models: user affiliations schema disallow html attrs #459

22 changes: 13 additions & 9 deletions invenio_accounts/profiles/dicts.py
Expand Up @@ -20,16 +20,19 @@ class ValidatedDict(dict):
def __init__(self, schema, *args, **kwargs):
"""Constructor, validates the given data."""
self._schema = schema() if isclass(schema) else schema
self._validate(dict(*args, **kwargs))
super().__init__(*args, **kwargs)
data = self._validate(dict(*args, **kwargs))
super().__init__(**data)

def _validate(self, data):
"""Validate the data with the dictionary's schema."""
"""Validate the data with the dictionary's schema and return the value."""

if self._schema is None:
return data

try:
if self._schema is not None:
# without schema, we basically revert to a normal dictionary
# with more overhead
self._schema.load(data)
# without schema, we basically revert to a normal dictionary
# with more overhead
return self._schema.load(data)
except ValidationError as error:
raise ValueError(f"Validation failed: {error}")

Expand Down Expand Up @@ -67,8 +70,9 @@ def setdefault(self, key, default=None):
def __setitem__(self, key, value):
"""Validate the dictionary and set the value if successful."""
data = {**self, key: value}
self._validate(data)
super().__setitem__(key, value)
data = self._validate(data)
# set schema loaded value
super().__setitem__(key, data[key])

def __delitem__(self, key):
"""Validate the dictionary and delete the key if successful."""
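Review bot: `super().__init__(**data)` on the new line in `__init__` requires every key of the loaded data to be a `str`, a restriction the replaced `super().__init__(*args, **kwargs)` did not impose; `super().__init__(data)` stores the same schema-loaded values without it. In the second hunk, `super().__setitem__(key, data[key])` assumes the schema's load output still contains `key` — if the schema drops or renames a field on load (I cannot see its unknown-field handling from here) this raises `KeyError` instead of the `ValueError` the class otherwise uses, so an explicit check that raises `ValueError` (rather than falling back to the raw, unvalidated `value`) would keep the error contract uniform. The `raise ValueError(f"Validation failed: {error}")` line would also benefit from `from error` so the marshmallow error stays attached to the traceback. `__setitem__`'s enclosing class continues outside the hunk.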
6 changes: 4 additions & 2 deletions invenio_accounts/profiles/schemas.py
Expand Up @@ -12,7 +12,8 @@
from flask import current_app
from invenio_i18n import lazy_gettext as _
from marshmallow import Schema, ValidationError, fields

from marshmallow_utils.fields import SanitizedHTML
from marshmallow_utils.html import strip_html

def validate_visibility(value):
"""Check if the value is a valid visibility setting."""
Expand Down Expand Up @@ -43,7 +44,8 @@ class UserProfileSchema(Schema):
"""The default user profile schema."""

full_name = fields.String()
affiliations = fields.String()
This is not correct. We use sanitised HTML when we want to store and output HTML, and string when we just want text.

# disallow all HTML tags and attrs on deserialization
affiliations = SanitizedHTML(tags=[], attrs=[])


class UserPreferencesSchema(Schema):
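Review bot: `strip_html` is imported on the new line `from marshmallow_utils.html import strip_html` but neither visible hunk uses it; if the rest of `schemas.py` does not either, the import should be dropped (the remainder of the file is outside this diff). The field-level `SanitizedHTML(tags=[], attrs=[])` only filters values that pass through `schema.load`, so profile data persisted before this change is not retroactively cleaned and templates rendering `affiliations` should keep output escaping on. A short addition to the field comment, e.g. `# previously stored values are not re-sanitized; output escaping still applies`, would record that for maintainers.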