Merge branch 'master' of https://github.com/OpenBazaar/OpenBazaar-Server

cpacia · cpacia · commit 8abe141132f9 · 2016-04-21T18:01:11.000-04:00
diff --git a/api/restapi.py b/api/restapi.py
@@ -28,6 +28,7 @@
 from market.btcprice import BtcPrice
 from net.upnp import PortMapper
 from api import ALLOWED_TAGS, ALLOWED_ATTRIBUTES, ALLOWED_STYLES
+from api.utils import sanitize_html
 
 DEFAULT_RECORDS_COUNT = 20
 DEFAULT_RECORDS_OFFSET = 0
@@ -494,7 +495,7 @@ def get_contract(self, request):
         def parse_contract(contract):
             if contract is not None:
                 request.setHeader('content-type', "application/json")
-                request.write(bleach.clean(json.dumps(contract, indent=4), tags=ALLOWED_TAGS).encode("utf-8"))
+                request.write(json.dumps(sanitize_html(contract), indent=4))
                 request.finish()
             else:
                 request.write(json.dumps({}))
diff --git a/api/utils.py b/api/utils.py
@@ -1,3 +1,7 @@
+import bleach
+
+from api import ALLOWED_TAGS, ALLOWED_ATTRIBUTES, ALLOWED_STYLES
+
 # pylint: disable=W1402
 def smart_unicode(s, encoding='utf8'):
     """ Convert str to unicode. If s is unicode, return itself.
@@ -33,3 +37,13 @@ def smart_str(s, encoding='utf8'):
     if isinstance(s, str):
         return s
     return s.encode(encoding)
+
+def sanitize_html(value):
+    """ Recursively sanitize all strings within a data structure. """
+    if isinstance(value, dict):
+        value = {k:sanitize_html(v) for k, v in value.iteritems()}
+    elif isinstance(value, list):
+        value = [sanitize_html(v) for v in value]
+    elif isinstance(value, basestring):
+        value = bleach.clean(value, tags=ALLOWED_TAGS, attributes=ALLOWED_ATTRIBUTES, styles=ALLOWED_STYLES)
+    return value
