Replace bleach with nh3

Author: claudep

CHANGES.md

@@ -3,6 +3,8 @@
  - Hotfix for wrong font urls
  - Bump Summernote to 0.8.13
  - Drop support for Python<3.8 and Django<3.2
+ - Replaced (deprecated) bleach sanitation usage with nh3. Note that the
+   styles content sanitation is no longer doable.
 
 0.8.19.0
 --------

README.md

@@ -119,7 +119,11 @@ Last, please don't forget to use `safe` templatetag while displaying in template
 
     {{ foobar|safe }}
 
-__Warning__: Please mind, that the widget does not provide any escaping. If you expose the widget to external users without taking care of this, it could potentially lead to an injection vulnerability. Therefore you can use the SummernoteTextFormField or SummernoteTextField, which escape all harmful tags through mozilla's package bleach:
+__Warning__: Please mind, that the widget does not provide any escaping. If
+you expose the widget to external users without taking care of this, it could
+potentially lead to an injection vulnerability. Therefore you can use the
+SummernoteTextFormField or SummernoteTextField, which escape all harmful tags
+through nh3 package:
 
 In `forms`,
 ```python

django_summernote/fields.py

@@ -1,8 +1,8 @@
 from django.db import models
 from django.forms import fields
 
-import bleach
-from django_summernote.settings import ALLOWED_TAGS, ATTRIBUTES, STYLES
+import nh3
+from django_summernote.settings import ALLOWED_TAGS, ATTRIBUTES
 from django_summernote.widgets import SummernoteWidget
 
 # code based on https://github.com/shaunsephton/django-ckeditor
@@ -15,8 +15,9 @@ def __init__(self, *args, **kwargs):
 
     def to_python(self, value):
         value = super().to_python(value)
-        return bleach.clean(
-            value, tags=ALLOWED_TAGS, attributes=ATTRIBUTES, styles=STYLES)
+        return nh3.clean(
+            value, tags=ALLOWED_TAGS, attributes=ATTRIBUTES
+        )
 
 
 class SummernoteTextField(models.TextField):
@@ -26,5 +27,6 @@ def formfield(self, **kwargs):
 
     def to_python(self, value):
         value = super().to_python(value)
-        return bleach.clean(
-            value, tags=ALLOWED_TAGS, attributes=ATTRIBUTES, styles=STYLES)
+        return nh3.clean(
+            value, tags=ALLOWED_TAGS, attributes=ATTRIBUTES
+        )

django_summernote/settings.py

@@ -1,15 +1,11 @@
-ALLOWED_TAGS = [
+ALLOWED_TAGS = {
     'a', 'div', 'p', 'span', 'img', 'em', 'i', 'li', 'ol', 'ul', 'strong', 'br',
     'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
     'table', 'tbody', 'thead', 'tr', 'td',
     'abbr', 'acronym', 'b', 'blockquote', 'code', 'strike', 'u', 'sup', 'sub',
-]
-
-STYLES = [
-    'background-color', 'font-size', 'line-height', 'color', 'font-family'
-]
+}
 
 ATTRIBUTES = {
-    '*': ['style', 'align', 'title', ],
-    'a': ['href', ],
+    '*': {'style', 'align', 'title'},
+    'a': {'href'},
 }

django_summernote/test_django_summernote.py

@@ -88,10 +88,10 @@ class SimpleForm(forms.Form):
         assert url in html
         assert 'id="id_foobar"' in html
 
-        illegal_tags = '<script></script>'
+        illegal_tags = '<unknown>dangerous</unknown>'
         form_field = SummernoteTextFormField()
         cleaned_text = form_field.clean(illegal_tags)
-        self.assertEqual(cleaned_text, '&lt;script&gt;&lt;/script&gt;')
+        self.assertEqual(cleaned_text, 'dangerous')
 
     def test_field(self):
         from django import forms
@@ -112,11 +112,11 @@ class Meta:
         assert url in html
         assert 'id="id_foobar"' in html
 
-        illegal_tags = '<script></script>'
+        illegal_tags = '<unknown>dangerous</unknown>'
         model_field = SummernoteTextField()
         model_instance = SimpleModel1()
         cleaned_text = model_field.clean(illegal_tags, model_instance)
-        self.assertEqual(cleaned_text, '&lt;script&gt;&lt;/script&gt;')
+        self.assertEqual(cleaned_text, 'dangerous')
 
     def test_empty(self):
         from django import forms

django_summernote/test_settings.py

@@ -18,6 +18,8 @@
 MEDIA_URL = '/media/'
 MEDIA_ROOT = 'test_media'
 
+USE_TZ = True
+
 SECRET_KEY = 'django_summernote'
 
 ROOT_URLCONF = 'django_summernote.urls'

requirements.txt

@@ -1,2 +1,2 @@
 django
-bleach
+nh3

setup.py

@@ -38,7 +38,7 @@
     description='Summernote plugin for Django',
     classifiers=CLASSIFIERS,
 
-    install_requires=['django', 'bleach'],
+    install_requires=['django', 'nh3'],
     extras_require={
         'dev': [
             'django-dummy-plug',