remove regex

scidsg · Nov 13, 2024 · e1a7260 · e1a7260
1 parent 3dc535c
commit e1a7260
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 4 deletions.
diff --git a/hushline/settings/__init__.py b/hushline/settings/__init__.py
@@ -1,7 +1,6 @@
 import asyncio
 import base64
 import io
-import re
 from hmac import compare_digest as bytes_are_equal
 from typing import Optional
 
@@ -61,15 +60,13 @@
 
 
 def sanitize_input(input_text: str) -> str:
-    sanitized_text = re.sub(r"<script.*?>.*?</script>", "", input_text, flags=re.DOTALL)
     return clean(
-        sanitized_text,
+        input_text,
         tags=["b", "i", "u", "em", "strong", "p", "br", "a"],
         attributes={"a": ["href"]},
         strip=True,
     )
 
-
 def set_field_attribute(input_field: Field, attribute: str, value: str) -> None:
     if input_field.render_kw is None:
         input_field.render_kw = {}

diff --git a/tests/test_settings.py b/tests/test_settings.py
@@ -666,3 +666,27 @@ def test_update_brand_logo(client: FlaskClient, admin: User) -> None:
     resp = client.get(logo_url, follow_redirects=True)
     # yes this check is ridiculous. why? because we redirect not-founds instead of actually 404-ing
     assert "That page doesn" in resp.text
+
+
+def test_sanitize_input():
+    # Disallowed script tag should be removed
+    input_text = 'Hello <script>alert("malicious")</script> World!'
+    sanitized_text = sanitize_input(input_text)
+    assert '<script>' not in sanitized_text
+    assert sanitized_text == 'Hello  World!'
+
+    # Allowed tags should be retained
+    input_text = 'Welcome <b>bold</b> and <i>italic</i> text with <a href="https://example.com">link</a>.'
+    sanitized_text = sanitize_input(input_text)
+    assert sanitized_text == 'Welcome <b>bold</b> and <i>italic</i> text with <a href="https://example.com">link</a>.'
+
+    # Disallowed attributes should be stripped
+    input_text = 'Click <a href="https://example.com" onclick="malicious()">here</a>'
+    sanitized_text = sanitize_input(input_text)
+    assert 'onclick' not in sanitized_text
+    assert sanitized_text == 'Click <a href="https://example.com">here</a>'
+
+    # Disallowed tags should be stripped
+    input_text = 'This is a <div>test</div>.'
+    sanitized_text = sanitize_input(input_text)
+    assert sanitized_text == 'This is a test.'