@stephenmcd
Created April 26, 2012 22:19
Patch Mezzanine's RichTextField without upgrading
"""
XSS privilege escalation by malicious non-superuser admin users.
Fixed in Mezzanine 1.0.9:
https://bitbucket.org/stephenmcd/mezzanine/changeset/40cbc47b8d8a
If an admin user was to create their own POST submit to any forms with a
RichTextField, they could include JavaScript that does the following:
- Using AJAX GET request, retrieves a valid CSRF token from the user change
view in the admin
- Using AJAX POST request, submit data to the user change view, with their
own user ID and is_superuser set to true
If a superuser was then to view the page containing this content, the
JavaScript would successfully update the malicious admin user's account to
have superuser status.
The following code allows older versions of Mezzanine to fix this
issue without upgrading, making use of the RICHTEXT_FILTER setting
which was added in 0.11.3 (Jun 09, 2011). Older versions can be patched
using the below function as a template tag, manually applied to
templates that render a RichTextField.
- Save this file as richtextfield_clean.py on your Python path.
- pip install bleach
- Add to your settings.py: RICHTEXT_FILTER = "richtextfield_clean.clean"
"""
import bleach

# Element and attribute allowlists: anything not listed here is escaped
# (tags) or dropped (attributes) by bleach before the HTML is rendered.
# Plain lists rather than tuples, since current bleach releases expect the
# "attributes" argument to be a list, a dict or a callable.
RICHTEXT_ALLOWED_TAGS = [
    "a", "abbr", "acronym", "address", "area", "b", "bdo", "big",
    "blockquote", "br", "button", "caption", "center", "cite", "code",
    "col", "colgroup", "dd", "del", "dfn", "dir", "div", "dl", "dt",
    "em", "fieldset", "font", "form", "h1", "h2", "h3", "h4", "h5",
    "h6", "hr", "i", "img", "input", "ins", "kbd", "label", "legend",
    "li", "map", "menu", "ol", "optgroup", "option", "p", "pre", "q",
    "s", "samp", "select", "small", "span", "strike", "strong", "sub",
    "sup", "table", "tbody", "td", "textarea", "tfoot", "th", "thead",
    "tr", "tt", "u", "ul", "var", "wbr",
]

RICHTEXT_ALLOWED_ATTRIBUTES = [
    "abbr", "accept", "accept-charset", "accesskey", "action",
    "align", "alt", "axis", "border", "cellpadding", "cellspacing",
    "char", "charoff", "charset", "checked", "cite", "class", "clear",
    "cols", "colspan", "color", "compact", "coords", "datetime", "dir",
    "disabled", "enctype", "for", "frame", "headers", "height", "href",
    "hreflang", "hspace", "id", "ismap", "label", "lang", "longdesc",
    "maxlength", "media", "method", "multiple", "name", "nohref",
    "noshade", "nowrap", "prompt", "readonly", "rel", "rev", "rows",
    "rowspan", "rules", "scope", "selected", "shape", "size", "span",
    "src", "start", "style", "summary", "tabindex", "target", "title",
    "type", "usemap", "valign", "value", "vspace", "width", "xml:lang",
]


def clean(html):
    """Sanitize a RichTextField value against the allowlists above.

    Referenced from settings.py as RICHTEXT_FILTER = "richtextfield_clean.clean";
    Mezzanine calls it with the stored HTML and renders the returned string.
    """
    return bleach.clean(html, tags=RICHTEXT_ALLOWED_TAGS,
                        attributes=RICHTEXT_ALLOWED_ATTRIBUTES)
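As an added illustration, not part of the gist and not a substitute for bleach: a standard-library allowlist sanitizer that models the three things the bleach-based RICHTEXT_FILTER above does to stored rich text before a superuser's browser sees it (disallowed elements are escaped into visible text rather than silently removed, attributes outside the allowlist such as every `on*` event handler are dropped, and URL attributes are limited to safe schemes). The tag and attribute lists are a short subset of the gist's allowlists, the `http`/`https`/`mailto` scheme list is assumed to match bleach's default protocols, and the sample HTML is constructed for the demonstration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Short subset of the gist's allowlists, for the example only.
ALLOWED_TAGS = {"a", "b", "br", "em", "i", "img", "p", "strong"}
ALLOWED_ATTRIBUTES = {"alt", "class", "href", "src", "title"}
# URL-bearing attributes are further restricted to these schemes
# (assumed to match bleach's default protocols); relative URLs pass.
URL_ATTRIBUTES = {"href", "src"}
ALLOWED_PROTOCOLS = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}


def _url_allowed(value):
    """Reject javascript:, data: and any other scheme not allowlisted."""
    # Drop tab/CR/LF, which browsers ignore inside a scheme ("java\tscript:").
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip()
    try:
        scheme = urlsplit(cleaned).scheme
    except ValueError:  # malformed URL: treat as unsafe
        return False
    return scheme == "" or scheme in ALLOWED_PROTOCOLS


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document, keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Escape the whole tag so it renders as literal text
            # (the equivalent of bleach's default strip=False).
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRIBUTES:
                continue  # removes onclick, onerror, style, ...
            value = value or ""
            if name in URL_ATTRIBUTES and not _url_allowed(value):
                continue  # removes href="javascript:..." and friends
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)
        else:
            self.out.append(escape("</%s>" % tag))

    def handle_data(self, data):
        # Text is always output-encoded, including script/style bodies,
        # so a stripped <script> cannot smuggle markup through its content.
        self.out.append(escape(data, quote=False))

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        pass  # comments are dropped, as bleach does by default


def clean(html):
    """Sanitize one rich-text value; same role as the gist's clean()."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample of what a malicious editor might store in a RichTextField.
SAMPLE = ('<p onclick="alert(1)">Hello <b>world</b></p>'
          '<script>alert(1)</script>'
          '<a href="javascript:alert(1)">x</a>'
          '<a href="https://example.com/">ok</a>'
          '<img src="/logo.png" onerror="alert(1)" alt="logo">')


def demo():
    """Returns the sanitized form of SAMPLE."""
    return clean(SAMPLE)


if __name__ == "__main__":
    print(demo())
```

Running the block prints the sanitized sample: the `onclick` and `onerror` handlers and the `javascript:` link are gone, the `<script>` element survives only as escaped text, and the harmless markup is untouched. A real deployment should keep using bleach, whose parser also copes with the malformed-HTML edge cases this model does not attempt to cover.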