changeset 1011:164a39d985ef

Perform SSL image_check on profile text fields.
author Brian Neal <bgneal@gmail.com>
date Fri, 27 Nov 2015 15:45:05 -0600 (2015-11-27)
parents 9afe0610aae5
children fc528d4509b0
files bio/forms.py bio/tests/test_forms.py
diffstat 2 files changed, 44 insertions(+), 2 deletions(-) [+]
--- a/bio/forms.py	Fri Nov 27 15:44:06 2015 -0600
+++ b/bio/forms.py	Fri Nov 27 15:45:05 2015 -0600
@@ -14,8 +14,11 @@
 import pytz
 
 from bio.models import UserProfile
+from core.html import image_check
+from core.html import ImageCheckError
+from core.images.utils import parse_image, downscale_image_square
+from core.markup import site_markup
 from core.widgets import AutoCompleteUserInput
-from core.images.utils import parse_image, downscale_image_square
 
 
 class EditUserForm(forms.ModelForm):
@@ -59,7 +62,7 @@
 
     def clean_time_zone(self):
         """Ensure the timezone is valid and will work with pytz.
-        
+
         A blank (empty) value is allowed.
         """
 
@@ -72,6 +75,22 @@
 
         return tz
 
+    def _image_check(self, field_name):
+        text = self.cleaned_data[field_name]
+        if text:
+            html = site_markup(text)
+            try:
+                image_check(html)
+            except ImageCheckError as ex:
+                raise forms.ValidationError(str(ex))
+        return text
+
+    def clean_profile_text(self):
+        return self._image_check('profile_text')
+
+    def clean_signature(self):
+        return self._image_check('signature')
+
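Review bot: `_image_check` carries no docstring, and the rule it enforces is visible only from the commit title — the code shows just that `site_markup(text)` output is handed to `image_check` and that any `ImageCheckError` becomes a `ValidationError`. Suggest documenting it on the helper, e.g. `"""Validate the rendered markup of *field_name* with image_check (presumably rejecting non-HTTPS image sources) and return the original text unchanged."""`, so the next maintainer knows the check runs on rendered HTML, not on the raw text. Because the error is built with `str(ex)`, whatever `ImageCheckError` puts in its message (plausibly the offending URL) reaches the form error output; that is safe only if the template autoescapes it, which is Django's default but worth stating in the docstring. Note also that this is a submit-time check on whatever `site_markup` produces today — text stored before this change, or rendered by a different code path, is not covered, so the render side should not assume the field content is image-clean.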
 
 class UploadAvatarForm(forms.Form):
     """Form used to change a user's avatar"""
--- a/bio/tests/test_forms.py	Fri Nov 27 15:44:06 2015 -0600
+++ b/bio/tests/test_forms.py	Fri Nov 27 15:45:05 2015 -0600
@@ -26,3 +26,26 @@
         form = EditUserProfileForm({})
         self.assertTrue(form.is_valid())
 
+    def test_profile_text_good(self):
+        post_data = {'profile_text': "This is my profile, no images."}
+        form = EditUserProfileForm(post_data)
+        self.assertTrue(form.is_valid())
+
+    def test_profile_text_bad_image(self):
+        post_data = {
+            'profile_text': "I'm cool. ![image](http://example.com/test.jpg)",
+        }
+        form = EditUserProfileForm(post_data)
+        self.assertFalse(form.is_valid())
+
+    def test_signature_good(self):
+        post_data = {'signature': "This is my signature, no images."}
+        form = EditUserProfileForm(post_data)
+        self.assertTrue(form.is_valid())
+
+    def test_signature_bad_image(self):
+        post_data = {
+            'signature': "I'm cool. ![image](http://example.com/test.jpg)",
+        }
+        form = EditUserProfileForm(post_data)
+        self.assertFalse(form.is_valid())
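Review bot: The new tests only prove that an `http://` image is rejected and that text without images is accepted; they would pass equally if `image_check` rejected every image, so they do not pin the intended "SSL" rule. Add a positive case per field with an `https://` image that must validate (assuming that is what `image_check` allows — confirm against `core.html`), and if `image_check` fetches the URL rather than inspecting it syntactically, that case will need the network call stubbed out. The four methods also differ only in the field name; a small helper taking the field name would keep the positive and negative cases in sync for both fields.
```python
    def test_profile_text_https_image(self):
        post_data = {
            'profile_text': "I'm cool. ![image](https://example.com/test.jpg)",
        }
        form = EditUserProfileForm(post_data)
        self.assertTrue(form.is_valid())
```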