sanitize with bleach
glenn-sorrentino committed Nov 11, 2024
1 parent 6f1b740 commit 779f257
Showing 2 changed files with 10 additions and 6 deletions.
14 changes: 9 additions & 5 deletions hushline/settings/__init__.py
Expand Up @@ -5,6 +5,7 @@
from typing import Optional

import aiohttp
import bleach
import pyotp
import qrcode
import requests
Expand Down Expand Up @@ -811,15 +812,18 @@ async def alias(username_id: int) -> Response | str:
profile_form=profile_form,
)


@bp.route("/update-directory-intro", methods=["POST"])
@admin_authentication_required
def update_directory_intro_text() -> Response:
form = UpdateDirectoryIntroTextForm()
intro_text = form.directory_intro_text.data

if intro_text.strip() == "":
flash("❌ Failed to update introduction text. Please check your input.", "error")
elif form.validate_on_submit():
if form.validate_on_submit():
intro_text = bleach.clean(
form.directory_intro_text.data,
tags=["b", "i", "u", "em", "strong", "a"],
attributes={"a": ["href", "title"]},
strip=True
)
OrganizationSetting.upsert(key=OrganizationSetting.DIRECTORY_INTRO, value=intro_text)
db.session.commit()
flash("✅ Directory introduction text updated successfully.", "success")
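Review bot: The cleaned value can still be empty, because the `intro_text.strip() == ""` guard was removed rather than moved: with `strip=True`, a submission consisting only of disallowed markup cleans to an empty string, and whitespace-only input also gets through unless the form field carries its own validator, so the `OrganizationSetting.upsert(...)` right after the `bleach.clean(...)` call now stores an empty intro. Re-apply the check on the cleaned value, `if not intro_text.strip():` with the existing error flash, and keep the upsert, commit and success flash under `else:`. A one-line why-comment above the call would also help, since the template renders this value with `| safe`: `# allowlist inline formatting plus links only; bleach's default protocols allowlist (http, https, mailto) drops other href schemes`. Black would put a trailing comma after `strip=True`; `update_directory_intro_text` continues past the end of the hunk.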
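--- a/hushline/templates/directory.html
+++ b/hushline/templates/directory.html
@@ -2,7 +2,7 @@
 content %}
 <h2>User Directory</h2>
 {% if intro_text %}
-<p class="helper section-intro">{{ intro_text }}</p>
+<p class="helper section-intro">{{ intro_text | safe }}</p>
 {% endif %}
 <div class="directory-tabs">
 <ul class="tab-list" role="tablist">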
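Review bot: Marking `intro_text` as `safe` makes the write-time `bleach.clean` in `update_directory_intro_text` the only barrier between the stored setting and the page, so any `DIRECTORY_INTRO` value persisted before this commit would now be rendered unescaped; a one-time re-clean of the stored value, or cleaning in the view that renders this template, would close that gap. The filter also assumes every future writer of the setting goes through the same allowlist, which is worth stating next to it: `{# intro_text is sanitized with bleach in settings.update_directory_intro_text; any other writer must clean it the same way #}`.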
