from __future__ import absolute_import, print_function, unicode_literals

from bleach import clean
from django import template
from django.template.defaultfilters import stringfilter
from django.utils.safestring import mark_safe

# Filter library for this template-tag module; ``@register.filter`` below
# adds the ``bleach`` filter to it.
register = template.Library()


def _allow_attributes(tag, name, value):
    """Attribute callback handed to :func:`bleach.clean`.

    Called for each attribute of every kept tag; returning ``True`` keeps
    ``name="value"`` on ``tag`` and ``False`` drops it.  Nothing outside
    this function keeps an attribute, so it is the whole attribute
    allow-list:

    * ``class`` is kept on every tag.
    * ``<a>``, ``<img>`` and ``<iframe>`` keep a fixed set of attributes
      regardless of their value.
    * ``<iframe src>`` is the only value-dependent case: it is kept only
      when the raw value starts with one of the YouTube embed URLs below.
      This is a plain string prefix test, not URL parsing.
    """
    # Attributes kept on a given tag whatever their value holds.
    unconditional = {
        'a': ('href', 'rel', 'target', 'title'),
        'img': ('alt', 'title', 'src'),
        'iframe': ('width', 'height', 'frameborder', 'allowfullscreen'),
    }
    # The only frame sources accepted; anything else loses its src.
    embed_prefixes = (
        'https://www.youtube.com/embed/',
        'https://www.youtube-nocookie.com/embed/',
    )

    if name == 'class':
        return True
    if tag == 'iframe' and name == 'src':
        return value.startswith(embed_prefixes)
    return name in unconditional.get(tag, ())


@register.filter(is_safe=True)
@stringfilter
def bleach(value):
    """Bleach dangerous html from the input

    The input is run through :func:`bleach.clean` with a fixed tag
    allow-list and :func:`_allow_attributes` as the attribute allow-list,
    with ``strip=True`` so disallowed tags are removed rather than escaped.
    The result is wrapped in ``mark_safe`` (and the filter is registered
    ``is_safe=True``), so nothing that survives ``clean()`` is escaped
    again by the template engine: the two allow-lists are the entire
    defence for the rendered page.

    NOTE(review): URL schemes on ``href``/``src`` are not checked in this
    module; ``clean()``'s default ``protocols`` allow-list is relied on
    for that -- confirm against the installed bleach version.

    Examples::

        >>> bleach('<script></script>')
        ''
        >>> bleach('simple')
        'simple'
        >>> bleach('<a href="http://example.com/">ex</a>')
        '<a href="http://example.com/">ex</a>'
        >>> bleach('<div class="bla"></div>')
        '<div class="bla"></div>'
        >>> bleach('<img src="https://i.redd.it/22kypw2l93gz.jpg" alt="bees">')
        '<img alt="bees" src="https://i.redd.it/22kypw2l93gz.jpg">'
        >>> bleach('<iframe width="560" height="315" '
        ... 'src="https://www.youtube.com/embed/dQw4w9WgXcQ?rel=0" '
        ... 'frameborder="0" allowfullscreen></iframe>') == (
        ...     '<iframe allowfullscreen="" frameborder="0" height="315" '
        ...     'src="https://www.youtube.com/embed/dQw4w9WgXcQ?rel=0" '
        ...     'width="560"></iframe>')
        True
        >>> bleach('<iframe src="https://clearlyreta.rded.nl/ivo/"></iframe>')
        '<iframe></iframe>'
    """
    # Headings, block and inline formatting, lists, plus the two embed tags
    # whose attributes _allow_attributes constrains.
    allowed_tags = (
        'h2', 'h3', 'p', 'a', 'div',
        'strong', 'em', 'i', 'b', 'ul', 'li', 'br', 'ol',
        'iframe', 'img',
    )
    cleaned = clean(
        value,
        tags=allowed_tags,
        attributes=_allow_attributes,
        strip=True,
    )
    return mark_safe(cleaned)