
Update bleach clean function (#3503)

* Update bleach clean function

- Invalid tags are stripped out
- & > < characters are accepted

* Throw an error if any field contains HTML tags

* Update unit tests
This commit is contained in:
Oliver
2022-08-15 22:27:25 +10:00
committed by GitHub
parent 956701a584
commit b0e91e7068
2 changed files with 82 additions and 27 deletions


@ -227,31 +227,40 @@ class PartCategoryAPITest(InvenTreeAPITestCase):
url = reverse('api-part-category-detail', kwargs={'pk': 1})
self.patch(
url,
{
'description': '<img src=# onerror=alert("pwned")>',
},
expected_code=200
)
# Invalid values containing tags
invalid_values = [
'<img src="test"/>',
'<a href="#">Link</a>',
"<a href='#'>Link</a>",
'<b>',
]
cat = PartCategory.objects.get(pk=1)
for v in invalid_values:
response = self.patch(
url,
{
'description': v
},
expected_code=400
)
# Image tags have been stripped
self.assertEqual(cat.description, '&lt;img src=# onerror=alert("pwned")&gt;')
# Raw characters should be allowed
allowed = [
'<< hello',
'Alpha & Omega',
'A > B > C',
]
self.patch(
url,
{
'description': '<a href="www.google.com">LINK</a><script>alert("h4x0r")</script>',
},
expected_code=200,
)
for val in allowed:
response = self.patch(
url,
{
'description': val,
},
expected_code=200,
)
# Tags must have been bleached out
cat.refresh_from_db()
self.assertEqual(cat.description, '<a href="www.google.com">LINK</a>&lt;script&gt;alert("h4x0r")&lt;/script&gt;')
self.assertEqual(response.data['description'], val)
class PartOptionsAPITest(InvenTreeAPITestCase):
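Review bot: The loop over `invalid_values` checks only the 400 status and never looks at the `response` it assigns, so a rejection for an unrelated reason (another validator on the field, for instance) would pass the test as if the HTML-tag check had fired; assert on the error body too, e.g. `self.assertIn('description', response.data)`, and confirm after the loop with `cat.refresh_from_db()` that the description was not overwritten by any of the rejected values. In the same spirit, the `allowed` loop compares only the echoed `response.data['description']` with `val`; a `cat.refresh_from_db()` followed by `self.assertEqual(cat.description, val)` would pin down what is actually persisted for `&`, `<` and `>` (raw or entity-encoded), which the response echo alone does not establish. The enclosing test method starts before this hunk, and the serializer change the test exercises is in the other changed file, not visible here.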