schema: extend content accepted HTML tags & attrs

inveniosoftware · Nov 15, 2023 · 651656e · 651656e
1 parent 6953892
commit 651656e
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/invenio_pages/services/schemas.py b/invenio_pages/services/schemas.py
@@ -1,16 +1,24 @@
 # -*- coding: utf-8 -*-
 #
 # Copyright (C) 2023 CERN.
+# Copyright (C) 2023 KTH Royal Institute of Technology.
 #
 # Invenio-Pages is free software; you can redistribute it and/or modify it
 # under the terms of the MIT License; see LICENSE file for more details.
 
 """Pages schema."""
 
 from datetime import timezone
-
 from marshmallow import Schema, fields
 from marshmallow_utils.fields import SanitizedHTML, TZDateTime
+from marshmallow_utils.html import ALLOWED_HTML_ATTRS, ALLOWED_HTML_TAGS
+
+EXTENDED_ALLOWED_TAGS = ALLOWED_HTML_TAGS + ["img", "button"]
+EXTENDED_ALLOWED_ATTRS = {
+    **ALLOWED_HTML_ATTRS,
+    "img": ["src", "alt", "title", "width", "height"],
+    "button": ["type", "name", "value", "disabled", "onclick"],
+}
 
 
 class PageSchema(Schema):
@@ -19,7 +27,7 @@ class PageSchema(Schema):
     id = fields.String()
     url = fields.String(metadata={"create_only": True})
     title = fields.String()
-    content = SanitizedHTML()
+    content = SanitizedHTML(tags=EXTENDED_ALLOWED_TAGS, attrs=EXTENDED_ALLOWED_ATTRS)
     description = fields.String()
     template_name = fields.String()
     created = TZDateTime(timezone=timezone.utc, format="iso", dump_only=True)