Update.

Browse Source
This commit is contained in:
retoor 2025-06-06 03:22:39 +02:00
parent 1a034041ab
commit 1c71c0016b
2 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/snek/service/channel_message.py
View File

@ -67,6 +67,7 @@ class ChannelMessageService(BaseService):
) )
template = self.app.jinja2_env.get_template("message.html") template = self.app.jinja2_env.get_template("message.html")
model["html"] = template.render(**context) model["html"] = template.render(**context)
model["html"] = whitelist_attributes(model["html"])
return await super().save(model) return await super().save(model)
async def offset(self, channel_uid, page=0, timestamp=None, page_size=30): async def offset(self, channel_uid, page=0, timestamp=None, page_size=30):

4
src/snek/system/template.py
View File

@ -130,7 +130,9 @@ def whitelist_attributes(html):
soup = BeautifulSoup(html, 'html.parser') soup = BeautifulSoup(html, 'html.parser')
for tag in soup.find_all(): for tag in soup.find_all():
if isinstance(tag, Tag): if hasattr(tag, 'attrs'):
if tag.name == 'script':
tag.replace_with('')
attrs = dict(tag.attrs) attrs = dict(tag.attrs)
for attr in list(attrs): for attr in list(attrs):
# Check if attribute is in the safe list or is a data-* attribute # Check if attribute is in the safe list or is a data-* attribute