Strip unwanted tags from task note and comments

2018-12-20 17:08:09 -08:00 · 2018-12-20 17:08:09 -08:00 · f526ed5166
commit f526ed5166
parent c6bd3bcdb0
7 changed files with 298 additions and 92 deletions
--- a/todo/init.py
+++ b/todo/init.py
@ -1,7 +1,7 @@
 """
 A multi-user, multi-group task management and assignment system for Django.
 """
-__version__ = '2.0.3'
+__version__ = '2.1.0'

 __author__ = 'Scot Hacker'
 __email__ = 'shacker@birdhouse.org'
--- a/todo/models.py
+++ b/todo/models.py
@ -75,4 +75,4 @@ class Comment(models.Model):
        return "{author} - {snippet}...".format(author=self.author, snippet=self.body[:35])

    def __str__(self):
-        return self.snippet
+        return self.snippet()
--- a/todo/tests/test_views.py
+++ b/todo/tests/test_views.py
@ -1,5 +1,8 @@
+import bleach
+import json
 import pytest

+from django.contrib.auth import get_user_model
 from django.contrib.auth.models import Group
 from django.urls import reverse

@ -85,6 +88,60 @@ def test_view_search(todo_setup, admin_client):
    assert response.status_code == 200


+@pytest.mark.django_db
+def test_no_javascript_in_task_note(todo_setup, client):
+    task_list = TaskList.objects.first()
+    user = get_user_model().objects.get(username="u2")
+    title = "Some Unique String"
+    note = "foo <script>alert('oh noez');</script> bar"
+    data = {
+        "task_list": task_list.id,
+        "created_by": user.id,
+        "priority": 10,
+        "title": title,
+        "note": note,
+        'add_edit_task': 'Submit'
+    }
+
+    client.login(username='u2', password="password")
+    url = reverse('todo:list_detail', kwargs={"list_id": task_list.id, "list_slug": task_list.slug})
+
+    response = client.post(url, data)
+    assert response.status_code == 302
+
+    # Retrieve new task and compare notes field
+    task = Task.objects.get(title=title)
+    assert task.note != note  # Should have been modified by bleach since note included javascript!
+    assert task.note == bleach.clean(note, strip=True)
+
+
+@pytest.mark.django_db
+def test_no_javascript_in_comments(todo_setup, client):
+    user = get_user_model().objects.get(username="u2")
+    client.login(username='u2', password="password")
+
+    task = Task.objects.first()
+    task.created_by = user
+    task.save()
+
+    user.groups.add(task.task_list.group)
+
+    comment = "foo <script>alert('oh noez');</script> bar"
+    data = {
+        "comment-body": comment,
+        "add_comment": 'Submit'
+    }
+    url = reverse('todo:task_detail', kwargs={"task_id": task.id})
+
+    response = client.post(url, data)
+    assert response.status_code == 200
+
+    task.refresh_from_db()
+    newcomment = task.comment_set.last()
+    assert newcomment != comment  # Should have been modified by bleach
+    assert newcomment.body == bleach.clean(comment, strip=True)
+
+
 # ### PERMISSIONS ###

 """
@ -139,9 +196,9 @@ def test_view_task_mine(todo_setup, client):


 def test_view_task_my_group(todo_setup, client, django_user_model):
-    # User can always view tasks that are NOT theirs IF the task is in a shared group.
-    # u1 and u2 are in different groups in the fixture -
-    # Put them in the same group.
+    """User can always view tasks that are NOT theirs IF the task is in a shared group.
+    u1 and u2 are in different groups in the fixture -
+    Put them in the same group."""
    g1 = Group.objects.get(name="Workgroup One")
    u2 = django_user_model.objects.get(username="u2")
    u2.groups.add(g1)
--- a/todo/views.py
+++ b/todo/views.py
@ -1,4 +1,5 @@
 import datetime
+import bleach

 from django.conf import settings
 from django.contrib import messages
@ -150,6 +151,7 @@ def list_detail(request, list_id=None, list_slug=None, view_completed=False):
        if form.is_valid():
            new_task = form.save(commit=False)
            new_task.created_date = timezone.now()
+            new_task.note = bleach.clean(form.cleaned_data['note'], strip=True)
            form.save()

            # Send email alert only if Notify checkbox is checked AND assignee is not same as the submitter
@ -197,7 +199,7 @@ def task_detail(request, task_id: int) -> HttpResponse:
        Comment.objects.create(
            author=request.user,
            task=task,
-            body=request.POST['comment-body'],
+            body=bleach.clean(request.POST['comment-body'], strip=True),
        )

        send_email_to_thread_participants(
@ -210,7 +212,9 @@ def task_detail(request, task_id: int) -> HttpResponse:
        form = AddEditTaskForm(request.user, request.POST, instance=task, initial={'task_list': task.task_list})

        if form.is_valid():
-            form.save()
+            item = form.save(commit=False)
+            item.note = bleach.clean(form.cleaned_data['note'], strip=True)
+            item.save()
            messages.success(request, "The task has been edited.")
            return redirect('todo:list_detail', list_id=task.task_list.id, list_slug=task.task_list.slug)
    else: