Use belach or nh3 for cleaning html (fix for #2874)

Ozzie Isaacs 2023-11-09 17:45:22 +01:00
parent bd71391bfb
commit f78e0ff938

18
cps/editbooks.py Executable file → Normal file

@ -29,9 +29,18 @@ from markupsafe import escape, Markup # dependency of flask
from functools import wraps from functools import wraps
try: try:
from lxml.html.clean import clean_html, Cleaner from bleach import clean_text as clean_html
BLEACH = True
except ImportError: except ImportError:
clean_html = None try:
from nh3 import clean as clean_html
BLEACH = False
except ImportError:
try:
from lxml.html.clean import clean_html
BLEACH = False
except ImportError:
clean_html = None
from flask import Blueprint, request, flash, redirect, url_for, abort, Response from flask import Blueprint, request, flash, redirect, url_for, abort, Response
from flask_babel import gettext as _ from flask_babel import gettext as _
@ -992,7 +1001,10 @@ def edit_book_series_index(series_index, book):
def edit_book_comments(comments, book): def edit_book_comments(comments, book):
modify_date = False modify_date = False
if comments: if comments:
comments = clean_html(comments) if BLEACH:
comments = clean_html(comments, tags=None, attributes=None)
else:
comments = clean_html(comments)
if len(book.comments): if len(book.comments):
if book.comments[0].text != comments: if book.comments[0].text != comments:
book.comments[0].text = comments book.comments[0].text = comments
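Review bot: The first import, `from bleach import clean_text as clean_html`, does not match bleach's public API as far as I know it (the sanitizer is exported as `clean`), so this branch would always raise ImportError and the code would silently fall through to nh3 or to the lxml cleaner; it should read `from bleach import clean as clean_html`. Once that branch is reachable, the call in edit_book_comments passes `tags=None, attributes=None`, which is not the same as omitting the arguments, so check what an explicit None does in the installed bleach version, or pass the intended allow-list (or drop both keywords to get bleach's defaults). The innermost fallback sets `clean_html = None` without assigning BLEACH, so `if BLEACH:` raises NameError when no sanitizer is installed; add `BLEACH = False` there and have edit_book_comments reject the comment when `clean_html is None`, so the failure stays closed but is explicit rather than accidental. edit_book_comments continues past the end of the hunk.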