Commit 88ac8061 authored by Robin Sonnabend's avatar Robin Sonnabend

Make protocol metadata a link if it's a URL pointing to a whitelisted domain

This only affects the website, the PDF version isn't changed. By default
the whitelist is empty.
For issue #236
parent b8148fb8
......@@ -158,13 +158,13 @@ def check_security(SECRET_KEY, SECURITY_KEY, SESSION_PROTECTION, SESSION_COOKIE_
"Insufficient length of SECURITY_KEY, should be at "
"least {}!".format(
MIN_KEY_LENGTH))
check_choice("SESSION_PROTECTION", SESSION_PROTECTION, ["strong"])
check_choice("SESSION_PROTECTION", SESSION_PROTECTION, ["strong", "none"])
check_choice("SESSION_COOKIE_SECURE", SESSION_COOKIE_SECURE, [True, False])
check_choice("SESSION_COOKIE_HTTPONLY", SESSION_COOKIE_HTTPONLY, [True, False])
check_choice("SESSION_COOKIE_SAMESITE", SESSION_COOKIE_SAMESITE, ["Lax", "Strict"])
def check_server_name(SERVER_NAME, PREFERRED_URL_SCHEME, CDN_URL):
def check_server_name(SERVER_NAME, PREFERRED_URL_SCHEME, CDN_URL, PERMITTED_METADATA_DOMAINS):
# todo: check ip address and server name
check_choice(
"PREFERRED_URL_SCHEME", PREFERRED_URL_SCHEME,
......@@ -491,7 +491,12 @@ CONFIG_SECTIONS = [
name="CDN_URL",
default=None,
required=False, internal=False,
description="URL to get bootstrap and jQuery from.")
description="URL to get bootstrap and jQuery from."),
ConfigEntry(
name="PERMITTED_METADATA_DOMAINS",
default=[],
required=False, internal=False,
description="Domains allowed to be linked to in protocol metadata (e.g. location)."),
],
check=check_server_name,
description="Where is the website hosted"),
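Review bot: check_server_name gains the PERMITTED_METADATA_DOMAINS parameter on its new signature line, but nothing in the visible part of the hunk validates it, and the function body continues outside the hunk. Since the model side tests `url.netloc not in config.PERMITTED_METADATA_DOMAINS` with an exact comparison, an entry that carries a scheme, port, path or upper-case letters never matches and silently disables linking, so a per-entry check that each value is a non-empty lower-case host name containing no `/` or `:`, reported the same way as the other checks in this function, would catch such configuration mistakes. The ConfigEntry description should say the same, e.g. `description="Bare host names (e.g. example.org) that protocol metadata may link to; compared exactly against the host of the URL."`. If the `["strong", "none"]` line is the new side of the first changed pair, this commit also widens the accepted SESSION_PROTECTION values, which the description does not mention and which belongs in its own commit.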
......
......@@ -4,6 +4,7 @@ from datetime import datetime
from io import BytesIO
from enum import Enum
from uuid import uuid4
from urllib.parse import urlparse
from shared import (
db, date_filter_short, escape_tex, DATE_KEY, START_TIME_KEY, END_TIME_KEY,
......@@ -901,6 +902,18 @@ class Meta(DatabaseModel):
def get_parent(self):
return self.protocol
def is_url(self):
print(self.value)
url = urlparse(self.value)
if not url.scheme == "https":
print(self.value, 1)
return False
if not url.netloc or url.netloc not in config.PERMITTED_METADATA_DOMAINS:
print(self.value, 2)
return False
print(self.value, 3)
return True
class Like(DatabaseModel):
__tablename__ = "likes"
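Review bot: Meta.is_url leaves four debugging `print(self.value, …)` calls in place, which write every metadata value — including entries flagged internal — to the process's stdout on each page render; they should be removed before merge. The remaining logic is sound for its purpose (the https requirement keeps `javascript:` and other schemes out of the href, and the exact netloc comparison rejects ports, userinfo and differently-cased hosts), but that exactness is worth stating in a docstring so the config list is filled with bare lower-case host names. `if not url.scheme == "https"` reads better as `if url.scheme != "https"`. The enclosing Meta class starts outside the hunk.
```python
    def is_url(self):
        """Return True if value is an https URL whose host is listed in
        config.PERMITTED_METADATA_DOMAINS (exact, case-sensitive netloc match,
        so entries must be bare lower-case host names without port or path)."""
        url = urlparse(self.value)
        return (url.scheme == "https"
                and bool(url.netloc)
                and url.netloc in config.PERMITTED_METADATA_DOMAINS)
```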
......
......@@ -79,7 +79,7 @@
{% if has_public_view_right %}
{% for meta in protocol.metas %}
{% if not meta.internal or has_private_view_right %}
<p><strong>{{meta.name}}:</strong> {{meta.value}}</p>
<p><strong>{{meta.name}}:</strong> {% if meta.is_url() %}<a href="{{meta.value}}">{{meta.value}}</a>{% else %}{{meta.value}}{% endif %}</p>
{% endif %}
{% endfor %}
{% endif %}
......@@ -88,7 +88,7 @@
<p><strong>Geplant:</strong> {{protocol.date|datify_long}}, {{protocol.get_time()|timify}}</p>
{% endif %}
{% for meta in protocol.metas %}
<p><strong>{{meta.name}}:</strong> {{meta.value}}</p>
<p><strong>{{meta.name}}:</strong> {% if meta.is_url() %}<a href="{{meta.value}}">{{meta.value}}</a>{% else %}{{meta.value}}{% endif %}</p>
{% endfor %}
{% endif %}
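Review bot: The new anchor in both hunks is emitted without a rel attribute, so following it sends the protocol page's URL as the Referer to the linked site; `<a href="{{meta.value}}" rel="noreferrer">` avoids that at no cost since these are plain same-tab links. The attribute value is safe against quote break-out only while Jinja autoescaping is enabled for this template (Flask turns it on for .html files — confirm it is not disabled here), and is_url already restricts the scheme to https. The same markup is duplicated verbatim in the second hunk; a small macro taking `meta` would keep the two renderings from drifting apart.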
......