Added: strip <a> tags in form input (#341)

signebedi · Sep 17, 2024 · a5d5e97 · a5d5e97
1 parent c4d9b2b
commit a5d5e97
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 2 deletions.
diff --git a/libreforms_fastapi/utils/docs.py b/libreforms_fastapi/utils/docs.py
@@ -25,7 +25,23 @@
 
 sanitizer = Sanitizer(sanitizer_config)
 
-low_trust_sanitizer = Sanitizer()
+
+strict_sanitizer_config = {
+    # 'tags': {'a', 'br', 'p', 'strong', 'em', 'ul', 'ol', 'li', 'b', 'i', 'u'},  # Basic formatting tags
+    'tags': {'br', 'p', 'strong', 'em', 'ul', 'ol', 'li', 'b', 'i', 'u'},  # No <a> allowed
+    # 'attributes': {
+    #     'a': ['href', 'title'],  # Allow only href and title for links, avoiding JavaScript URLs
+    # },
+    'attributes': {}, # No <a> allowed
+    'empty': {'br'},  # Only inherently empty tags
+    # 'separate': {'a', 'p', 'ul', 'ol', 'li', 'br'},  # Prevent nested misuse
+    'separate': {'p', 'ul', 'ol', 'li', 'br'},  # No <a> allowed
+    # 'protocols': {'a': ['http', 'https', 'mailto']},  # Allowed protocols to prevent JavaScript injections
+    'protocols': {},  # No <a> allowed
+    'unescape_special_chars': False  # Disable unescaping special chars to prevent XSS attacks
+}
+
+strict_trust_sanitizer = Sanitizer(strict_sanitizer_config)
 
 class UnsafeHtmlContentError(Exception):
     """Custom exception for unsafe HTML content."""

diff --git a/libreforms_fastapi/utils/document_database.py b/libreforms_fastapi/utils/document_database.py
@@ -24,7 +24,7 @@
 from libreforms_fastapi.utils.certificates import sign_record, verify_record_signature
 
 # This import is used to sanitize data
-from libreforms_fastapi.utils.docs import low_trust_sanitizer as sanitizer
+from libreforms_fastapi.utils.docs import strict_trust_sanitizer as sanitizer
 
 
 # Mapping of string operators to actual functions, used as query parameters