c342c73a25
Phase 1 of milestone #64. The body is captured (Phase 0) but was shown as plain text. Now: - html_sanitize.py: widen the allowlist to a faithful-but-safe set — headings, inline images, lists, blockquote, hr, code/pre, figure, links (div/span stay stripped; their text is preserved). Benefits the existing ProvenancePanel too. - post_feed_service.get_post: add sanitized `description_html` to the DETAIL response (the feed list stays lightweight plain text by design). - PostCard.vue: render description_html via v-html once expanded (fetched with detail); collapsed + no-detail fallback stay plain text. Styled close to the source (headings, images max-width, accent links, lists, quotes, code). Tests: sanitizer (headings/img/lists survive, img javascript: src dropped); get_post returns sanitized description_html. Refs FC #830. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
53 lines
1.9 KiB
Python
53 lines
1.9 KiB
Python
"""Backend HTML sanitization for scraped Post.description.
|
|
|
|
Provenance descriptions come from gallery-dl (untrusted third-party HTML).
|
|
We render them via v-html in the UI sub-slice, so they MUST be sanitized
|
|
server-side to a tight allowlist. nh3 (Rust/ammonia bindings) is used;
|
|
bleach is deprecated upstream and intentionally not used.
|
|
"""
|
|
|
|
import nh3
|
|
|
|
# A faithful-but-safe set: enough to reproduce the SEMANTIC look of a scraped
|
|
# post body (headings, lists, quotes, code, inline images, links, line breaks +
|
|
# inline emphasis) without layout-injection wrappers. `div`/`span` are
|
|
# deliberately NOT allowed — their text is preserved by nh3 and they only carry
|
|
# source-site layout/styling we don't want to import (a test pins this).
|
|
ALLOWED_TAGS = {
|
|
"p", "a", "br", "em", "strong", "b", "i", "u", "s",
|
|
"ul", "ol", "li", "blockquote",
|
|
"h1", "h2", "h3", "h4", "h5", "h6", "hr",
|
|
"pre", "code", "img", "figure", "figcaption",
|
|
}
|
|
ALLOWED_ATTRIBUTES = {
|
|
"a": {"href", "title", "target"},
|
|
"img": {"src", "alt", "title", "width", "height"},
|
|
}
|
|
# http/https for hotlinked source images today; relative URLs (e.g. a local
|
|
# `/api/...` src once inline images are captured) pass through nh3 untouched.
|
|
ALLOWED_URL_SCHEMES = {"http", "https"}
|
|
|
|
|
|
def sanitize_post_html(raw: str | None) -> str | None:
|
|
"""Return sanitized HTML, or None for null/empty/whitespace input.
|
|
|
|
- keeps only ALLOWED_TAGS / ALLOWED_ATTRIBUTES
|
|
- only http/https hrefs survive (javascript: etc. dropped)
|
|
- <script> content removed entirely
|
|
- all <a> get rel="noopener noreferrer" (nh3 default link_rel)
|
|
- never raises
|
|
"""
|
|
if raw is None:
|
|
return None
|
|
stripped = raw.strip()
|
|
if not stripped:
|
|
return None
|
|
return nh3.clean(
|
|
stripped,
|
|
tags=ALLOWED_TAGS,
|
|
attributes=ALLOWED_ATTRIBUTES,
|
|
url_schemes=ALLOWED_URL_SCHEMES,
|
|
link_rel="noopener noreferrer",
|
|
clean_content_tags={"script", "style"},
|
|
)
|