def _sanitize_content(self): """Sanitize HTML and Email in field values. Used to prevent XSS. - Ignore if 'Ignore XSS Filter' is checked or fieldtype is 'Code' """ if frappe.flags.in_install: return for fieldname, value in self.get_valid_dict().items(): if not value or not isinstance(value, basestring): continue elif ("<" not in value and ">" not in value): # doesn't look like html so no need continue elif "<!-- markdown -->" in value and not ("<script" in value or "javascript:" in value): # should be handled separately via the markdown converter function continue df = self.meta.get_field(fieldname) sanitized_value = value if df and (df.get("ignore_xss_filter") or (df.get("fieldtype")=="Code" and df.get("options")!="Email") or df.get("fieldtype") in ("Attach", "Attach Image")): continue elif df and df.get("fieldtype") in ("Data", "Code") and df.get("options")=="Email": sanitized_value = sanitize_email(value) else: sanitized_value = sanitize_html(value) self.set(fieldname, sanitized_value)
def _sanitize_content(self): """Sanitize HTML and Email in field values. Used to prevent XSS. - Ignore if 'Ignore XSS Filter' is checked or fieldtype is 'Code' """ if frappe.flags.in_install: return for fieldname, value in self.get_valid_dict().items(): if not value or not isinstance(value, string_types): continue value = frappe.as_unicode(value) if (u"<" not in value and u">" not in value): # doesn't look like html so no need continue elif "<!-- markdown -->" in value and not ("<script" in value or "javascript:" in value): # should be handled separately via the markdown converter function continue df = self.meta.get_field(fieldname) sanitized_value = value if df and df.get("fieldtype") in ( "Data", "Code", "Small Text") and df.get("options") == "Email": sanitized_value = sanitize_email(value) elif df and ( df.get("ignore_xss_filter") or (df.get("fieldtype") == "Code" and df.get("options") != "Email") or df.get("fieldtype") in ("Attach", "Attach Image") # cancelled and submit but not update after submit should be ignored or self.docstatus == 2 or (self.docstatus == 1 and not df.get("allow_on_submit"))): continue else: sanitized_value = sanitize_html( value, linkify=df.fieldtype == 'Text Editor') self.set(fieldname, sanitized_value)
def _sanitize_content(self): """Sanitize HTML and Email in field values. Used to prevent XSS. - Ignore if 'Ignore XSS Filter' is checked or fieldtype is 'Code' """ if frappe.flags.in_install: return for fieldname, value in self.get_valid_dict().items(): if not value or not isinstance(value, string_types): continue value = frappe.as_unicode(value) if (u"<" not in value and u">" not in value): # doesn't look like html so no need continue elif "<!-- markdown -->" in value and not ("<script" in value or "javascript:" in value): # should be handled separately via the markdown converter function continue df = self.meta.get_field(fieldname) sanitized_value = value if df and df.get("fieldtype") in ("Data", "Code", "Small Text") and df.get("options")=="Email": sanitized_value = sanitize_email(value) elif df and (df.get("ignore_xss_filter") or (df.get("fieldtype")=="Code" and df.get("options")!="Email") or df.get("fieldtype") in ("Attach", "Attach Image") # cancelled and submit but not update after submit should be ignored or self.docstatus==2 or (self.docstatus==1 and not df.get("allow_on_submit"))): continue else: sanitized_value = sanitize_html(value, linkify=df.fieldtype=='Text Editor') self.set(fieldname, sanitized_value)