Sanitize html (e.g. removing script tags)

Author: de-code

data_hub_api/docmaps/v2/provider.py

@@ -5,6 +5,7 @@
 from time import monotonic
 from typing import Iterable, Optional, Sequence, cast
 
+import nh3
 import objsize
 from data_hub_api.docmaps.v2.codecs.docmaps import get_docmap_item_for_query_result_item
 from data_hub_api.docmaps.v2.api_input_typing import ApiInput
@@ -26,7 +27,9 @@
 def get_html_formatted_evaluation_content(
     evaluation_content: str
 ) -> str:
-    return markdown(evaluation_content)
+    html = markdown(evaluation_content)
+    sanitized_html = nh3.clean(html, link_rel=None)
+    return sanitized_html
 
 
 class DocmapsProvider:

requirements.txt

@@ -3,6 +3,7 @@ objsize==0.8.0
 uvicorn[standard]==0.39.0
 google-cloud-bigquery==3.40.1
 Markdown==3.9
+nh3==0.3.3
 pandas==2.3.3
 numpy==2.0.2
 types-python-dateutil

tests/unit_tests/docmaps/v2/provider_test.py

@@ -52,6 +52,11 @@ def test_should_convert_markdown_link_to_html_link(self):
             '[link text](https://www.example.com)'
         ) == '<p><a href="https://www.example.com">link text</a></p>'
 
+    def test_should_remove_script_tags_from_markdown(self):
+        assert get_html_formatted_evaluation_content(
+            'cleaned <script>var bad = true;</script> html'
+        ) == '<p>cleaned  html</p>'
+
 
 class TestDocmapsProvider:
     def test_should_create_index_with_non_empty_docmaps(