Skip to content

Commit

Permalink
models: user affiliations schema disallow html attrs
Browse files Browse the repository at this point in the history
  • Loading branch information
zzacharo committed Sep 18, 2023
1 parent 3caced5 commit a54a2d4
Show file tree
Hide file tree
Showing 2 changed files with 12 additions and 8 deletions.
14 changes: 8 additions & 6 deletions invenio_accounts/profiles/dicts.py
Original file line number Diff line number Diff line change
Expand Up @@ -20,18 +20,19 @@ class ValidatedDict(dict):
def __init__(self, schema, *args, **kwargs):
"""Constructor, validates the given data."""
self._schema = schema() if isclass(schema) else schema
self._validate(dict(*args, **kwargs))
super().__init__(*args, **kwargs)
data = self._validate(dict(*args, **kwargs))
super().__init__(**data)

def _validate(self, data):
"""Validate the data with the dictionary's schema."""
"""Validate the data with the dictionary's schema and return the valid value."""
try:
if self._schema is not None:
# without schema, we basically revert to a normal dictionary
# with more overhead
self._schema.load(data)
return self._schema.load(data)
except ValidationError as error:
raise ValueError(f"Validation failed: {error}")
return data

def _try_op(self, op_name, *args, **kwargs):
"""Try the named operation and see if it violates the schema."""
Expand Down Expand Up @@ -67,8 +68,9 @@ def setdefault(self, key, default=None):
def __setitem__(self, key, value):
"""Validate the dictionary and set the value if successful."""
data = {**self, key: value}
self._validate(data)
super().__setitem__(key, value)
data = self._validate(data)
# set schema loaded value
super().__setitem__(key, data[key])

def __delitem__(self, key):
"""Validate the dictionary and delete the key if successful."""
Expand Down
6 changes: 4 additions & 2 deletions invenio_accounts/profiles/schemas.py
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,8 @@
from flask import current_app
from invenio_i18n import lazy_gettext as _
from marshmallow import Schema, ValidationError, fields

from marshmallow_utils.fields import SanitizedHTML
from marshmallow_utils.html import strip_html

def validate_visibility(value):
"""Check if the value is a valid visibility setting."""
Expand Down Expand Up @@ -43,7 +44,8 @@ class UserProfileSchema(Schema):
"""The default user profile schema."""

full_name = fields.String()
affiliations = fields.String()
# disallow all HTML tags and attrs on deserialization
affiliations = SanitizedHTML(tags=[], attrs=[])


class UserPreferencesSchema(Schema):
Expand Down

0 comments on commit a54a2d4

Please sign in to comment.