Don't filter youtube embeds with bleach

Allows to embed youtube videos in various places, including partner pages. Fixes #468

Don't filter youtube embeds with bleach
Allows to embed youtube videos in various places, including partner pages. Fixes #468
7d945fda · Thom Wiggers · 8d46accf · 7d945fda · 7d945fda
Unverified Commit 7d945fda authored Aug 16, 2017 by Thom Wiggers 📐
--- a/website/thaliawebsite/templatetags/bleach_tags.py
+++ b/website/thaliawebsite/templatetags/bleach_tags.py
@@ -8,21 +8,63 @@ from django.utils.safestring import mark_safe
 register = template.Library()


+def _allow_attributes(tag, name, value):
+    if name in ('class', ):
+        return True
+    elif tag == 'a' and name in ('href', 'rel', 'target', 'title'):
+        return True
+    elif tag == 'img' and name in ('alt', 'title', 'src'):
+        return True
+    elif tag == 'iframe' and name in (
+            'width', 'height', 'frameborder', 'allowfullscreen'):
+        return True
+    elif tag == 'iframe' and name == 'src':
+        if (value.startswith('https://www.youtube.com/embed/') or
+                value.startswith('https://www.youtube-nocookie.com/embed/')):
+            return True
+        else:
+            return False
+
+    return False
+
+
 @register.filter(is_safe=True)
 @stringfilter
 def bleach(value):
-    """Bleach dangerous html from the input"""
+    """Bleach dangerous html from the input
+
+    Examples::
+
+    >>> bleach('<script></script>')
+    ''
+    >>> bleach('simple')
+    'simple'
+    >>> bleach('<a href="http://example.com/">ex</a>')
+    '<a href="http://example.com/">ex</a>'
+    >>> bleach('<div class="bla"></div>')
+    '<div class="bla"></div>'
+    >>> bleach('<img src="https://i.redd.it/22kypw2l93gz.jpg" alt="bees">')
+    '<img alt="bees" src="https://i.redd.it/22kypw2l93gz.jpg">'
+    >>> bleach('<iframe width="560" height="315" '
+    ... 'src="https://www.youtube.com/embed/dQw4w9WgXcQ?rel=0" '
+    ... 'frameborder="0" allowfullscreen></iframe>') == (
+    ...     '<iframe allowfullscreen="" frameborder="0" height="315" '
+    ...     'src="https://www.youtube.com/embed/dQw4w9WgXcQ?rel=0" '
+    ...     'width="560"></iframe>')
+    True
+    >>> bleach('<iframe src="https://clearlyreta.rded.nl/ivo/"></iframe>')
+    '<iframe></iframe>'
+    """

    return mark_safe(
        clean(
            value,
-            tags=['h2', 'h3', 'p', 'a', 'div',
-                  'strong', 'em', 'i', 'b', 'ul', 'li', 'br', 'ol'],
-            attributes={
-                '*': ['class'],
-                'a': ['href', 'rel', 'target', 'title'],
-                'img': ['alt', 'title'],
-            },
+            tags=(
+                'h2', 'h3', 'p', 'a', 'div',
+                'strong', 'em', 'i', 'b', 'ul', 'li', 'br', 'ol',
+                'iframe', 'img'
+            ),
+            attributes=_allow_attributes,
            strip=True
        )
    )
--- a/website/thaliawebsite/tests.py
+++ b/website/thaliawebsite/tests.py
+import doctest
+
 from django.contrib.auth import get_user_model
 from django.contrib.auth.models import Permission
 from django.test import TestCase, override_settings

+from thaliawebsite.templatetags import bleach_tags
+
+
+def load_tests(loader, tests, ignore):
+    """
+    Load all tests in this module
+    """
+    # Adds the doctests in bleach_tags
+    tests.addTests(doctest.DocTestSuite(bleach_tags))
+    return tests
+

 class WikiLoginTestCase(TestCase):
    """Tests event registrations"""