From 7bd18022767cde25fea4620196bb7f7fc7b0fe2f Mon Sep 17 00:00:00 2001 From: rattatwinko Date: Sun, 19 Apr 2026 21:44:53 +0200 Subject: [PATCH] implement dotenv loading for allowed domains --- .gitignore | 4 +++- README.md | 9 ++++++++- TODO.md | 2 +- requirements.txt | Bin 148 -> 178 bytes src/profiles.py | 42 ++++++++++++++++++++++++++++++++++++------ 5 files changed, 48 insertions(+), 9 deletions(-) diff --git a/.gitignore b/.gitignore index e301605..37b09be 100644 --- a/.gitignore +++ b/.gitignore @@ -672,4 +672,6 @@ fabric.properties ## ENVIRONMENT -.env \ No newline at end of file +.env +lvenv +wvenv \ No newline at end of file diff --git a/README.md b/README.md index 85f0df4..25d64f7 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,10 @@ # sanigi-html -sanigi-html (esperanto for sanitize html) is a python tool which takes in HTML and sanitzies it for use with student webspaces \ No newline at end of file +sanigi-html (esperanto for sanitize html) is a python tool which takes in HTML and sanitzies it for use with student webspaces + +.env spec: + +```env +ALLOWED_DOMAINS_IMG=images.example.org,cdn.example.com +ALLOWED_DOMAINS_LINK=example.com +``` \ No newline at end of file diff --git a/TODO.md b/TODO.md index 752ecda..0810bfb 100644 --- a/TODO.md +++ b/TODO.md @@ -23,7 +23,7 @@ NOTE: That things which are in italic text are already implemented! - *img* - *link href* - *[x] add custom attribute filter function* -- [] load dotenv (chore for profiles.py) ; do this someday when implementing JSON configs. Or dotenv stuff : PRIO:HIGH +- *[x] load dotenv (chore for profiles.py) ; do this someday when implementing JSON configs. Or dotenv stuff : PRIO:HIGH* --- ### Expland strict mode: diff --git a/requirements.txt b/requirements.txt index 70f79efe0322f90b03f510901b5bda97855e2362..1f4218f450623ae402a81bdbd5f2ef2b0a7413e1 100644 GIT binary patch delta 38 qcmbQjxQTIslcXO*DMKbh2}3qRB7-dunlR`w7yz-w#B|+>c3J?aeh4rC delta 12 TcmdnQIE8V7)5IRNi7`3=9p40Z diff --git a/src/profiles.py b/src/profiles.py index 4a0c6b5..64aceb8 100644 --- a/src/profiles.py +++ b/src/profiles.py @@ -4,10 +4,14 @@ # # presets for sanitization of HTML # -import re -from dotenv import dotenv_values + +import os +from dotenv import load_dotenv from urllib.parse import urlparse +# loadenv init +load_dotenv() + def is_safe_url(url : str, allowed_domain=None, allow_relative : bool = True) -> bool: """ Determine wether or not a URL is safe or not. @@ -48,6 +52,21 @@ def create_url_filter(allowed_attrs, allowed_domains=None, allow_relative=True): return value return filter_func +def get_domains(variable): + value = os.getenv(variable, "") + return [ + # return a list of domains, and split by comma + d.strip() for d in value.split(",") if d.strip() + ] + +# Setup any .env variables for python to use + +allow_relative = os.getenv("ALLOW_RELATIVE_URLS", "true").lower() == "true" + +allowed_domains_default = get_domains("ALLOWED_DOMAINS") +allowed_domains_img = get_domains("ALLOWED_DOMAINS_IMG") or allowed_domains_default +allowed_domains_link = get_domains("ALLOWED_DOMAINS_LINK") or allowed_domains_default + STRICT = { "tags" : [ "p", "b", "i", "u", "em", "strong", @@ -56,10 +75,21 @@ STRICT = { "h1", "h2", "h3", "h4", "h5", "h6" ], "attributes": { - # TODO: add loading dotenv variables - "a": create_url_filter(["href"], allowed_domains=[], allow_relative=True), - "img" : create_url_filter(["src", "alt"], allowed_domains=[], allow_relative=True), - "link" : create_url_filter(["href"], allowed_domains=[], allow_relative=True), + "a": create_url_filter( + ["href"], + allowed_domains=allowed_domains_link, + allow_relative=allow_relative + ), + "img": create_url_filter( + ["src", "alt"], + allowed_domains=allowed_domains_img, + allow_relative=allow_relative + ), + "link": create_url_filter( + ["href"], + allowed_domains=allowed_domains_default, + allow_relative=allow_relative + ), }, "protocols": [], "strip": True,