changeset 974:d260aef91ad7

Prevent post preview from allowing mixed content. Apply image_check() to post previews and display an error message instead of the preview if it fails.
author Brian Neal <bgneal@gmail.com>
date Thu, 01 Oct 2015 20:18:48 -0500 (2015-10-02)
parents 6f55c086db1e
children 8c3d52b7cbd1
files comments/views.py
diffstat 1 files changed, 18 insertions(+), 1 deletions(-) [+]
line wrap: on
line diff
--- a/comments/views.py	Thu Oct 01 19:44:45 2015 -0500
+++ b/comments/views.py	Thu Oct 01 20:18:48 2015 -0500
@@ -14,6 +14,7 @@
 from django.views.decorators.http import require_POST
 
 from core.functions import email_admins
+from core.html import image_check, ImageCheckError
 from core.markup import site_markup
 from comments.forms import CommentForm
 from comments.models import Comment
@@ -22,6 +23,16 @@
 import antispam.utils
 
 
+PREVIEW_UNAVAILABLE = """
+<p><strong>Error</strong>: {}</p>
+<p>Sorry, preview is unavailable.</p>
+<p>There is an image in your post which failed our image check. We can only
+accept images from a small number of sources for security reasons. You may use
+the forms below this box to safely hot-link to images hosted elsewhere on the
+Internet or upload from your computer or device.</p>
+"""
+
+
 @login_required
 @require_POST
 def post_comment(request):
@@ -133,7 +144,13 @@
     if data is None:
         return HttpResponseBadRequest('No data')
 
+    html = site_markup(data)
+    try:
+        image_check(html)
+    except ImageCheckError as ex:
+        html = PREVIEW_UNAVAILABLE.format(ex)
+
     return render_to_response('comments/markdown_preview.html', {
-        'data': site_markup(data),
+        'data': html,
         },
         context_instance = RequestContext(request))