Add a note on security

parisk · parisk · commit 3e7e1f03061d · 2022-04-12T17:52:43.000+03:00
diff --git a/README.md b/README.md
@@ -54,6 +54,12 @@ class Article(models.Model):
     excerpt = RichTextField()
 ```
 
+Then you can display the article excerpt in your HTML templates by marking it as [`safe`](https://docs.djangoproject.com/en/4.0/ref/templates/builtins/#safe)
+
+```django
+<div class="article-excerpt">{{ article.excerpt | safe}}</div>
+```
+
 ### Large rich-text information
 
 In case you want to store large rich-text information, like the content of an article, which can span to quite a few thousand characters, we suggest you use the `AbstractDocument` model. This will save large rich-text information in a separate database table, which is better for performance. Example:
@@ -71,6 +77,12 @@ class Article(models.Model):
     body = models.OneToOneField(ArticleContent, on_delete=models.CASCADE)
 ```
 
+Similarly here you can display the article's body by marking it as `safe`
+
+```django
+<div class="article-body">{{ article.body.content | safe}}</div>
+```
+
 ### Attachments
 
 Django Prose can also handle uploading attachments with drag and drop. To set this up, first you need to:
@@ -79,6 +91,15 @@ Django Prose can also handle uploading attachments with drag and drop. To set th
 - [x] Include the Django Prose URLs (example in [`prose_example/prose_example/urls.py`](https://github.com/withlogicco/django-prose/blob/9073d713f8d3febe5c50705976dbb31063270886/prose_example/prose_example/urls.py#L9-L10))
 - [x] (Optional) Set up a different Django storage to store your files (e.g. S3)
 
+## 🔒 A note on security
+
+As you can see in the examples above, what Django Prose does is provide you with a user friendly editor ([Trix](https://trix-editor.org/)) for your rich text content and then store it as HTML in your database. Since you will mark this HTML as safe in order to use it in your templates, it needs to be **sanitised**, before it gets stored in the database.
+
+For this reason Django Prose is using [Bleach](https://bleach.readthedocs.io/en/latest/) to only allow the following tags and attributes:
+
+- **Allowed tags**: `p`, `ul`, `ol`, `li`, `strong`, `em`, `div`, `span`, `a`, `blockquote`, `pre`, `figure`, `figcaption`, `br`, `code`, `h1`, `h2`, `h3`, `h4`, `h5`, `h6`, `picture`, `source`, `img`
+- **Allowed attributes**: `alt`, `class`, `id`, `src`, `srcset`, `href`, `media`
+
 ## Screenshots
 
 ### Django Prose Documents in Django Admin
diff --git a/prose/fields.py b/prose/fields.py
@@ -9,7 +9,7 @@
     "p", "ul", "ol", "li", "strong", "em", "div", "span", "a",
     "blockquote", "pre", "figure", "figcaption", "br", "code",
     "h1", "h2", "h3", "h4", "h5", "h6",
-    "picture", "source", "img,"
+    "picture", "source", "img",
 ]
 ALLOWED_ATTRIBUTES = [
     "alt", "class", "id", "src", "srcset", "href", "media",

Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@`
`9`	`9`	`"p", "ul", "ol", "li", "strong", "em", "div", "span", "a",`
`10`	`10`	`"blockquote", "pre", "figure", "figcaption", "br", "code",`
`11`	`11`	`"h1", "h2", "h3", "h4", "h5", "h6",`
`12`		`- "picture", "source", "img,"`
	`12`	`+ "picture", "source", "img",`
`13`	`13`	`]`
`14`	`14`	`ALLOWED_ATTRIBUTES = [`
`15`	`15`	`"alt", "class", "id", "src", "srcset", "href", "media",`