remove <script> tags altogether before running bleach

woodwind/models.py

@@ -2,6 +2,7 @@ import bleach
 import json
 import binascii
 from .extensions import db
+import re
 
 
 bleach.ALLOWED_TAGS += ['a', 'img', 'p', 'br', 'marquee', 'blink',
@@ -122,7 +123,9 @@ class Entry(db.Model):
 
     def content_cleaned(self):
         if self.content:
-            return bleach.clean(self.content, strip=True)
+            text = self.content
+            text = re.sub('<script>.*?</script>', '', text, flags=re.DOTALL)
+            return bleach.clean(text, strip=True)
 
     def __repr__(self):
         return '<Entry:{},{}>'.format(self.title, (self.content or '')[:140])

woodwind/views.py

@@ -131,13 +131,11 @@ def logout():
     return flask.redirect(flask.url_for('.index'))
 
 
-@views.route('/login', methods=['GET', 'POST'])
+@views.route('/login', methods=['POST'])
 def login():
-    if flask.request.method == 'POST':
+    return micropub.authenticate(
-        return micropub.authenticate(
+        flask.request.form.get('me'),
-            flask.request.form.get('me'),
+        next_url=flask.request.form.get('next'))
-            next_url=flask.request.form.get('next'))
-    return flask.render_template('login.jinja2')
 
 
 @views.route('/login-callback')