fix(schema): take the list of allowed tags and attrs from the app config

max-moser · max-moser · commit 9b9e0201d896 · 2026-01-12T16:13:05.000+01:00
* previously, the list of allowed HTML tags and attributes was taken
  from a hard-coded definition
diff --git a/invenio_rdm_records/resources/deserializers/rocrate/schema.py b/invenio_rdm_records/resources/deserializers/rocrate/schema.py
@@ -10,7 +10,9 @@
 
 from invenio_i18n import lazy_gettext as _
 from marshmallow import EXCLUDE, Schema, ValidationError, fields, pre_load, validate
-from marshmallow_utils.fields import SanitizedHTML, SanitizedUnicode
+from marshmallow_utils.fields import SanitizedUnicode
+
+from ....services.schemas.fields import SanitizedHTML
 
 
 def _list_value(lst):
diff --git a/invenio_rdm_records/resources/serializers/cff/schema.py b/invenio_rdm_records/resources/serializers/cff/schema.py
@@ -10,7 +10,9 @@
 from flask_resources.serializers import BaseSerializerSchema
 from invenio_i18n import lazy_gettext as _
 from marshmallow import ValidationError, fields, missing
-from marshmallow_utils.fields import SanitizedHTML, SanitizedUnicode
+from marshmallow_utils.fields import SanitizedUnicode
+
+from ....services.schemas.fields import SanitizedHTML
 
 
 def _serialize_person(person):
diff --git a/invenio_rdm_records/resources/serializers/schemaorg/schema.py b/invenio_rdm_records/resources/serializers/schemaorg/schema.py
@@ -20,9 +20,10 @@
 from idutils import to_url
 from invenio_i18n import lazy_gettext as _
 from marshmallow import Schema, ValidationError, fields, missing
-from marshmallow_utils.fields import SanitizedHTML, SanitizedUnicode
+from marshmallow_utils.fields import SanitizedUnicode
 from pydash import py_
 
+from ....services.schemas.fields import SanitizedHTML
 from ..schemas import CommonFieldsMixin
 from ..utils import convert_size, get_vocabulary_props
 
diff --git a/invenio_rdm_records/resources/serializers/ui/schema.py b/invenio_rdm_records/resources/serializers/ui/schema.py
@@ -33,8 +33,8 @@
 from marshmallow_utils.fields.babel import gettext_from_dict
 from pyparsing import ParseException
 
-from invenio_rdm_records.services.request_policies import RDMRecordDeletionPolicy
-
+from ....services.request_policies import RDMRecordDeletionPolicy
+from ....services.schemas.fields import SanitizedHTML
 from .fields import AccessStatusField
 
 
diff --git a/invenio_rdm_records/services/schemas/fields.py b/invenio_rdm_records/services/schemas/fields.py
@@ -0,0 +1,52 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (C) 2025 TU Wien.
+#
+# Invenio-RDM-Records is free software; you can redistribute it and/or modify
+# it under the terms of the MIT License; see LICENSE file for more details.
+
+"""Marshmallow field definitions."""
+
+
+from flask import current_app
+from marshmallow_utils.fields import SanitizedHTML as SanitizedHTMLBase
+
+
+class SanitizedHTML(SanitizedHTMLBase):
+    """String field that sanitizes HTML tags with the ``bleach`` library.
+
+    In contrast to the base class, this field takes the Flask application's
+    configuration into account.
+    """
+
+    @property
+    def tags(self):
+        """Get the list of allowed HTML tags.
+
+        If no application context is available, use the field's set value as fallback.
+        """
+        try:
+            return current_app.config["ALLOWED_HTML_TAGS"]
+        except RuntimeError:
+            return self._tags
+
+    @tags.setter
+    def tags(self, value):
+        """Set the field's fallback value for allowed HTML tags."""
+        self._tags = value
+
+    @property
+    def attrs(self):
+        """Get the dictionary for allowed attributes per HTML tag.
+
+        If no application context is available, use the field's set value as fallback.
+        """
+        try:
+            return current_app.config["ALLOWED_HTML_ATTRS"]
+        except RuntimeError:
+            return self._attrs
+
+    @attrs.setter
+    def attrs(self, value):
+        """Set the field's fallback value for allowed HTML attributes."""
+        self._attrs = value
diff --git a/invenio_rdm_records/services/schemas/metadata.py b/invenio_rdm_records/services/schemas/metadata.py
@@ -35,12 +35,13 @@
     EDTFDateTimeString,
     IdentifierSet,
     IdentifierValueSet,
-    SanitizedHTML,
     SanitizedUnicode,
 )
 from marshmallow_utils.schemas import GeometryObjectSchema, IdentifierSchema
 from werkzeug.local import LocalProxy
 
+from .fields import SanitizedHTML
+
 record_personorg_schemes = LocalProxy(
     lambda: current_app.config["RDM_RECORDS_PERSONORG_SCHEMES"]
 )
diff --git a/invenio_rdm_records/services/schemas/parent/access.py b/invenio_rdm_records/services/schemas/parent/access.py
@@ -17,12 +17,13 @@
 from marshmallow.validate import OneOf
 from marshmallow_utils.fields import (
     ISODateString,
-    SanitizedHTML,
     SanitizedUnicode,
     TZDateTime,
 )
 from marshmallow_utils.permissions import FieldPermissionsMixin
 
+from ..fields import SanitizedHTML
+
 
 class GrantSubject(Schema):
     """Schema for a grant subject."""
diff --git a/invenio_rdm_records/services/schemas/record.py b/invenio_rdm_records/services/schemas/record.py
@@ -21,13 +21,13 @@
 from marshmallow_utils.fields import (
     EDTFDateTimeString,
     NestedAttribute,
-    SanitizedHTML,
     SanitizedUnicode,
     TZDateTime,
 )
 from marshmallow_utils.permissions import FieldPermissionsMixin
 
 from .access import AccessSchema
+from .fields import SanitizedHTML
 from .files import FilesSchema
 from .metadata import MetadataSchema
 from .parent import RDMParentSchema

Original file line number	Diff line number	Diff line change
`@@ -35,12 +35,13 @@`
`35`	`35`	`EDTFDateTimeString,`
`36`	`36`	`IdentifierSet,`
`37`	`37`	`IdentifierValueSet,`
`38`		`- SanitizedHTML,`
`39`	`38`	`SanitizedUnicode,`
`40`	`39`	`)`
`41`	`40`	`from marshmallow_utils.schemas import GeometryObjectSchema, IdentifierSchema`
`42`	`41`	`from werkzeug.local import LocalProxy`
`43`	`42`
	`43`	`+from .fields import SanitizedHTML`
	`44`	`+`
`44`	`45`	`record_personorg_schemes = LocalProxy(`
`45`	`46`	`lambda: current_app.config["RDM_RECORDS_PERSONORG_SCHEMES"]`
`46`	`47`	`)`