OpenSlides/openslides/utils/validate.py

from typing import Any

import bleach

from .rest_api import ValidationError


allowed_tags = [
    "a",
    "img",  # links and images
    "br",
    "p",
    "span",
    "blockquote",  # text layout
    "strike",
    "del",
    "ins",
    "strong",
    "u",
    "em",
    "sup",
    "sub",
    "pre",  # text formatting
    "h1",
    "h2",
    "h3",
    "h4",
    "h5",
    "h6",  # headings
    "ol",
    "ul",
    "li",  # lists
    "table",
    "caption",
    "thead",
    "tbody",
    "th",
    "tr",
    "td",  # tables
]
allowed_attributes = {
    "*": ["class", "style"],
    "img": ["alt", "src", "title"],
    "a": ["href", "title"],
    "th": ["scope"],
    "ol": ["start"],
}
allowed_styles = [
    "color",
    "background-color",
    "height",
    "width",
    "text-align",
    "float",
    "padding",
    "text-decoration",
]


def validate_html(html: str) -> str:
    """
    This method takes a string and escapes all non-whitelisted html entries.
    Every field of a model that is loaded trusted in the DOM should be validated.
    During copy and paste from Word maybe some tabs are spread over the html. Remove them.
    """
    html = html.replace("\t", "")
    return bleach.clean(
        html, tags=allowed_tags, attributes=allowed_attributes, styles=allowed_styles
    )


def validate_json(json: Any, max_depth: int) -> Any:
    """
    Traverses through the JSON structure (dicts and lists) and runs
    validate_html on every found string.

    Give max-depth to protect against stack-overflows. This should be the
    maximum nested depth of the object expected.
    """

    if max_depth == 0:
        raise ValidationError({"detail": "The JSON is too nested."})

    if isinstance(json, dict):
        return {key: validate_json(value, max_depth - 1) for key, value in json.items()}
    if isinstance(json, list):
        return [validate_json(item, max_depth - 1) for item in json]
    if isinstance(json, str):
        return validate_html(json)

    return json
Added html validation for users and personal notes 2019-11-06 15:55:03 +01:00			`from typing import Any`

Prevent XSS-attacks (fixes #2871) 2017-01-20 11:34:05 +01:00			`import bleach`

Added html validation for users and personal notes 2019-11-06 15:55:03 +01:00			`from .rest_api import ValidationError`

Update to channels 2 * geis does not work with channels2 and never will be (it has to be python now) * pytest * rewrote cache system * use username instead of pk for admin user in tests 2018-07-09 23:22:26 +02:00
Prevent XSS-attacks (fixes #2871) 2017-01-20 11:34:05 +01:00			`allowed_tags = [`
Run black 2019-01-06 16:22:33 +01:00			`"a",`
			`"img", # links and images`
			`"br",`
			`"p",`
			`"span",`
			`"blockquote", # text layout`
			`"strike",`
Allow <del> and <ins> html tags. 2019-09-24 12:53:15 +02:00			`"del",`
			`"ins",`
Run black 2019-01-06 16:22:33 +01:00			`"strong",`
			`"u",`
			`"em",`
			`"sup",`
			`"sub",`
			`"pre", # text formatting`
			`"h1",`
			`"h2",`
			`"h3",`
			`"h4",`
			`"h5",`
			`"h6", # headings`
			`"ol",`
			`"ul",`
			`"li", # lists`
			`"table",`
			`"caption",`
			`"thead",`
			`"tbody",`
			`"th",`
			`"tr",`
			`"td", # tables`
Prevent XSS-attacks (fixes #2871) 2017-01-20 11:34:05 +01:00			`]`
			`allowed_attributes = {`
Run black 2019-01-06 16:22:33 +01:00			`"*": ["class", "style"],`
			`"img": ["alt", "src", "title"],`
			`"a": ["href", "title"],`
			`"th": ["scope"],`
			`"ol": ["start"],`
Prevent XSS-attacks (fixes #2871) 2017-01-20 11:34:05 +01:00			`}`
			`allowed_styles = [`
Run black 2019-01-06 16:22:33 +01:00			`"color",`
			`"background-color",`
			`"height",`
			`"width",`
			`"text-align",`
			`"float",`
			`"padding",`
Add text-decoration to bleach whitelist, fix tinymce toolbar 2019-03-08 10:00:26 +01:00			`"text-decoration",`
Prevent XSS-attacks (fixes #2871) 2017-01-20 11:34:05 +01:00			`]`


more typings 2017-08-24 12:26:55 +02:00			`def validate_html(html: str) -> str:`
Prevent XSS-attacks (fixes #2871) 2017-01-20 11:34:05 +01:00			`"""`
			`This method takes a string and escapes all non-whitelisted html entries.`
			`Every field of a model that is loaded trusted in the DOM should be validated.`
fixed indentions and wrong line breaks in pdf, remove every tab in html (fixes #3678) 2018-03-24 08:08:21 +01:00			`During copy and paste from Word maybe some tabs are spread over the html. Remove them.`
Prevent XSS-attacks (fixes #2871) 2017-01-20 11:34:05 +01:00			`"""`
Run black 2019-01-06 16:22:33 +01:00			`html = html.replace("\t", "")`
more typings 2017-08-24 12:26:55 +02:00			`return bleach.clean(`
Run black 2019-01-06 16:22:33 +01:00			`html, tags=allowed_tags, attributes=allowed_attributes, styles=allowed_styles`
			`)`
Added html validation for users and personal notes 2019-11-06 15:55:03 +01:00

			`def validate_json(json: Any, max_depth: int) -> Any:`
			`"""`
			`Traverses through the JSON structure (dicts and lists) and runs`
			`validate_html on every found string.`

			`Give max-depth to protect against stack-overflows. This should be the`
			`maximum nested depth of the object expected.`
			`"""`

			`if max_depth == 0:`
			`raise ValidationError({"detail": "The JSON is too nested."})`

			`if isinstance(json, dict):`
			`return {key: validate_json(value, max_depth - 1) for key, value in json.items()}`
			`if isinstance(json, list):`
			`return [validate_json(item, max_depth - 1) for item in json]`
			`if isinstance(json, str):`
			`return validate_html(json)`

			`return json`