdown cleanup code
    instructions = step.instruction

-    tags = markdown_tags + [
-        'pre', 'table', 'td', 'tr', 'th', 'tbody', 'style', 'thead', 'img'
-    ]
+    tags = {
+        "h1", "h2", "h3", "h4", "h5", "h6",
+        "b", "i", "strong", "em", "tt",
+        "p", "br",
+        "span", "div", "blockquote", "code", "pre", "hr",
+        "ul", "ol", "li", "dd", "dt",
+        "img",
+        "a",
+        "sub", "sup",
+        'pre', 'table', 'td', 'tr', 'th', 'tbody', 'style', 'thead'
+    }
    parsed_md = md.markdown(
        instructions,
        extensions=[
@ -63,7 +70,11 @@ def render_instructions(step):  # TODO deduplicate markdown cleanup code
            UrlizeExtension(), MarkdownFormatExtension()
        ]
    )
-    markdown_attrs['*'] = markdown_attrs['*'] + ['class', 'width', 'height']
+    markdown_attrs = {
+        "*": ["id", "class", 'width', 'height'],
+        "img": ["src", "alt", "title"],
+        "a": ["href", "alt", "title"],
+    }

    instructions = bleach.clean(parsed_md, tags, markdown_attrs)

--- a/cookbook/templatetags/custom_tags.py
+++ b/cookbook/templatetags/custom_tags.py
@ -5,7 +5,6 @@ import bleach
 import markdown as md
 from django_scopes import ScopeError
 from markdown.extensions.tables import TableExtension
-from bleach_allowlist import markdown_attrs, markdown_tags
 from django import template
 from django.db.models import Avg
 from django.templatetags.static import static
@ -46,9 +45,17 @@ def delete_url(model, pk):

@register.filter()
 def markdown(value):
-    tags = markdown_tags + [
+    tags = {
+        "h1", "h2", "h3", "h4", "h5", "h6",
+        "b", "i", "strong", "em", "tt",
+        "p", "br",
+        "span", "div", "blockquote", "code", "pre", "hr",
+        "ul", "ol", "li", "dd", "dt",
+        "img",
+        "a",
+        "sub", "sup",
        'pre', 'table', 'td', 'tr', 'th', 'tbody', 'style', 'thead'
-    ]
+    }
    parsed_md = md.markdown(
        value,
        extensions=[
@ -56,7 +63,12 @@ def markdown(value):
            UrlizeExtension(), MarkdownFormatExtension()
        ]
    )
-    markdown_attrs['*'] = markdown_attrs['*'] + ['class']
+    markdown_attrs = {
+        "*": ["id", "class"],
+        "img": ["src", "alt", "title"],
+        "a": ["href", "alt", "title"],
+    }
+
    parsed_md = parsed_md[3:] # remove outer paragraph
    parsed_md = parsed_md[:len(parsed_md)-4]
    return bleach.clean(parsed_md, tags, markdown_attrs)
--- a/requirements.txt
+++ b/requirements.txt
@ -10,7 +10,6 @@ drf-writable-nested==0.7.0
 django-oauth-toolkit==2.2.0
 django-debug-toolbar==3.8.1
 bleach==6.0.0
-bleach-allowlist==1.0.3
 gunicorn==20.1.0
 lxml==4.9.3
 Markdown==3.4.3