diff --git a/froide_govplan/forms.py b/froide_govplan/forms.py
index d2aa6b1..2ff02c8 100644
--- a/froide_govplan/forms.py
+++ b/froide_govplan/forms.py
@@ -1,42 +1,32 @@
 import copy
+import nh3
 from django import forms
 from django.conf import settings
 from django.contrib.auth import get_user_model
 from django.utils import timezone
 from django.utils.safestring import mark_safe
 from django.utils.translation import gettext_lazy as _
-
-import bleach
-from bleach.linkifier import Linker
-from tinymce.widgets import TinyMCE
-
 from froide.helper.widgets import BootstrapSelect
+from tinymce.widgets import TinyMCE
 from .models import GovernmentPlan, GovernmentPlanUpdate, PlanRating, PlanStatus
-BLEACH_OPTIONS = {
-    "tags": [
-        "a",
-        "strong",
-        "b",
-        "i",
-        "em",
-        "ul",
-        "ol",
-        "li",
-        "p",
-        "h3",
-        "h4",
-        "h5",
-        "blockquote",
-    ]
-}
-
-def set_link_attrs(attrs, new=False):
-    attrs[(None, "rel")] = "noopener"
-    return attrs
+ALLOWED_TAGS = [
+    "a",
+    "strong",
+    "b",
+    "i",
+    "em",
+    "ul",
+    "ol",
+    "li",
+    "p",
+    "h3",
+    "h4",
+    "h5",
+    "blockquote",
+]
 class BleachField(forms.CharField):
@@ -49,9 +39,8 @@ class BleachField(forms.CharField):
         """
         if value in self.empty_values:
             return self.empty_value
-        cleaned = bleach.clean(value, **BLEACH_OPTIONS)
-        linker = Linker(callbacks=[set_link_attrs])
-        return mark_safe(linker.linkify(cleaned))
+        cleaned_html = nh3.clean(value, tags=ALLOWED_TAGS, link_rel="noopener")
+        return mark_safe(cleaned_html)
 
 
 class GovernmentPlanForm(forms.ModelForm):
diff --git a/pyproject.toml b/pyproject.toml
index 30b965f..6194ede 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -22,7 +22,7 @@ dependencies = [
     "django-filer",
     "psycopg[binary]",
     "django-admin-sortable2",
-    "bleach",
+    "nh3",
     "django-tinymce",
     "django-oauth-toolkit",
     "django-mfa3",
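Review bot: `nh3.clean` types `tags` as a set and, as far as I know, its binding rejects other sequences (a `TypeError` along the lines of "'list' object cannot be converted to 'PySet'"), so the new `cleaned_html = nh3.clean(value, tags=ALLOWED_TAGS, link_rel="noopener")` would raise on every non-empty submission unless the pinned nh3 build accepts lists — define the allowlist as a set in the first hunk (`ALLOWED_TAGS = {"a", "strong", ...}`) or pass `tags=set(ALLOWED_TAGS)`, and cover it with a test that cleans a non-empty string. The bleach `Linker` is gone as well, so bare URLs in submitted text are no longer turned into anchors; if that is intended, say so in the method's docstring, which starts outside this hunk. The attribute policy now comes from nh3's defaults instead of bleach's, so pinning it explicitly, e.g. `attributes={"a": {"href", "title"}}` (constructed example), keeps the sanitizer's allowlist from drifting across library upgrades. `link_rel="noopener"` also replaces the `noopener noreferrer` nh3 applies by default; if dropping `noreferrer` is deliberate, a one-line comment on that call would save the next reader the question.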