sanitized css files using bleach

This commit is contained in:
crunk 2022-03-19 19:48:56 +01:00
parent ce726fb6b3
commit d5369bc142
6 changed files with 21 additions and 6 deletions


@ -5,7 +5,6 @@ black==21.11b1
blinker==1.4
cffi==1.15.0
click==8.0.3
-e git+https://git.vvvvvvaria.org/crunk/distribusi-verse.git@1a50898d216ae95c3eb9c144bb7ec678e638daa6#egg=distribusi
dnspython==2.1.0
email-validator==1.1.3
Flask==2.0.2
@ -40,3 +39,4 @@ tomli==1.2.2
typing-extensions==4.0.1
Werkzeug==2.0.2
WTForms==3.0.0
-e git+https://git.vvvvvvaria.org/crunk/distribusi-verse.git@1a50898d216ae95c3eb9c144bb7ec678e638daa6#egg=distribusi
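Review bot: This commit adds `import bleach` to the editor module but no `bleach==<version>` pin appears in this file; the only change here is moving the editable `distribusi` line. Unless bleach is pulled in transitively by that editable package (not visible from this diff), a fresh install from requirements.txt will fail at import time. Add a pinned line such as `bleach==4.1.0` (whatever version was actually tested) alongside the other pins.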

setup.py Normal file

@ -0,0 +1,3 @@
from setuptools import setup, find_packages
setup(name='library', version='1.0', packages=find_packages())

src/.gitignore vendored Normal file

@ -0,0 +1,3 @@
*
*/
!.gitignore


@ -1,5 +1,7 @@
import os
from flask import render_template
import bleach
from werkzeug.utils import secure_filename
from sqlalchemy.exc import (
DataError,
DatabaseError,
@ -54,16 +56,22 @@ def SaveUploadCssFile(editorform, newcssfolder):
if not os.path.exists(newcssfolder):
os.mkdir(newcssfolder)
cssfile = editorform.cssfile.data
cssfile.save(os.path.join(newcssfolder, editorform.cssname.data))
cssfilename = f"{secure_filename(editorform.cssname.data)}.css"
cssfile.save(os.path.join(newcssfolder, cssfilename))
openfile = open(os.path.join(newcssfolder, cssfilename), 'r+')
cleancss = bleach.clean(openfile.read())
openfile.write(cleancss)
openfile.close
def WriteCssToFile(editorform, newcssfolder):
if not os.path.exists(newcssfolder):
os.mkdir(newcssfolder)
cssfilename = "{}.css".format(editorform.cssname.data)
cssfilename = f"{secure_filename(editorform.cssname.data)}.css"
cleancss = bleach.clean(editorform.css.data)
with open(os.path.join(newcssfolder, cssfilename), "w") as cssfile:
cssfile.write(editorform.css.data)
cssfile.write(cleancss)
cssfile.close
@ -72,7 +80,7 @@ def MakePublicTheme(editorform, current_distribusi):
distribusi = Distribusis.query.filter_by(
distribusiname=current_distribusi
).first()
distribusi.publictheme = editorform.cssname.data
distribusi.publictheme = secure_filename(editorform.cssname.data)
db.session.commit()
except InvalidRequestError:
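Review bot: In SaveUploadCssFile the saved file is opened with `'r+'`, read to the end, and the cleaned text is then written at the current position, so the sanitized CSS is appended after the raw upload instead of replacing it (a `seek(0)` and `truncate()` would be needed), and `openfile.close` without parentheses never closes the handle — the same no-op `cssfile.close` sits inside the `with` block of WriteCssToFile. The raw upload is also written to disk before any cleaning happens; sanitizing the uploaded stream in memory and writing once avoids both problems. Separately, `bleach.clean` is an HTML sanitizer, not a CSS one: it entity-escapes `<`, `>` and `&` (breaking selectors such as `a > b`) while leaving CSS-specific vectors like `url(javascript:...)`, `@import` or `expression()` untouched, so both functions should either run the text through a real CSS allow-list or rely on serving the file as `text/css` under a restrictive CSP — the comment `# bleach.clean only escapes HTML; it does not validate CSS` would at least record the limitation. The decoding below assumes a UTF-8 upload, which the hunk does not establish; MakePublicTheme begins and ends outside the hunk.
```python
def SaveUploadCssFile(editorform, newcssfolder):
    # … unchanged: folder creation …
    cssfilename = f"{secure_filename(editorform.cssname.data)}.css"
    csspath = os.path.join(newcssfolder, cssfilename)
    # Clean in memory so the raw upload never reaches disk; the file is
    # written exactly once, replacing any previous theme of the same name.
    rawcss = editorform.cssfile.data.read().decode("utf-8", errors="replace")
    cleancss = bleach.clean(rawcss)
    with open(csspath, "w") as cssfile:
        cssfile.write(cleancss)
```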


@ -25,7 +25,7 @@ class EditorForm(FlaskForm):
FileAllowed(["css"], "css files only!"),
FileSize(
max_size=10485760,
message="Zipfile size must be smaller than 100MB",
message="css file size must be smaller than 10MB",
),
],
)


@ -73,6 +73,7 @@ def UploadUpdatedFiles(uploadfolder):
distribusi.course = uploadform.course.data
distribusi.year = uploadform.academicyear.data
distribusi.tags = uploadform.tags.data
distribusi.visible = False
db.session.commit()
except (InvalidRequestError, DataError, InterfaceError, DatabaseError):
db.session.rollback()
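Review bot: The new `distribusi.visible = False` silently unpublishes an existing distribusi on every re-upload, and nothing in the hunk records why, so the next maintainer is likely to treat it as a bug. If hiding until re-approval is the intent (the hunk does not show it), a one-line comment such as `# a re-upload hides the distribusi again until it is explicitly re-published` next to the assignment would make that explicit. UploadUpdatedFiles starts before the hunk.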