from django.db.models.signals import post_save, post_delete
from django.dispatch import receiver
from django.utils.encoding import smart_str, force_unicode
from django.utils.importlib import import_module
from django.utils.timezone import now
from django.utils.translation import ugettext_lazy as _
from model_utils import Choices
from model_utils.fields import AutoCreatedField, AutoLastModifiedField
from model_utils.models import TimeStampedModel
from crate.web.packages.evaluators import ReleaseEvaluator
from crate.web.packages.utils import verlib
from crate.web.packages.utils.datatools import track_data
# HTML elements accepted on top of bleach's default allowlist. Everything here
# is structural/formatting markup; the only addition that can carry a URL is
# <img>, whose attribute set is pinned to "src" below.
ALLOWED_TAGS = bleach.ALLOWED_TAGS + [
    # inline / block formatting
    "br", "img", "span", "div", "pre", "p",
    # definition lists and inline text
    "dl", "dd", "dt", "tt", "cite",
    # headings
    "h1", "h2", "h3", "h4", "h5", "h6",
    # tables
    "table", "col", "tr", "td", "th", "tbody", "thead",
    "colgroup",
]

# Start from a *shallow* copy of bleach's default attribute map. The per-tag
# lists are still the library's own objects, so entries must be replaced
# (as below), never mutated in place, or the defaults change for every caller.
ALLOWED_ATTRIBUTES = dict(bleach.ALLOWED_ATTRIBUTES)
# NOTE(review): src values are presumably still filtered by bleach's URL
# protocol allowlist — confirm for the installed bleach version.
ALLOWED_ATTRIBUTES["img"] = ["src"]
ALLOWED_ATTRIBUTES["span"] = ["class"]
# Get the Storage Engine for Packages
if getattr(settings, "PACKAGE_FILE_STORAGE", None):
mod_name, engine_name = settings.PACKAGE_FILE_STORAGE.rsplit(".", 1)
import pickle
import re
from xml.sax import saxutils
from flask import current_app
from redis import StrictRedis
import bleach
import requests
# Module-level Redis client using the library's default connection settings.
redis = StrictRedis()

# NOTE: these statements widen bleach's *module-level* defaults instead of
# building a local allowlist, so every bleach.clean() call in this process
# that relies on the defaults now accepts these tags/attributes as well
# (including <img>/<audio>/<video>/<source> with src attributes).
# NOTE(review): this assumes bleach.ALLOWED_TAGS is a mutable list, as in the
# bleach releases this targets; newer releases expose an immutable collection,
# in which case this must become a local list passed to bleach.clean(tags=...).
bleach.ALLOWED_TAGS += [
    # links, images and basic block structure
    'a', 'img', 'p', 'br', 'marquee', 'blink',
    # media and tables
    'audio', 'video', 'source', 'table', 'tbody', 'td', 'tr', 'div', 'span',
    # preformatted text and headings
    'pre', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
]
bleach.ALLOWED_ATTRIBUTES['img'] = ['src', 'alt', 'title']
bleach.ALLOWED_ATTRIBUTES['audio'] = ['preload', 'controls', 'src']
bleach.ALLOWED_ATTRIBUTES['video'] = ['preload', 'controls', 'src', 'poster']
bleach.ALLOWED_ATTRIBUTES['source'] = ['type', 'src']
bleach.ALLOWED_ATTRIBUTES['td'] = ['colspan']

# Identifies this feed reader in outbound HTTP requests.
USER_AGENT = 'Woodwind (https://github.com/kylewm/woodwind)'
bleach_v[idx] = val
attrs = bleach.ALLOWED_ATTRIBUTES.copy()
attrs['table'] = ['class']
attrs['span'] = ['class', 'id']
attrs['div'] = ['class']
attrs['td'] = ['align']
attrs['th'] = ['align']
if not ignore or 'img' not in ignore:
# newer bleach need three args for attribute callable
if tuple(bleach_v) >= (2, 0, 0): # pragma: no cover
attrs['img'] = lambda tag, name, val: filter_img_src(name, val)
else:
attrs['img'] = filter_img_src
tags = bleach.ALLOWED_TAGS + [
'p', 'br', 'div', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
'table', 'td', 'tr', 'th', 'thead', 'tbody',
'col', 'pre', 'img', 'hr', 'dl', 'dt', 'dd', 'span',
'kbd', 'var', 'del', 'cite',
]
if ignore:
for tag in ignore:
if tag in tags:
tags.remove(tag)
kwargs = {
'tags': tags,
'attributes': attrs
}
# newer bleach allow to customize the protocol supported
@property
def description_bleached(self):
    """Return ``self.description`` with disallowed HTML stripped by bleach.

    Only bleach's default tags plus paragraphs, headings (h2-h5), line
    breaks and <u> survive. No ``attributes`` argument is passed, so
    bleach's default attribute map applies and no extra attribute surface
    is opened.
    """
    allowed = bleach.ALLOWED_TAGS + ['p', 'h4', 'h5', 'h3', 'h2', 'br', 'u']
    return bleach.clean(self.description, tags=allowed)
if r.endswith(settings.EMAIL_SUFFIX):
gus_recip.append(r[:-len(settings.EMAIL_SUFFIX)])
recip = [r for r in recip if r not in gus_recip]
try:
date = parse(re.search('date:([^\n]*)\n',
v['BODY[HEADER]'], re.I).group(1).strip())
t = date.utcoffset()
date = date.replace(tzinfo=None) - t
except Exception, e:
logging.debug(e)
date = None
# store the email in the DB
em = DBEmail()
em.fill(v['BODY[HEADER]'], bleach.clean(v['BODY[TEXT]'], tags=bleach.ALLOWED_TAGS+["p", "h1", "h2", "h3", "h4", "h5", "h6"]), date,
message.from_email, recip, gus_recip)
# now delete from server
server.add_flags(k, ['\Deleted'])
server.logout()
import re
import bleach
from django.conf import settings
from django.utils.six.moves.urllib.parse import urlparse, urlunparse
from django.utils.translation import ugettext_lazy as _
ALLOWED_TAGS = bleach.ALLOWED_TAGS + [
'div', 'span', 'p', 'br', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
'pre', 'code', 'cite',
'dl', 'dt', 'dd', 'small', 'sub', 'sup', 'u', 'strike', 'samp', 'abbr',
'ul', 'ol', 'li',
'nobr', 'dfn', 'caption', 'var', 's',
'i', 'img', 'hr',
'input', 'label', 'select', 'option', 'textarea',
# Note:
import re
import bleach
from django.conf import settings
from django.utils.six.moves.urllib.parse import urlparse, urlunparse
from django.utils.translation import ugettext_lazy as _
ALLOWED_TAGS = bleach.ALLOWED_TAGS + [
'div', 'span', 'p', 'br', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
'pre', 'code', 'cite',
'dl', 'dt', 'dd', 'small', 'sub', 'sup', 'u', 'strike', 'samp', 'abbr',
'ul', 'ol', 'li',
'nobr', 'dfn', 'caption', 'var', 's',
'i', 'img', 'hr',
'input', 'label', 'select', 'option', 'textarea',
# Note:
class AbstractMongoRecord(object):
"""
AbstractMongoRecord - superclass of classes representing mongo records.
"collection" attribute is set on subclass
"""
collection = None # name of the MongoDB collection backing this record type; set on each subclass
id_field = "_id" # Mongo ID field
criteria_field = "_id" # primary key used to locate an existing record
criteria_override_field = None # if a record type keys on a different primary attribute (e.g. 'title' for Index records) and the presence of an override field in a save ("oldTitle" for Index records) means that attribute is changing, this holds the override field's name
required_attrs = [] # names of required attributes (shared class-level list: subclasses should rebind it, not append to it)
optional_attrs = [] # names of optional attributes (same caveat as required_attrs)
track_pkeys = False # NOTE(review): presumably switches on recording of pkeys_orig_values (reset in __init__) — confirm in subclasses
pkeys = [] # fields that other records may depend on
history_noun = None # label for history records
ALLOWED_TAGS = bleach.ALLOWED_TAGS + ["p", "br"] # bleach's default tag allowlist plus <p>/<br>; both are bare structural elements with no attributes allowed here, so they add no URL or script surface
ALLOWED_ATTRS = bleach.ALLOWED_ATTRIBUTES # direct reference (not a copy) to bleach's mutable default map: mutating it in place would widen the allowlist for every bleach.clean() call in the process
def __init__(self, attrs=None):
    """Initialise defaults, then load the record's fields from ``attrs``.

    ``attrs`` may be omitted; a fresh empty dict is substituted so no
    shared default object is ever mutated. ``pkeys_orig_values`` is reset
    to an empty dict before loading.
    """
    initial = {} if attrs is None else attrs
    self._init_defaults()
    self.pkeys_orig_values = {}
    self.load_from_dict(initial, True)
def load_by_id(self, _id=None):
if _id is None:
raise Exception(type(self).__name__ + ".load() expects an _id as an argument. None provided.")
if isinstance(_id, basestring):
# allow _id as either string or ObjectId
_id = ObjectId(_id)
import jinja2
from babel import localedata
from babel.dates import format_date, format_time, format_datetime
from babel.numbers import format_decimal
from django_jinja import library
from jinja2.utils import Markup
from pytz import timezone
from kitsune.sumo import parser
from kitsune.sumo.urlresolvers import reverse
from kitsune.users.models import Profile
from kitsune.products.models import Product
from kitsune.wiki.showfor import showfor_data as _showfor_data
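# Tags allowed in user bios: bleach's defaults plus paragraphs.
ALLOWED_BIO_TAGS = bleach.ALLOWED_TAGS + ['p']

# Copy bleach's default attribute map *including* its per-tag lists.
# ``bleach.ALLOWED_ATTRIBUTES.copy()`` is only a shallow copy: appending to
# one of its values would mutate the library's own default list and silently
# widen the attribute allowlist for every other bleach.clean() call in the
# process, not just for bios.
ALLOWED_BIO_ATTRIBUTES = {
    tag: list(attrs) for tag, attrs in bleach.ALLOWED_ATTRIBUTES.items()
}
# allow rel="nofollow" on bio links (affects only this allowlist)
ALLOWED_BIO_ATTRIBUTES['a'].append('rel')

# Module logger for these template helpers.
log = logging.getLogger('k.helpers')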
class DateTimeFormatError(Exception):
    """Raised by the datetimeformat helper when it receives an invalid format."""
@library.filter
def paginator(pager):
    """Render the list of pages for ``pager`` via ``Paginator``.

    Registered as a template filter through ``library.filter``.
    """
    page_list = Paginator(pager)
    return page_list.render()
def clean_input(text, ignore=None):
""" For a given html text, escape everything we do not want to support
to avoid potential security breach.
"""
if ignore and not isinstance(ignore, (tuple, set, list)):
ignore = [ignore]
attrs = bleach.ALLOWED_ATTRIBUTES.copy()
attrs['table'] = ['class']
attrs['span'] = ['class', 'id']
attrs['div'] = ['class']
if not ignore or 'img' not in ignore:
attrs['img'] = filter_img_src
tags = bleach.ALLOWED_TAGS + [
'p', 'br', 'div', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
'table', 'td', 'tr', 'th', 'thead', 'tbody',
'col', 'pre', 'img', 'hr', 'dl', 'dt', 'dd', 'span',
'kbd', 'var', 'del', 'cite',
]
if ignore:
for tag in ignore:
if tag in tags:
tags.remove(tag)
kwargs = {
'tags': tags,
'attributes': attrs
}
# newer bleach allow to customize the protocol supported