Fixing insert of unneeded html tags in db

Added a Sanitize function in util * Possibility to add model in it * Already a preset default model Comments shouldn't be allowed html, too difficult to check every comment for broken html Torrents are still allowed html tags but I don't think it should since we use markdown.
2017-05-23 22:09:20 +02:00 · 2017-05-23 22:09:20 +02:00 · 23e7d33bb6
Parent 07623e85ed
--- a/router/upload.go
+++ b/router/upload.go
@ -20,7 +20,6 @@ import (
 	"github.com/NyaaPantsu/nyaa/util"
 	"github.com/NyaaPantsu/nyaa/util/categories"
 	"github.com/NyaaPantsu/nyaa/util/metainfo"
-	"github.com/microcosm-cc/bluemonday"
 	"github.com/zeebo/bencode"
 )

@ -83,7 +82,7 @@ var ErrInvalidWebsiteLink = errors.New("Website url or IRC link is invalid")
 // error indicating a torrent's category is invalid
 var ErrInvalidTorrentCategory = errors.New("Torrent category is invalid")

-var p = bluemonday.UGCPolicy()
+// var p = bluemonday.UGCPolicy()

 /**
 UploadForm.ExtractInfo takes an http request and computes all fields for this form
@ -100,7 +99,7 @@ func (f *UploadForm) ExtractInfo(r *http.Request) error {

 	// trim whitespace
 	f.Name = util.TrimWhitespaces(f.Name)
-	f.Description = p.Sanitize(util.TrimWhitespaces(f.Description))
+	f.Description = util.Sanitize(util.TrimWhitespaces(f.Description), "default")
 	f.WebsiteLink = util.TrimWhitespaces(f.WebsiteLink)
 	f.Magnet = util.TrimWhitespaces(f.Magnet)
 	cache.Impl.ClearAll()
@ -241,7 +240,7 @@ func (f *UploadForm) ExtractEditInfo(r *http.Request) error {

 	// trim whitespace
 	f.Name = util.TrimWhitespaces(f.Name)
-	f.Description = p.Sanitize(util.TrimWhitespaces(f.Description))
+	f.Description = util.Sanitize(util.TrimWhitespaces(f.Description), "default")

 	catsSplit := strings.Split(f.Category, "_")
 	// need this to prevent out of index panics
--- a/router/view_torrent_handler.go
+++ b/router/view_torrent_handler.go
@ -15,6 +15,7 @@ import (
 	"github.com/NyaaPantsu/nyaa/service/report"
 	"github.com/NyaaPantsu/nyaa/service/torrent"
 	"github.com/NyaaPantsu/nyaa/service/user/permission"
+	"github.com/NyaaPantsu/nyaa/util"
 	"github.com/NyaaPantsu/nyaa/util/languages"
 	"github.com/NyaaPantsu/nyaa/util/log"
 	msg "github.com/NyaaPantsu/nyaa/util/messages"
@ -90,7 +91,7 @@ func PostCommentHandler(w http.ResponseWriter, r *http.Request) {
 			messages.AddErrorT("errors", "bad_captcha")
 		}
 	}
-	content := p.Sanitize(r.FormValue("comment"))
+	content := util.Sanitize(r.FormValue("comment"), "")

 	if strings.TrimSpace(content) == "" {
 		messages.AddErrorT("errors", "comment_empty")
--- a/util/markdown.go
+++ b/util/markdown.go
@ -38,3 +38,24 @@ func MarkdownToHTML(markdown string) template.HTML {
 	html := bluemonday.UGCPolicy().SanitizeBytes(unsafe)
 	return template.HTML(html)
 }
+
+
+/*
+ * Sanitize a message passed as a string according to a setted model or allowing a set of html tags and output a string
+ */
+func Sanitize(msg string, elements ...string) string {
+	p := bluemonday.StrictPolicy()
+	if len(elements) > 0 {
+		if elements[0] == "default" { // default model
+			p.AllowElements("b", "strong", "em", "i", "u", "blockquote", "q")
+			p.AllowImages()
+			p.AllowStandardURLs()
+			p.AllowAttrs("cite").OnElements("blockquote", "q")
+			p.AllowAttrs("href").OnElements("a")
+			p.AddTargetBlankToFullyQualifiedLinks(true)
+		} else { // allowing set of html tags
+			p.AllowElements(elements...)
+		}
+	}
+	return p.Sanitize(msg)
+}