mirror of https://github.com/wagtail/wagtail.git synced 2024-12-01 11:41:20 +01:00

Merge branch 'kaedroho-html-comments-in-rich-text'

Matt Westcott 2015-10-14 17:07:44 +01:00
commit e45b73fd0b
4 changed files with 14 additions and 2 deletions


@ -22,6 +22,7 @@ Changelog
* StreamField blocks are now added automatically, without showing the block types menu, if only one block type exists (Alex Gleason)
* Wagtail admin now standardises on a single thumbnail image size, to reduce the overhead of creating multiple renditions
* The `first_published_at` and `latest_revision_created_at` fields on page models are now available as filter fields on search queries
* Rich text fields now strip out HTML comments
* Fix: Deleting a page permission from the groups admin UI does not immediately submit the form
* Fix: Wagtail userbar is shown on pages that do not pass a `page` variable to the template (e.g. because they override the `serve` method)
* Fix: request.site now set correctly on page preview when the page is not in the default site


@ -54,6 +54,7 @@ Minor features
* StreamField blocks are now added automatically, without showing the block types menu, if only one block type exists (Alex Gleason)
* The ``first_published_at`` and ``latest_revision_created_at`` fields on page models are now available as filter fields on search queries
* Wagtail admin now standardises on a single thumbnail image size, to reduce the overhead of creating multiple renditions
* Rich text fields now strip out HTML comments
Bug fixes
~~~~~~~~~


@ -143,3 +143,8 @@ class TestWhitelister(TestCase):
string = '<b foo="bar">snowman <barbecue>Yorkshire</barbecue></b>'
cleaned_string = Whitelister.clean(string)
self.assertEqual(cleaned_string, '<b>snowman Yorkshire</b>')
def test_clean_comments(self):
string = '<b>snowman Yorkshire<!--[if gte mso 10]>MS word junk<![endif]--></b>'
cleaned_string = Whitelister.clean(string)
self.assertEqual(cleaned_string, '<b>snowman Yorkshire</b>')
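Review bot: `test_clean_comments` covers only one placement, a comment that is a direct child of a whitelisted `<b>` element, so it does not show that comments are stripped when their parent is itself rewritten. The neighbouring test already shows `<barbecue>` being unwrapped, so a second case such as `string = '<b>snowman <barbecue><!-- x -->Yorkshire</barbecue></b>'`, asserting `'<b>snowman Yorkshire</b>'`, would pin the interaction between comment removal and tag unwrapping. Whether that passes depends on how the traversal handles a tree that changes during iteration, which is outside this hunk. A one-line docstring on the test saying that rich text often arrives with pasted word-processor conditional comments would also explain the sample input.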

View File

@ -3,7 +3,7 @@ A generic HTML whitelisting engine, designed to accommodate subclassing to overr
specific rules.
"""
import re
from bs4 import BeautifulSoup, NavigableString, Tag
from bs4 import BeautifulSoup, NavigableString, Tag, Comment
ALLOWED_URL_SCHEMES = ['http', 'https', 'ftp', 'mailto', 'tel']
@ -111,7 +111,12 @@ class Whitelister(object):
cls.clean_unknown_node(doc, node)
@classmethod
def clean_string_node(cls, doc, str):
def clean_string_node(cls, doc, node):
# Remove comments
if isinstance(node, Comment):
node.extract()
return
# by default, nothing needs to be done to whitelist string nodes
pass
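Review bot: The new `isinstance(node, Comment)` check in `clean_string_node` removes only comments. bs4's other non-text string types (`CData`, `ProcessingInstruction`, `Declaration`, `Doctype`) are also `NavigableString` subclasses and still fall through to the "nothing needs to be done" path. Whether any of them can reach this method depends on the parser in use and on the dispatch in `clean_node`, neither of which is visible in this hunk, so it is worth confirming rather than assuming. Since this class is the rich-text sanitiser, it is safer to keep only plain text: import those types alongside `Comment` and test `if isinstance(node, (Comment, CData, ProcessingInstruction, Declaration, Doctype)):`. The leading comment could then read `# Remove comments and other non-text string nodes; only plain text is kept`.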