remove <script> tags altogether before running bleach

2015-02-15 19:02:48 -08:00 · 2015-02-15 19:02:48 -08:00 · aa87cdddbb
commit aa87cdddbb
parent 523a086928
2 changed files with 8 additions and 7 deletions
--- a/woodwind/models.py
+++ b/woodwind/models.py
@ -2,6 +2,7 @@ import bleach
 import json
 import binascii
 from .extensions import db
+import re


 bleach.ALLOWED_TAGS += ['a', 'img', 'p', 'br', 'marquee', 'blink',
@ -122,7 +123,9 @@ class Entry(db.Model):

    def content_cleaned(self):
        if self.content:
-            return bleach.clean(self.content, strip=True)
+            text = self.content
+            text = re.sub('<script>.*?</script>', '', text, flags=re.DOTALL)
+            return bleach.clean(text, strip=True)

    def __repr__(self):
        return '<Entry:{},{}>'.format(self.title, (self.content or '')[:140])
--- a/woodwind/views.py
+++ b/woodwind/views.py
@ -131,13 +131,11 @@ def logout():
    return flask.redirect(flask.url_for('.index'))


-@views.route('/login', methods=['GET', 'POST'])
+@views.route('/login', methods=['POST'])
 def login():
-    if flask.request.method == 'POST':
-        return micropub.authenticate(
-            flask.request.form.get('me'),
-            next_url=flask.request.form.get('next'))
-    return flask.render_template('login.jinja2')
+    return micropub.authenticate(
+        flask.request.form.get('me'),
+        next_url=flask.request.form.get('next'))


@views.route('/login-callback')