# HG changeset patch
# User Brian Neal
# Date 1443748728 18000
# Node ID d260aef91ad7562e42cd85e9bd301181d66cadc6
# Parent 6f55c086db1eb17597b5759ace2bd1f3d245597c
Prevent post preview from allowing mixed content. Apply image_check() to post previews and display an error message instead of the preview if it fails.
diff -r 6f55c086db1e -r d260aef91ad7 comments/views.py
--- a/comments/views.py Thu Oct 01 19:44:45 2015 -0500
+++ b/comments/views.py Thu Oct 01 20:18:48 2015 -0500
@@ -14,6 +14,7 @@
 from django.views.decorators.http import require_POST
 from core.functions import email_admins
+from core.html import image_check, ImageCheckError
 from core.markup import site_markup
 from comments.forms import CommentForm
 from comments.models import Comment
@@ -22,6 +23,16 @@
 import antispam.utils
+PREVIEW_UNAVAILABLE = """
+

Error: {}

+

Sorry, preview is unavailable.

+

There is an image in your post which failed our image check. We can only
+accept images from a small number of sources for security reasons. You may use
+the forms below this box to safely hot-link to images hosted elsewhere on the
+Internet or upload from your computer or device.

+""" + + @login_required @require_POST def post_comment(request): @@ -133,7 +144,13 @@ if data is None: return HttpResponseBadRequest('No data') + html = site_markup(data) + try: + image_check(html) + except ImageCheckError as ex: + html = PREVIEW_UNAVAILABLE.format(ex) + return render_to_response('comments/markdown_preview.html', { - 'data': site_markup(data), + 'data': html, }, context_instance = RequestContext(request))