Wagtail insert code into body (streamfield)

1
votes

Is it possible to insert html in any other way than RawHTML? RawHTML is a threat and was wondering if I could do it another way.

Thanks in advance!

1
wagtailwagtail-streamfield
The threat is not specific to RawHTMLBlock. If you come up with another method of inserting arbitrary HTML, it will have exactly the same risks as RawHTMLBlock - namely, a malicious editor can insert harmful code. If you're happy to accept that risk, use RawHTMLBlock.gasman
Thanks for the quick answer! I might be making up stuff now but would it be possible to create a custom block in the streamfield to upload a CSV file that would be used for a d3 chart in the body? For example, have a custom block 'BarChart' rendered by a template, and the editor has to upload a CSV that would be used in the template to populate the chart with data? If it's possible, what should I be looking at?AJH

1 Answers

2
votes

As @gasman says in his comment on the question, inserting HTML carries the same risks no matter what form field you give your editors to do it.

However, you can implement a .clean() method on your block type which sanitises the HTML using Bleach.

e.g. to allow only <p> tags: 

>>> raw_html = """<p id='foo' class='dangerous'>
<script>console.log('bar');</script>
<b>Hello</b>
</p>"""
>>> html = bleach.clean(raw_html,
                        tags=['p'],
                        attributes={'p': ['id']},
                        strip=True)
>>> print(html)
<p id='foo'>Hello</p>