From 79abc84905b76be5d593d45d0081e23ad444b49d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Ml=C3=A1dek?=
Date: Sat, 19 Dec 2020 17:01:20 +0100
Subject: [PATCH] fix sanitization; allow markdown in tag descriptions also

---
 sdbs_pile/pile/models.py | 13 +++++++++++--
 sdbs_pile/pile/templates/front_doc_listing.html | 2 +-
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/sdbs_pile/pile/models.py b/sdbs_pile/pile/models.py
index b4bb946..d7033df 100644
--- a/sdbs_pile/pile/models.py
+++ b/sdbs_pile/pile/models.py
@@ -1,6 +1,5 @@
 import bleach
 import markdown2
-from django.core.exceptions import ValidationError
 from django.core.files.storage import FileSystemStorage
 from django.db import models
 from django.db.models import Count, Q
@@ -8,11 +7,21 @@ from model_utils.managers import SoftDeletableManager, SoftDeletableQuerySet
 from model_utils.models import SoftDeletableModel
 from ordered_model.models import OrderedModel
 
+BLEACH_ALLOWED_TAGS = bleach.sanitizer.ALLOWED_TAGS + ['p', 'br', 'h1', 'h2', 'h3']
+
 
 class Tag(SoftDeletableModel):
     name = models.CharField(max_length=128, null=False, blank=False)
     description = models.TextField(null=False, blank=True)
 
+    @property
+    def html_description(self):
+        return bleach.clean(bleach.linkify(markdown2.markdown(self.description)), tags=BLEACH_ALLOWED_TAGS)
+
+    @property
+    def plain_description(self):
+        return bleach.clean(self.html_description, tags=[], strip=True)
+
     def __str__(self):
         return self.name
 
@@ -63,7 +72,7 @@ class Document(SoftDeletableModel):
 
     @property
     def html_description(self):
-        return bleach.linkify(markdown2.markdown(self.description))
+        return bleach.clean(bleach.linkify(markdown2.markdown(self.description)), tags=BLEACH_ALLOWED_TAGS)
 
     @property
     def plain_description(self):
diff --git a/sdbs_pile/pile/templates/front_doc_listing.html b/sdbs_pile/pile/templates/front_doc_listing.html
index 67692d8..8626d2a 100644
--- a/sdbs_pile/pile/templates/front_doc_listing.html
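Review bot: The `bleach.clean(...)` call in Tag.html_description passes `tags=BLEACH_ALLOWED_TAGS` but no `attributes=`, so bleach's default attribute allowlist applies and the `rel="nofollow"` that `bleach.linkify` puts on the `<a>` tags it generates is stripped again (the default allows only `href` and `title` on `a`); the same applies to Document.html_description in the following hunk. Either define the attribute allowlist next to the tag list, e.g. `BLEACH_ALLOWED_ATTRIBUTES = {'a': ['href', 'title', 'rel'], 'abbr': ['title'], 'acronym': ['title']}` and pass `attributes=BLEACH_ALLOWED_ATTRIBUTES`, or do both steps in one pass with `bleach.sanitizer.Cleaner(tags=BLEACH_ALLOWED_TAGS, filters=[bleach.linkifier.LinkifyFilter])`, whichever the installed bleach version supports. Note also that `pre` is not in BLEACH_ALLOWED_TAGS, so fenced code blocks emitted by markdown2 are flattened to inline `code`; if that is intended, a comment on the constant such as `# markdown2 output is reduced to this allowlist before it reaches a |safe template` would record the decision. Since front_doc_listing.html renders the value with `|safe`, a docstring on html_description stating that it returns sanitized HTML intended for unescaped output would make that contract explicit.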
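Review bot: The new return line in Document.html_description is a verbatim copy of the one added to Tag.html_description, so the rendering pipeline and its allowlist now live in two places that must be changed together. A module-level helper, `def render_description(text):` / `    return bleach.clean(bleach.linkify(markdown2.markdown(text)), tags=BLEACH_ALLOWED_TAGS)`, called as `return render_description(self.description)` from both properties, keeps the sanitization policy in one spot. The enclosing Document class and its plain_description property continue outside the hunk.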
+++ b/sdbs_pile/pile/templates/front_doc_listing.html
@@ -14,7 +14,7 @@ {% if tag %}

{{ tag.name }}

-

{{ tag.description }}

+
{{ tag.html_description|safe }}
{% endif %}