comparison comments/views.py @ 974:d260aef91ad7
Prevent post preview from allowing mixed content.
Apply image_check() to post previews and display an error message instead of
the preview if it fails.
author | Brian Neal <bgneal@gmail.com> |
---|---|
date | Thu, 01 Oct 2015 20:18:48 -0500 |
parents | 4619290d171d |
children | a828e80223d2 |
973:6f55c086db1e | 974:d260aef91ad7 |
---|---|
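--- a/comments/views.py
+++ b/comments/views.py
@@ -12,16 +12,27 @@
 from django.template import RequestContext
 from django.utils.html import escape
 from django.views.decorators.http import require_POST
 
 from core.functions import email_admins
+from core.html import image_check, ImageCheckError
 from core.markup import site_markup
 from comments.forms import CommentForm
 from comments.models import Comment
 from comments.models import CommentFlag
 import antispam
 import antispam.utils
+
+
+PREVIEW_UNAVAILABLE = """
+<p><strong>Error</strong>: {}</p>
+<p>Sorry, preview is unavailable.</p>
+<p>There is an image in your post which failed our image check. We can only
+accept images from a small number of sources for security reasons. You may use
+the forms below this box to safely hot-link to images hosted elsewhere on the
+Internet or upload from your computer or device.</p>
+"""
 
 
 @login_required
 @require_POST
 def post_comment(request):
@@ -131,9 +142,15 @@
 
 data = request.POST.get('data', None)
 if data is None:
 return HttpResponseBadRequest('No data')
 
+html = site_markup(data)
+try:
+image_check(html)
+except ImageCheckError as ex:
+html = PREVIEW_UNAVAILABLE.format(ex)
+
 return render_to_response('comments/markdown_preview.html', {
-'data': site_markup(data),
+'data': html,
 },
 context_instance = RequestContext(request))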
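Review bot: `PREVIEW_UNAVAILABLE.format(ex)` on new line 151 interpolates the exception text straight into the HTML that becomes the preview, so if `ImageCheckError` carries any user-controlled fragment (for example the rejected image URL — `core.html` is not visible here, so this is inferred) it would reach the page unescaped, and the template presumably treats `data` as already-safe markup since it holds `site_markup()` output. The file already imports `escape` from `django.utils.html`, so the line should read `html = PREVIEW_UNAVAILABLE.format(escape(ex))`. The enclosing view function starts outside this hunk.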