From e6f27795e294e1f6b6b977b49bfa3da36955b763 Mon Sep 17 00:00:00 2001
From: Christian Lawson-Perfect
Date: Tue, 23 Aug 2022 12:31:32 +0100
Subject: [PATCH 1/5] Django 4.0 compatibility: smart_str

In django 4.0, django.utils.encoding.smart_text is removed; it's now known as smart_str. It was deprecated in django 3.0: https://docs.djangoproject.com/en/4.1/releases/3.0/#django-utils-encoding-force-text-and-smart-text
---
 sanitizer/models.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/sanitizer/models.py b/sanitizer/models.py
index afc2590..10e7974 100644
--- a/sanitizer/models.py
+++ b/sanitizer/models.py
@@ -3,7 +3,10 @@
 import sys
 if sys.version_info[0] == 3:
- from django.utils.encoding import smart_text as smart_unicode
+ try:
+ from django.utils.encoding import smart_str as smart_unicode
+ except ImportError:
+ from django.utils.encoding import smart_text as smart_unicode
 else:
 from django.utils.encoding import smart_unicode
From 10cfd63b5884d8bd415d8bcaf808f2a7dad775fe Mon Sep 17 00:00:00 2001
From: Christian Lawson-Perfect
Date: Thu, 10 Apr 2025 14:05:16 +0100
Subject: [PATCH 2/5] upgrade for bleach 6

Apparently starting in version 5, bleach.clean doesn't take a 'styles' kwarg. There's no mention of it in the change log or the documentation, so I have no idea whether it ever tried to sanitize styles at all.
---
 sanitizer/decorators.py | 3 +--
 sanitizer/templatetags/sanitizer.py | 28 ++++++++++++----------------
 setup.py | 2 +-
 3 files changed, 14 insertions(+), 19 deletions(-)

diff --git a/sanitizer/decorators.py b/sanitizer/decorators.py
index cf39398..829a36a 100644
--- a/sanitizer/decorators.py
+++ b/sanitizer/decorators.py
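Review bot: The `except ImportError` fallback to `smart_text` added in the Python 3 branch is, as far as I can tell, never taken: Django has exported `smart_str` on Python 3 since the 1.x line (on Django 2 and 3 it is the same function as `smart_text`), so the name cannot be missing on any Django that still offers `smart_text`. A plain `from django.utils.encoding import smart_str as smart_unicode` on the first `+` line says the same thing without a dead branch. If the fallback is kept deliberately, a comment such as `# smart_text was removed in Django 4.0; smart_str is the surviving name` would tell the next reader why both imports exist.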
@@ -16,12 +16,11 @@ class sanitize(object):
 def __init__(self, tags=bleach.ALLOWED_TAGS,
- attributes=bleach.ALLOWED_ATTRIBUTES, styles=[], strip=False,
+ attributes=bleach.ALLOWED_ATTRIBUTES, strip=False,
 strip_comments=True):
 self.kwargs = {
 'tags': tags,
 'attributes': attributes,
- 'styles': styles,
 'strip': strip,
 'strip_comments': strip_comments,
 }
diff --git a/sanitizer/templatetags/sanitizer.py b/sanitizer/templatetags/sanitizer.py
index c68a091..2fea1ec 100644
--- a/sanitizer/templatetags/sanitizer.py
+++ b/sanitizer/templatetags/sanitizer.py
@@ -11,7 +11,6 @@
 ALLOWED_TAGS = getattr(settings, 'SANITIZER_ALLOWED_TAGS', [])
 ALLOWED_ATTRIBUTES = getattr(settings, 'SANITIZER_ALLOWED_ATTRIBUTES', [])
-ALLOWED_STYLES = getattr(settings, 'SANITIZER_ALLOWED_STYLES', [])
 register = template.Library()
@@ -19,8 +18,8 @@
 @stringfilter
 def sanitize(value):
 '''
- Sanitizes strings according to SANITIZER_ALLOWED_TAGS,
- SANITIZER_ALLOWED_ATTRIBUTES and SANITIZER_ALLOWED_STYLES variables in
+ Sanitizes strings according to SANITIZER_ALLOWED_TAGS and
+ SANITIZER_ALLOWED_ATTRIBUTES variables in
 settings.
 Example usage:
@@ -32,7 +31,7 @@ def sanitize(value):
 if isinstance(value, basestring):
 value = bleach.clean(value, tags=ALLOWED_TAGS,
 attributes=ALLOWED_ATTRIBUTES,
- styles=ALLOWED_STYLES, strip=False)
+ strip=False)
 return value
 register.filter('escape_html', sanitize)
@@ -41,8 +40,8 @@ def sanitize(value):
 @stringfilter
 def strip_filter(value):
 '''
- Strips HTML tags from strings according to SANITIZER_ALLOWED_TAGS,
- SANITIZER_ALLOWED_ATTRIBUTES and SANITIZER_ALLOWED_STYLES variables in
+ Strips HTML tags from strings according to SANITIZER_ALLOWED_TAGS
+ and SANITIZER_ALLOWED_ATTRIBUTES variables in
 settings.
 Example usage:
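Review bot: Dropping `ALLOWED_STYLES` in the `@@ -11,7 +11,6` hunk silently ignores a `SANITIZER_ALLOWED_STYLES` setting that existing deployments may still carry, and every `bleach.clean` call in this line and the next (`sanitize`, `strip_filter`, `escape_html`, `strip_html`, plus the `styles=` keyword removed from the decorator hunk at the top of this line) now lets callers allow the `style` attribute with no CSS policy attached. As far as I recall, bleach 5 replaced `styles=` with `css_sanitizer=` (`bleach.css_sanitizer.CSSSanitizer(allowed_css_properties=...)`, which needs the `bleach[css]` extra) and, when `style` is allowed without one, warns and blanks the attribute value, so the old property allowlist can be carried over instead of discarded: `ALLOWED_STYLES = getattr(settings, 'SANITIZER_ALLOWED_STYLES', [])`, `CSS_SANITIZER = CSSSanitizer(allowed_css_properties=ALLOWED_STYLES) if ALLOWED_STYLES else None`, and `css_sanitizer=CSS_SANITIZER` in each clean call. If the project would rather drop CSS support, a warning at import time when the setting is present would at least make the change visible to operators, and the two docstrings rewritten here should say that `style` values are now discarded.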
@@ -54,7 +53,7 @@ def strip_filter(value):
 if isinstance(value, basestring):
 value = bleach.clean(value, tags=ALLOWED_TAGS,
 attributes=ALLOWED_ATTRIBUTES,
- styles=ALLOWED_STYLES, strip=True)
+ strip=True)
 return value
 register.filter('strip_html', strip_filter)
@@ -72,7 +71,6 @@ def sanitize_allow(value, args=''):
 if isinstance(value, basestring):
 allowed_tags = []
 allowed_attributes = []
- allowed_styles = []
 args = args.strip().split(';')
 if len(args) > 0:
@@ -88,11 +86,10 @@ def sanitize_allow(value, args=''):
 @register.simple_tag
-def escape_html(value, allowed_tags=[], allowed_attributes=[],
- allowed_styles=[]):
+def escape_html(value, allowed_tags=[], allowed_attributes=[]):
 """
 Template tag to sanitize string values. It accepts lists of
- allowed tags, attributes or styles in comma separated string or list format.
+ allowed tags or attributes in comma separated string or list format.
 For example:
@@ -111,16 +108,15 @@ def escape_html(value, allowed_tags=[], allowed_attributes=[],
 if isinstance(value, basestring):
 value = bleach.clean(value, tags=allowed_tags,
 attributes=allowed_attributes,
- styles=allowed_styles, strip=False)
+ strip=False)
 return value
 @register.simple_tag
-def strip_html(value, allowed_tags=[], allowed_attributes=[],
- allowed_styles=[]):
+def strip_html(value, allowed_tags=[], allowed_attributes=[]):
 """
 Template tag to strip html from string values. It accepts lists of
- allowed tags, attributes or stylesin comma separated string or list format.
+ allowed tags or attributes in comma separated string or list format.
 For example:
@@ -139,5 +135,5 @@ def strip_html(value, allowed_tags=[], allowed_attributes=[],
 if isinstance(value, basestring):
 value = bleach.clean(value, tags=allowed_tags,
 attributes=allowed_attributes,
- styles=allowed_styles, strip=True)
+ strip=True)
 return value
diff --git a/setup.py b/setup.py
index cd64ff6..e8d3322 100644
--- a/setup.py
+++ b/setup.py
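Review bot: The rewritten signatures `def escape_html(value, allowed_tags=[], allowed_attributes=[]):` and `def strip_html(value, allowed_tags=[], allowed_attributes=[]):` keep mutable list defaults; the code that turns a comma-separated string into a list sits outside these hunks, but if any path appends to the argument the default list is shared across every template render, so `allowed_tags=(), allowed_attributes=()` is the safer spelling and is transparent to callers that pass their own values. The CSS-policy gap noted on the previous line applies equally to the four `bleach.clean` calls rebuilt here (`strip_filter`, and `escape_html`/`strip_html` in the `@@ -111` and `@@ -139` hunks). The bodies of `escape_html` and `strip_html` begin outside those last two hunks.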
@@ -16,7 +16,7 @@
 long_description=open('README.rst').read(),
 zip_safe=False,
 include_package_data=True,
- install_requires=['django', 'bleach'],
+ install_requires=['django', 'bleach~=6'],
 classifiers=[
 'Development Status :: 4 - Beta',
 'Environment :: Web Environment',
From ef6ef3881c0b9f3c6b340eec7165602fa061a023 Mon Sep 17 00:00:00 2001
From: Christian Lawson-Perfect
Date: Thu, 17 Apr 2025 15:17:25 +0100
Subject: [PATCH 3/5] fix the install_requires string

---
 setup.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup.py b/setup.py
index e8d3322..796b9cd 100644
--- a/setup.py
+++ b/setup.py
@@ -16,7 +16,7 @@
 long_description=open('README.rst').read(),
 zip_safe=False,
 include_package_data=True,
- install_requires=['django', 'bleach~=6'],
+ install_requires=['django', 'bleach>=6'],
 classifiers=[
 'Development Status :: 4 - Beta',
 'Environment :: Web Environment',
From 6afcf5760fd361650550d8996de0e5ad0a8527e5 Mon Sep 17 00:00:00 2001
From: Christian Lawson-Perfect
Date: Thu, 17 Apr 2025 15:33:15 +0100
Subject: [PATCH 4/5] bump versoin: 0.1.6

---
 sanitizer/__init__.py | 2 +-
 setup.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/sanitizer/__init__.py b/sanitizer/__init__.py
index 85bd8ef..6fa58f0 100644
--- a/sanitizer/__init__.py
+++ b/sanitizer/__init__.py
@@ -1,3 +1,3 @@
-VERSION = (0, 1, 4)
+VERSION = (0, 1, 6)
 from .decorators import sanitize
diff --git a/setup.py b/setup.py
index 796b9cd..04fda26 100644
--- a/setup.py
+++ b/setup.py
@@ -4,7 +4,7 @@
 setup(
 name='django-html_sanitizer',
- version='0.1.5',
+ version='0.1.6',
 author='Selwin Ong',
 author_email='selwin.ong@gmail.com',
 packages=['sanitizer'],
From 1458b5b7d354f4ee5f4908720d548931a953adc9 Mon Sep 17 00:00:00 2001
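Review bot: `install_requires=['django', 'bleach>=6']` in the PATCH 3/5 hunk has no upper bound, although this whole series exists because a bleach major release removed a keyword argument; `'bleach>=6,<7'` (or `'bleach~=6.0'`, the two-segment form of the single-segment `~=6` that PATCH 2/5 tried, which is not a valid PEP 440 specifier and is presumably why it was changed) keeps the next such removal from breaking fresh installs. If CSS sanitization is reinstated through `css_sanitizer`, the requirement becomes `'bleach[css]>=6,<7'` so tinycss2 is installed with it. `django` stays unpinned even though PATCH 1/5 only deals with the `smart_str` rename; a lower bound matching the versions actually tested would help packagers.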
From: Christian Lawson-Perfect
Date: Tue, 22 Apr 2025 15:42:18 +0100
Subject: [PATCH 5/5] remove the remaining references to styles

---
 sanitizer/forms.py | 5 ++---
 sanitizer/models.py | 12 +++++-------
 sanitizer/tests.py | 15 +++++++--------
 setup.py | 2 +-
 4 files changed, 15 insertions(+), 19 deletions(-)

diff --git a/sanitizer/forms.py b/sanitizer/forms.py
index 9936dd6..d81b88e 100644
--- a/sanitizer/forms.py
+++ b/sanitizer/forms.py
@@ -8,10 +8,9 @@ class SanitizedCharField(forms.CharField):
 A subclass of CharField that escapes (or strip) HTML tags and attributes.
 """
 def __init__(self, allowed_tags=[], allowed_attributes=[],
- allowed_styles=[], strip=False, *args, **kwargs):
+ strip=False, *args, **kwargs):
 self._allowed_tags = allowed_tags
 self._allowed_attributes = allowed_attributes
- self._allowed_styles = allowed_styles
 self._strip = strip
 super(SanitizedCharField, self).__init__(*args, **kwargs)
@@ -19,4 +18,4 @@ def clean(self, value):
 value = super(SanitizedCharField, self).clean(value)
 return bleach.clean(value, tags=self._allowed_tags,
 attributes=self._allowed_attributes,
- styles=self._allowed_styles, strip=self._strip)
+ strip=self._strip)
diff --git a/sanitizer/models.py b/sanitizer/models.py
index 10e7974..1694a15 100644
--- a/sanitizer/models.py
+++ b/sanitizer/models.py
@@ -16,11 +16,10 @@ class SanitizedCharField(models.CharField):
 def __init__(self, allowed_tags=[], allowed_attributes=[],
- allowed_styles=[], strip=False,
+ strip=False,
 *args, **kwargs):
 self._sanitizer_allowed_tags = allowed_tags
 self._sanitizer_allowed_attributes = allowed_attributes
- self._sanitizer_allowed_styles = allowed_styles
 self._sanitizer_strip = strip
 super(SanitizedCharField, self).__init__(*args, **kwargs)
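Review bot: In the forms.py `@@ -8` and models.py `@@ -16` hunks the new signatures `def __init__(self, allowed_tags=[], allowed_attributes=[], strip=False, *args, **kwargs)` still place the sanitizer options before `*args`, so a field declared with Django's usual positional verbose name, `SanitizedCharField('Title', max_length=255)`, puts `'Title'` into `allowed_tags` and that string then acts as the tag allowlist handed to `bleach.clean`. If Python 2 is no longer a target (the `super(SanitizedCharField, self)` spelling suggests it once was), keyword-only options `def __init__(self, *args, allowed_tags=(), allowed_attributes=(), strip=False, **kwargs)` remove both that trap and the mutable defaults, and callers that already pass the options by keyword are unaffected. A stale `allowed_styles=` from an older caller now falls through `**kwargs` to the Django base class and raises `TypeError`, which is the right loud failure but deserves a sentence in the class docstring saying the CSS allowlist is gone. The same signature shape recurs in `SanitizedTextField.__init__` on the next line.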
@@ -28,18 +27,17 @@ def to_python(self, value):
 value = super(SanitizedCharField, self).to_python(value)
 value = bleach.clean(value, tags=self._sanitizer_allowed_tags,
 attributes=self._sanitizer_allowed_attributes,
- styles=self._sanitizer_allowed_styles, strip=self._sanitizer_strip)
+ strip=self._sanitizer_strip)
 return smart_unicode(value)
 class SanitizedTextField(models.TextField):
 def __init__(self, allowed_tags=[], allowed_attributes=[],
- allowed_styles=[], strip=False,
+ strip=False,
 *args, **kwargs):
 self._sanitizer_allowed_tags = allowed_tags
 self._sanitizer_allowed_attributes = allowed_attributes
- self._sanitizer_allowed_styles = allowed_styles
 self._sanitizer_strip = strip
 super(SanitizedTextField, self).__init__(*args, **kwargs)
@@ -47,14 +45,14 @@ def to_python(self, value):
 value = super(SanitizedTextField, self).to_python(value)
 value = bleach.clean(value, tags=self._sanitizer_allowed_tags,
 attributes=self._sanitizer_allowed_attributes,
- styles=self._sanitizer_allowed_styles, strip=self._sanitizer_strip)
+ strip=self._sanitizer_strip)
 return smart_unicode(value)
 def get_prep_value(self, value):
 value = super(SanitizedTextField, self).get_prep_value(value)
 value = bleach.clean(value, tags=self._sanitizer_allowed_tags,
 attributes=self._sanitizer_allowed_attributes,
- styles=self._sanitizer_allowed_styles, strip=self._sanitizer_strip)
+ strip=self._sanitizer_strip)
 return value
diff --git a/sanitizer/tests.py b/sanitizer/tests.py
index 21d0dcd..bf57910 100644
--- a/sanitizer/tests.py
+++ b/sanitizer/tests.py
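Review bot: The `bleach.clean(value, ...)` calls in `to_python` and `get_prep_value` (the `@@ -28` and `@@ -47` hunks) pass `value` through with no `None` guard, while `CharField.to_python`/`TextField.to_python` and `Field.get_prep_value` return `None` unchanged for a `null=True` field; as far as I recall bleach's `Cleaner.clean` raises `TypeError` for non-str input (bleach 3 and later), so loading or saving a NULL row would fail. A guard before each call, `if value is None: return value`, mirrors the `isinstance(value, basestring)` check the template filters already apply. The `def to_python` lines themselves are only the hunk headers' context and sit outside the hunks.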
@@ -11,22 +11,21 @@
 ALLOWED_TAGS = ['a']
 ALLOWED_ATTRIBUTES = ['href', 'style']
-ALLOWED_STYLES = ['width']
 class TestingModel(models.Model):
 test_field = SanitizedCharField(max_length=255, allowed_tags=ALLOWED_TAGS,
- allowed_attributes=ALLOWED_ATTRIBUTES, allowed_styles=ALLOWED_STYLES)
+ allowed_attributes=ALLOWED_ATTRIBUTES)
 class TestingTextModel(models.Model):
 test_field = SanitizedTextField(allowed_tags=ALLOWED_TAGS,
- allowed_attributes=ALLOWED_ATTRIBUTES, allowed_styles=ALLOWED_STYLES)
+ allowed_attributes=ALLOWED_ATTRIBUTES)
 class TestForm(forms.Form):
 test_field = SanitizedFormField(allowed_tags=['a'],
- allowed_attributes=['href', 'style'], allowed_styles=['width'])
+ allowed_attributes=['href', 'style'])
 class SanitizerTest(TestCase):
@@ -70,17 +69,17 @@ def test_SanitizedFormField(self):
 def test_escape_html(self):
 html = 'foo'
 self.assertEqual(escape_html(html, allowed_tags='a',
- allowed_attributes='href,style', allowed_styles='width'),
+ allowed_attributes='href,style'),
 'foo<em></em>')
 self.assertEqual(escape_html(html, allowed_tags=['a'],
- allowed_attributes=['href', 'style'], allowed_styles=['width']),
+ allowed_attributes=['href', 'style']),
 'foo<em></em>')
 def test_strip_html(self):
 html = 'foo'
 self.assertEqual(strip_html(html, allowed_tags='a',
- allowed_attributes='href,style', allowed_styles='width'),
+ allowed_attributes='href,style'),
 'foo')
 self.assertEqual(strip_html(html, allowed_tags=['a'],
- allowed_attributes=['href', 'style'], allowed_styles=['width']),
+ allowed_attributes=['href', 'style']),
 'foo')
diff --git a/setup.py b/setup.py
index 04fda26..ad25013 100644
--- a/setup.py
+++ b/setup.py
@@ -4,7 +4,7 @@
 setup(
 name='django-html_sanitizer',
- version='0.1.6',
+ version='0.1.7',
 author='Selwin Ong',
 author_email='selwin.ong@gmail.com',
 packages=['sanitizer'],
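Review bot: The fixtures still allow the `style` attribute (`ALLOWED_ATTRIBUTES = ['href', 'style']`, `allowed_attributes='href,style'`), but no assertion in `test_escape_html` or `test_strip_html` pins what now happens to a `style` value once the CSS allowlist is gone; as far as I recall bleach 5+ warns (`NoCssSanitizerWarning`) and blanks a `style` attribute that is allowed without a `css_sanitizer`, so one case with an inline style and its expected output would turn the removal of `SANITIZER_ALLOWED_STYLES` into tested, documented behaviour rather than an accident. The inputs rendered here as `html = 'foo'` appear to have lost their markup in this view, so the expected `'foo<em></em>'` cannot be checked against them from the page. `SanitizerTest` begins outside the `@@ -70` hunk. Separately, the setup.py hunk at the end of this patch bumps `version='0.1.7'` while `sanitizer/__init__.py` `VERSION` was left at `(0, 1, 6)` by PATCH 4/5, so the two version sources disagree again after this series.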