Lock down the Richtext editor and bleach all user answers

opentech/apply/funds/blocks.py

@@ -39,6 +39,7 @@ class RichTextFieldBlock(TextFieldBlock):
     widget = TinyMCE(mce_attrs={
         'elementpath': False,
         'branding': False,
+        'toolbar1': 'undo redo | styleselect | bold italic | bullist numlist | link'
     })
 
     class Meta:

opentech/apply/funds/models.py

@@ -477,7 +477,7 @@ class ApplicationSubmission(WorkflowHelpers, AbstractFormSubmission):
 
         return super().save(*args, **kwargs)
 
-    def render(self):
+    def render_answers(self):
         context = {'fields': []}
         for field in self.form_fields:
             try:
@@ -494,6 +494,8 @@ class ApplicationSubmission(WorkflowHelpers, AbstractFormSubmission):
                         data = [choices[value] for value in data]
                     except KeyError:
                         data = [choices[int(value)] for value in data]
+                else:
+                    data = str(data)
 
                 context['fields'].append({
                     'field': form_field,

opentech/apply/funds/templates/funds/applicationsubmission_detail.html

@@ -20,7 +20,7 @@
         Email {{ object.email }}
     </div>
     <div>
-        {{ object.render }}
+        {{ object.render_answers }}
     </div>
 </div>
 <div>

opentech/apply/funds/templates/funds/includes/submission_field.html

+{% load bleach_tags %}
 {% for field in fields %}
     <div>
         <h5>{{ field.field.label }}</h5>
@@ -10,7 +11,7 @@
             {% endfor %}
         </div>
         {% else %}
-        <div>{{ field.value }}</div>
+            <div>{{ field.value|bleach }}</div>
         {% endif %}
     </div>
 {% endfor %}

opentech/settings/base.py

@@ -60,6 +60,7 @@ INSTALLED_APPS = [
     'django_filters',
     'django_select2',
     'addressfield',
+    'django_bleach',
 
     'django.contrib.admin',
     'django.contrib.auth',
@@ -318,3 +319,14 @@ SOCIAL_AUTH_PIPELINE = (
     'social_core.pipeline.social_auth.load_extra_data',
     'social_core.pipeline.user.user_details',
 )
+
+# Bleach Settings
+BLEACH_ALLOWED_TAGS = ['h2', 'h3', 'p', 'b', 'i', 'em', 'strong', 'a', 'ul', 'ol', 'li']
+
+BLEACH_ALLOWED_ATTRIBUTES = ['href', 'title', 'style']
+
+BLEACH_ALLOWED_STYLES = ['font-family', 'font-weight', 'text-decoration', 'font-variant']
+
+BLEACH_STRIP_TAGS = True
+
+BLEACH_STRIP_COMMENTS = True

requirements.txt

@@ -2,6 +2,7 @@ Django==1.11.8
 wagtail==1.13.1
 psycopg2==2.7.3.1
 Pillow==4.3.0
+django-bleach==0.3.0
 django-extensions==1.7.4
 django-countries==5.1
 Werkzeug==0.11.11