Merge branch 'fix/bleach-text-decoration' into 'master'

Allow span with text-decoration by bleach

Closes #564

See merge request !707

website/thaliawebsite/templatetags/bleach_tags.py

@@ -8,22 +8,12 @@ from django.utils.safestring import mark_safe
 register = template.Library()
 
 
-def _allow_attributes(tag, name, value):
-    if name in ('class', ):
-        return True
-    elif tag == 'a' and name in ('href', 'rel', 'target', 'title'):
-        return True
-    elif tag == 'img' and name in ('alt', 'title', 'src'):
-        return True
-    elif tag == 'iframe' and name in (
-            'width', 'height', 'frameborder', 'allowfullscreen'):
+def _allow_iframe_attrs(tag, name, value):
+    if name in ('class', 'width', 'height', 'frameborder', 'allowfullscreen'):
         return True
     elif tag == 'iframe' and name == 'src':
-        if (value.startswith('https://www.youtube.com/embed/') or
-                value.startswith('https://www.youtube-nocookie.com/embed/')):
-            return True
-        else:
-            return False
+        return (value.startswith('https://www.youtube.com/embed/') or
+                value.startswith('https://www.youtube-nocookie.com/embed/'))
 
     return False
 
@@ -59,12 +49,18 @@ def bleach(value):
     return mark_safe(
         clean(
             value,
-            tags=(
+            tags=[
                 'h2', 'h3', 'p', 'a', 'div',
                 'strong', 'em', 'i', 'b', 'ul', 'li', 'br', 'ol',
-                'iframe', 'img'
-            ),
-            attributes=_allow_attributes,
+                'iframe', 'img', 'span',
+            ],
+            attributes={
+                '*': ['class', 'style'],
+                'iframe': _allow_iframe_attrs,
+                'a': ['href', 'rel', 'target', 'title'],
+                'img': ['alt', 'title', 'src'],
+            },
+            styles=['text-decoration'],
             strip=True
         )
     )