
Merge pull request #16523 from netchampfaris/fix-blog-comments

fix: strip html from blog comments to prevent spam
version-14
Faris Ansari před 3 roky
committed by GitHub
rodič
revize
ff8231da9c
V databázi nebyl nalezen žádný známý klíč pro tento podpis ID GPG klíče: 4AEE18F83AFDEB23
2 změnil soubory, kde provedl 38 přidání a 6 odebrání
  1. +10
    -6
      frappe/templates/includes/comments/comment.html
  2. +28
    -0
      frappe/website/doctype/blog_post/test_blog_post.py

+ 10
- 6
frappe/templates/includes/comments/comment.html

@@ -1,14 +1,18 @@
{% from "frappe/templates/includes/avatar_macro.html" import avatar %}

<div class="comment-row media my-5">
<div class="my-5 comment-row media">
<div class="comment-avatar">
{{ avatar(user_id=(comment.comment_email or comment.sender), size='avatar-medium') }}
{{ avatar(user_id=(frappe.utils.strip_html(comment.comment_email or comment.sender)), size='avatar-medium') }}
</div>
<div class="comment-content">
<div class="head mb-2">
<span class="title font-weight-bold mr-2">{{ comment.sender_full_name or comment.comment_by }}</span>
<span class="time small text-muted">{{ frappe.utils.pretty_date(comment.creation) }}</span>
<div class="mb-2 head">
<span class="mr-2 title font-weight-bold">
{{ frappe.utils.strip_html(comment.sender_full_name or comment.comment_by) | e }}
</span>
<span class="time small text-muted">
{{ frappe.utils.pretty_date(comment.creation) }}
</span>
</div>
<div class="content">{{ comment.content | markdown }}</div>
<div class="content">{{ frappe.utils.strip_html(comment.content) | markdown }}</div>
</div>
</div>
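Review bot: `frappe.utils.strip_html(comment.content) | markdown` on the new content line strips tags but then renders the remainder as Markdown, so a link written in Markdown syntax (`[text](url)`, or a bare URL if the renderer autolinks) still ends up as an `<a>` in the page; the accompanying test only exercises raw `<a>` tags, which is why it passes. If the aim is to keep untrusted links out of blog comments, the Markdown step also needs to neutralise links (render with links disabled, or emit them with `rel="nofollow ugc"`), not only strip tags beforehand. The name span is escaped with `| e`, but `strip_html(comment.comment_email or comment.sender)` is handed to `avatar()` without it — whether the macro escapes its argument is outside this hunk. The hunk covers new lines 1–18, so whether the template ends here cannot be told from the page.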

+ 28
- 0
frappe/website/doctype/blog_post/test_blog_post.py

@@ -117,6 +117,34 @@ class TestBlogPost(unittest.TestCase):

frappe.flags.force_website_cache = True

def test_spam_comments(self):
# Make a temporary Blog Post (and a Blog Category)
blog = make_test_blog('Test Spam Comment')

# Create a spam comment
frappe.get_doc(
doctype="Comment",
comment_type="Comment",
reference_doctype="Blog Post",
reference_name=blog.name,
comment_email="<a href=\"https://example.com/spam/\">spam</a>",
comment_by="<a href=\"https://example.com/spam/\">spam</a>",
published=1,
content="More spam content. <a href=\"https://example.com/spam/\">spam</a> with link.",
).insert()

# Visit the blog post page
set_request(path=blog.route)
blog_page_response = get_response()
blog_page_html = frappe.safe_decode(blog_page_response.get_data())

self.assertNotIn('<a href="https://example.com/spam/">spam</a>', blog_page_html)
self.assertIn("More spam content. spam with link.", blog_page_html)

# Cleanup
frappe.delete_doc("Blog Post", blog.name)
frappe.delete_doc("Blog Category", blog.blog_category)

def scrub(text):
return WebsiteGenerator.scrub(None, text)
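Review bot: The cleanup at the end of `test_spam_comments` only runs when both assertions pass, so a failing run leaves the `Test Spam Comment` Blog Post, its Blog Category and the spam Comment in the test database for later tests; register the cleanup right after `make_test_blog` instead: `self.addCleanup(frappe.delete_doc, "Blog Category", blog.blog_category)` followed by `self.addCleanup(frappe.delete_doc, "Blog Post", blog.name)` (cleanups run in reverse order, so the post goes first). The inserted Comment is never deleted explicitly; whether deleting the Blog Post cascades to its comments is not visible here. The negative assertion only checks that the exact `<a href="https://example.com/spam/">spam</a>` string is absent, so `self.assertNotIn("https://example.com/spam/", blog_page_html)` would be a stronger guard against the URL surviving in another form (autolinked text, an attribute). The enclosing `TestBlogPost` class starts outside the hunk.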


