Use belach or nh3 for cleaning html (fix for #2874)

janeczku · Nov 9, 2023 · f78e0ff · f78e0ff
1 parent bd71391
commit f78e0ff
Showing 1 changed file with 15 additions and 3 deletions.
diff --git a/cps/editbooks.py b/cps/editbooks.py
@@ -29,9 +29,18 @@
 from functools import wraps
 
 try:
-    from lxml.html.clean import clean_html, Cleaner
+    from bleach import clean_text as clean_html
+    BLEACH = True
 except ImportError:
-    clean_html = None
+    try:
+        from nh3 import clean as clean_html
+        BLEACH = False
+    except ImportError:
+        try:
+            from lxml.html.clean import clean_html
+            BLEACH = False
+        except ImportError:
+            clean_html = None
 
 from flask import Blueprint, request, flash, redirect, url_for, abort, Response
 from flask_babel import gettext as _
@@ -992,7 +1001,10 @@ def edit_book_series_index(series_index, book):
 def edit_book_comments(comments, book):
     modify_date = False
     if comments:
-        comments = clean_html(comments)
+        if BLEACH:
+            comments = clean_html(comments, tags=None, attributes=None)
+        else:
+            comments = clean_html(comments)
     if len(book.comments):
         if book.comments[0].text != comments:
             book.comments[0].text = comments