Added html validation for users and personal notes
This commit is contained in:
parent
d248f5fbc1
commit
c54e2621f2
@ -9,6 +9,7 @@ from ..utils.rest_api import (
|
|||||||
RelatedField,
|
RelatedField,
|
||||||
ValidationError,
|
ValidationError,
|
||||||
)
|
)
|
||||||
|
from ..utils.validate import validate_html
|
||||||
from .models import Group, PersonalNote, User
|
from .models import Group, PersonalNote, User
|
||||||
|
|
||||||
|
|
||||||
@ -90,6 +91,11 @@ class UserFullSerializer(ModelSerializer):
|
|||||||
data["username"] = User.objects.generate_username(
|
data["username"] = User.objects.generate_username(
|
||||||
data.get("first_name", ""), data.get("last_name", "")
|
data.get("first_name", ""), data.get("last_name", "")
|
||||||
)
|
)
|
||||||
|
|
||||||
|
# check the about_me html
|
||||||
|
if "about_me" in data:
|
||||||
|
data["about_me"] = validate_html(data["about_me"])
|
||||||
|
|
||||||
return data
|
return data
|
||||||
|
|
||||||
def prepare_password(self, validated_data):
|
def prepare_password(self, validated_data):
|
||||||
|
@ -42,6 +42,7 @@ from ..utils.rest_api import (
|
|||||||
list_route,
|
list_route,
|
||||||
status,
|
status,
|
||||||
)
|
)
|
||||||
|
from ..utils.validate import validate_json
|
||||||
from ..utils.views import APIView
|
from ..utils.views import APIView
|
||||||
from .access_permissions import (
|
from .access_permissions import (
|
||||||
GroupAccessPermissions,
|
GroupAccessPermissions,
|
||||||
@ -688,7 +689,8 @@ class PersonalNoteViewSet(ModelViewSet):
|
|||||||
for data in request.data:
|
for data in request.data:
|
||||||
if data["collection"] not in personal_note.notes:
|
if data["collection"] not in personal_note.notes:
|
||||||
personal_note.notes[data["collection"]] = {}
|
personal_note.notes[data["collection"]] = {}
|
||||||
personal_note.notes[data["collection"]][data["id"]] = data["content"]
|
content = validate_json(data["content"], 2)
|
||||||
|
personal_note.notes[data["collection"]][data["id"]] = content
|
||||||
|
|
||||||
personal_note.save()
|
personal_note.save()
|
||||||
return Response()
|
return Response()
|
||||||
|
@ -1,5 +1,9 @@
|
|||||||
|
from typing import Any
|
||||||
|
|
||||||
import bleach
|
import bleach
|
||||||
|
|
||||||
|
from .rest_api import ValidationError
|
||||||
|
|
||||||
|
|
||||||
allowed_tags = [
|
allowed_tags = [
|
||||||
"a",
|
"a",
|
||||||
@ -63,3 +67,25 @@ def validate_html(html: str) -> str:
|
|||||||
return bleach.clean(
|
return bleach.clean(
|
||||||
html, tags=allowed_tags, attributes=allowed_attributes, styles=allowed_styles
|
html, tags=allowed_tags, attributes=allowed_attributes, styles=allowed_styles
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def validate_json(json: Any, max_depth: int) -> Any:
|
||||||
|
"""
|
||||||
|
Traverses through the JSON structure (dicts and lists) and runs
|
||||||
|
validate_html on every found string.
|
||||||
|
|
||||||
|
Give max-depth to protect against stack-overflows. This should be the
|
||||||
|
maximum nested depth of the object expected.
|
||||||
|
"""
|
||||||
|
|
||||||
|
if max_depth == 0:
|
||||||
|
raise ValidationError({"detail": "The JSON is too nested."})
|
||||||
|
|
||||||
|
if isinstance(json, dict):
|
||||||
|
return {key: validate_json(value, max_depth - 1) for key, value in json.items()}
|
||||||
|
if isinstance(json, list):
|
||||||
|
return [validate_json(item, max_depth - 1) for item in json]
|
||||||
|
if isinstance(json, str):
|
||||||
|
return validate_html(json)
|
||||||
|
|
||||||
|
return json
|
||||||
|
@ -124,6 +124,20 @@ class UserCreate(TestCase):
|
|||||||
{"groups_id": ['Invalid pk "%d" - object does not exist.' % group_pk]},
|
{"groups_id": ['Invalid pk "%d" - object does not exist.' % group_pk]},
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def test_clean_html(self):
|
||||||
|
self.client.login(username="admin", password="admin")
|
||||||
|
response = self.client.post(
|
||||||
|
reverse("user-list"),
|
||||||
|
{
|
||||||
|
"username": "test_name_Thimoo2ho7ahreighio3",
|
||||||
|
"about_me": "<p><foo>bar</foo></p>",
|
||||||
|
},
|
||||||
|
)
|
||||||
|
|
||||||
|
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
|
||||||
|
user = User.objects.get(username="test_name_Thimoo2ho7ahreighio3")
|
||||||
|
self.assertEqual(user.about_me, "<p><foo>bar</foo></p>")
|
||||||
|
|
||||||
|
|
||||||
class UserUpdate(TestCase):
|
class UserUpdate(TestCase):
|
||||||
"""
|
"""
|
||||||
@ -913,6 +927,44 @@ class PersonalNoteTest(TestCase):
|
|||||||
"test_note_do2ncoi7ci2fm93LjwlO",
|
"test_note_do2ncoi7ci2fm93LjwlO",
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def test_clean_html(self):
|
||||||
|
admin_client = APIClient()
|
||||||
|
admin_client.login(username="admin", password="admin")
|
||||||
|
response = admin_client.post(
|
||||||
|
reverse("personalnote-create-or-update"),
|
||||||
|
[
|
||||||
|
{
|
||||||
|
"collection": "test_collection",
|
||||||
|
"id": 1,
|
||||||
|
"content": {"note": "<p><foo>bar</foo></p>", "star": False},
|
||||||
|
}
|
||||||
|
],
|
||||||
|
format="json",
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, status.HTTP_200_OK)
|
||||||
|
personal_note = PersonalNote.objects.get()
|
||||||
|
self.assertEqual(
|
||||||
|
personal_note.notes["test_collection"]["1"],
|
||||||
|
{"note": "<p><foo>bar</foo></p>", "star": False},
|
||||||
|
)
|
||||||
|
|
||||||
|
def test_clean_html_content_too_nested(self):
|
||||||
|
admin_client = APIClient()
|
||||||
|
admin_client.login(username="admin", password="admin")
|
||||||
|
response = admin_client.post(
|
||||||
|
reverse("personalnote-create-or-update"),
|
||||||
|
[
|
||||||
|
{
|
||||||
|
"collection": "test_collection",
|
||||||
|
"id": 1,
|
||||||
|
"content": [{"some:key": ["<p><foo>bar</foo></p>"]}, 3],
|
||||||
|
}
|
||||||
|
],
|
||||||
|
format="json",
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
|
||||||
|
self.assertFalse(PersonalNote.objects.exists())
|
||||||
|
|
||||||
def test_delete_other_user(self):
|
def test_delete_other_user(self):
|
||||||
user = User.objects.create(username="user")
|
user = User.objects.create(username="user")
|
||||||
admin_client = APIClient()
|
admin_client = APIClient()
|
||||||
|
Loading…
Reference in New Issue
Block a user