Update.

2025-06-06 03:22:39 +02:00 · 2025-06-06 03:22:39 +02:00 · 1c71c0016b
commit 1c71c0016b
parent 1a034041ab
2 changed files with 4 additions and 1 deletions
--- a/src/snek/service/channel_message.py
+++ b/src/snek/service/channel_message.py
@ -67,6 +67,7 @@ class ChannelMessageService(BaseService):
        )
        template = self.app.jinja2_env.get_template("message.html")
        model["html"] = template.render(**context)
+        model["html"] = whitelist_attributes(model["html"])
        return await super().save(model)

    async def offset(self, channel_uid, page=0, timestamp=None, page_size=30):
--- a/src/snek/system/template.py
+++ b/src/snek/system/template.py
@ -130,7 +130,9 @@ def whitelist_attributes(html):
    soup = BeautifulSoup(html, 'html.parser')

    for tag in soup.find_all():
-        if isinstance(tag, Tag):
+        if hasattr(tag, 'attrs'):
+            if tag.name == 'script':
+                tag.replace_with('')
            attrs = dict(tag.attrs)
            for attr in list(attrs):
                # Check if attribute is in the safe list or is a data-* attribute