[#8536] use h.clean_html and |safe_html

Allura/allura/config/app_cfg.py

@@ -143,6 +143,7 @@ def create(cls, config, app_globals):
         jinja2_env.filters['filter'] = lambda s, t=None: list(filter(t and jinja2_env.tests[t], s))
         jinja2_env.filters['nl2br'] = helpers.nl2br_jinja_filter
         jinja2_env.filters['subrender'] = helpers.subrender_jinja_filter
+        jinja2_env.filters['safe_html'] = helpers.clean_html
         jinja2_env.globals.update({
             'hasattr': hasattr,
             'h': helpers,

Allura/allura/ext/admin/templates/project_trove.html

@@ -27,7 +27,7 @@ <h3>{{base.fullname}}</h3>
   {% set help_text = config.get('trovecategories.admin.help.'+base.shortname, '') %}
   {% if help_text %}
     <div class="grid-19">
-      {{ help_text|safe }}
+      {{ help_text|safe_html }}
       <br><br>
     </div>
   {% endif %}

Allura/allura/lib/helpers.py

@@ -809,7 +809,7 @@ def subrender_jinja_filter(context, html_tmpl: str) -> Markup:
             log.exception(f'Could not replace {var} in jinja "subrender" for site notification')
             continue
         html_tmpl = html_tmpl.replace(var, val)
-    return Markup(html_tmpl)
+    return clean_html(html_tmpl)
 
 
 def nl2br_jinja_filter(value):
@@ -1378,3 +1378,10 @@ def pluralize_tool_name(tool_name: string, count: int):
 def parse_fediverse_address(username: str):
     pieces = username.split('@')
     return f'https://{pieces[-1]}/@{pieces[1]}'
+
+
+def clean_html(value: str) -> Markup:
+    from allura.lib.markdown_extensions import HTMLSanitizer
+    return Markup(
+        HTMLSanitizer().run(value)
+    )

Allura/allura/templates/jinja_master/master.html

@@ -56,11 +56,11 @@
 
     {% if c.project and c.project.neighborhood.css %}
         <style type="text/css">
-            {{c.project.neighborhood.get_custom_css()|safe}}
+            {{ c.project.neighborhood.get_custom_css()|safe_html }}
         </style>
     {% elif neighborhood|default and neighborhood.css %}
         <style type="text/css">
-            {{neighborhood.get_custom_css()}}
+            {{ neighborhood.get_custom_css()|safe_html }}
         </style>
     {% endif %}
     {% block extra_css %}{% endblock %}

Allura/allura/templates/neighborhood_project_list.html

@@ -45,7 +45,7 @@
       {{ text }}
     {% endif %}
     {% if neighborhood.homepage %}
-      {{neighborhood.homepage|safe}}
+      {{neighborhood.homepage|safe_html}}
     {% endif %}
     {% if neighborhood.allow_browse %}
       {% if not projects %}

Allura/allura/templates_responsive/jinja_master/master.html

@@ -58,11 +58,11 @@
 
     {% if c.project and c.project.neighborhood.css %}
         <style type="text/css">
-            {{c.project.neighborhood.get_custom_css()|safe}}
+            {{ c.project.neighborhood.get_custom_css()|safe_html }}
         </style>
     {% elif neighborhood|default and neighborhood.css %}
         <style type="text/css">
-            {{neighborhood.get_custom_css()}}
+            {{ neighborhood.get_custom_css()|safe_html }}
         </style>
     {% endif %}
     {% block extra_css %}{% endblock %}

Allura/allura/tests/test_helpers.py

@@ -707,3 +707,8 @@ def test_querystring():
             'https://mysite.com/p/test/foobar/p/test/foobar?page=2&limit=5&count=100')
     assert (h.querystring(req, dict(page=5, limit=2, count=None)) ==
             'https://mysite.com/p/test/foobar/p/test/foobar?page=5&limit=2')
+
+def test_clean_html():
+    assert h.clean_html('<script>alert(1)</script>') == '&lt;script&gt;alert(1)&lt;/script&gt;'
+    assert h.clean_html('<b style="color: red; right: 0">ok</b>') == '<b style="color: red;">ok</b>'
+    assert isinstance(h.clean_html('foo'), Markup)