Be less restrictive on authorized html tags

Allow users to add ids to tags
Allow users to use iframes
Trinity Pointard 2018-09-19 10:48:39 +02:00
parent 2bc6052a35
commit fab6360100
1 changed files with 30 additions and 5 deletions


@ -1,14 +1,39 @@
use ammonia::clean; use ammonia::{Builder, UrlRelative};
use serde::{self, Serialize, Deserialize, use serde::{self, Serialize, Deserialize,
Serializer, Deserializer, de::Visitor}; Serializer, Deserializer, de::Visitor};
use std::{fmt::{self, Display}, use std::{fmt::{self, Display},
borrow::Borrow, io::Write, borrow::{Borrow, Cow}, io::Write,
ops::Deref}; iter, ops::Deref};
use diesel::{self, deserialize::Queryable, use diesel::{self, deserialize::Queryable,
types::ToSql, types::ToSql,
sql_types::Text, sql_types::Text,
serialize::{self, Output}}; serialize::{self, Output}};
lazy_static! {
static ref CLEAN: Builder<'static> = {
let mut b = Builder::new();
b.add_generic_attributes(iter::once("id"))
.add_tags(iter::once("iframe"))
.id_prefix(Some("postcontent-"))
.url_relative(UrlRelative::Custom(Box::new(url_add_prefix)))
.add_tag_attributes("iframe",
["width", "height", "src", "frameborder"]
.iter()
.map(|&v| v));
b
};
}
fn url_add_prefix(url: &str) -> Option<Cow<str>> {
if url.starts_with('#') && ! url.starts_with("#postcontent-") {//if start with an #
let mut new_url = "#postcontent-".to_owned();//change to valid id
new_url.push_str(&url[1..]);
Some(Cow::Owned(new_url))
} else {
Some(Cow::Borrowed(url))
}
}
#[derive(Debug, Clone, AsExpression, FromSqlRow, Default)] #[derive(Debug, Clone, AsExpression, FromSqlRow, Default)]
#[sql_type = "Text"] #[sql_type = "Text"]
pub struct SafeString{ pub struct SafeString{
@ -18,11 +43,11 @@ pub struct SafeString{
impl SafeString{ impl SafeString{
pub fn new(value: &str) -> Self { pub fn new(value: &str) -> Self {
SafeString{ SafeString{
value: clean(&value), value: CLEAN.clean(&value).to_string(),
} }
} }
pub fn set(&mut self, value: &str) { pub fn set(&mut self, value: &str) {
self.value = clean(value); self.value = CLEAN.clean(value).to_string();
} }
pub fn get(&self) -> &String { pub fn get(&self) -> &String {
&self.value &self.value
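Review bot: The `iframe` allowlist in the new `CLEAN` builder accepts `src` with no constraint on the target host and sets no `sandbox` attribute, so any post author can embed an arbitrary external page in the post as rendered for every reader. That exposes readers to framed look-alike forms and third-party tracking, and the framed document runs unsandboxed. I would restrict `src` to an allowlist of embed hosts (ammonia's `attribute_filter` if the pinned release has it, otherwise a check before `CLEAN.clean`) and force a fixed sandbox value such as `.set_tag_attribute_value("iframe", "sandbox", "allow-scripts")`, again assuming the pinned ammonia version provides that method. A `frame-src` Content-Security-Policy on the pages that render `SafeString` would cover the case where the sanitizer configuration is loosened later.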