From 34ae1c3fd48edb0c1325f054fe4c10a98a480037 Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson <frjo@xdeb.org>
Date: Tue, 9 Jul 2019 09:28:40 +0200
Subject: [PATCH] Sanitizing (with bleach) output before diffing revisions.
 Only allowing h4, br and p tags.

---
 opentech/apply/funds/differ.py                              | 6 +++---
 .../funds/templates/funds/applicationrevision_list.html     | 2 +-
 opentech/apply/funds/views.py                               | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/opentech/apply/funds/differ.py b/opentech/apply/funds/differ.py
index 8b2c855ff..f99cb7f7b 100644
--- a/opentech/apply/funds/differ.py
+++ b/opentech/apply/funds/differ.py
@@ -29,16 +29,16 @@ def compare(answer_a, answer_b, should_bleach=True):
 
     if should_bleach:
         if isinstance(answer_a, str):
-            answer_a = bleach.clean(answer_a)
+            answer_a = bleach.clean(answer_a, tags=['section', 'h4', 'p', 'br'], attributes={}, strip=True)
         else:
             answer_a = str(answer_a)
 
         if isinstance(answer_b, str):
-            answer_b = bleach.clean(answer_b)
+            answer_b = bleach.clean(answer_b, tags=['section', 'h4', 'p', 'br'], attributes={}, strip=True)
         else:
             answer_b = str(answer_b)
 
-    diff = SequenceMatcher(lambda x: '\n' in x, answer_a, answer_b)
+    diff = SequenceMatcher(lambda x: '\n\r' in x, answer_a, answer_b)
     output = []
     added = []
     deleted = []
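Review bot: The new junk predicate `lambda x: '\n\r' in x` can never be true. SequenceMatcher calls it with one element of the sequence, which is a single character for string inputs, and a two-character string is never contained in a one-character string; `lambda x: x in '\n\r'` would treat both newline characters as junk. Separately, the two `else` branches still pass non-string answers through `str()` without `bleach.clean`, so if the diff output is later rendered as trusted HTML (not visible here), those values skip the allow-list; cleaning after the `str()` conversion would close that gap. The allow-list also includes `section`, which the commit message does not mention, and it is duplicated in both calls, so a module-level constant would keep the two in step. The body of `compare` continues past the end of the hunk.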
diff --git a/opentech/apply/funds/templates/funds/applicationrevision_list.html b/opentech/apply/funds/templates/funds/applicationrevision_list.html
index d9dd2c55d..e39d7b0f7 100644
--- a/opentech/apply/funds/templates/funds/applicationrevision_list.html
+++ b/opentech/apply/funds/templates/funds/applicationrevision_list.html
@@ -14,7 +14,7 @@
         {% for revision in object_list %}
             <li class="revision__item">
                 <p class="revision__meta">
-                    <span class="revision__date">{{ revision.timestamp|date:"m.d.y h:iA e"}} </span>
+                    <span class="revision__date">{{ revision.timestamp|date:"Y-m-d H:i e"}} </span>
                     by {{ revision.author }}
                     {% if forloop.first %}
                         <span class="revision__current">- current</span>
diff --git a/opentech/apply/funds/views.py b/opentech/apply/funds/views.py
index 11abacbb2..1d480247e 100644
--- a/opentech/apply/funds/views.py
+++ b/opentech/apply/funds/views.py
@@ -809,7 +809,7 @@ class RevisionCompareView(DetailView):
 
         # Compare all the answers
         diffed_text_fields_answers = [
-            compare(*fields, should_bleach=False)
+            compare(*fields, should_bleach=True)
             for fields in zip(from_rendered_text_fields, to_rendered_text_fields)
         ]
 
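Review bot: Nothing at this call site says why sanitising is on, and the previous value was `should_bleach=False`, so a comment above the comprehension would help stop it being flipped back, e.g. `# Rendered answers may carry submitted HTML; compare() must sanitise before the diff is displayed.` Since `should_bleach=True` is already the default in the signature of `compare` (shown in the differ.py hunk header), the explicit keyword is redundant but harmless as documentation. Note also that `strip=True` in `compare` removes every tag outside the allow-list, so rendered markup such as links or lists will likely appear as plain text in the comparison; it is worth confirming that this is intended. The enclosing method starts outside the hunk.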
-- 
GitLab