From 90d81e24217f11ddfc7c263d42c480c1655d2824 Mon Sep 17 00:00:00 2001
From: Jeremy Stretch
Date: Wed, 8 Mar 2023 15:02:18 -0500
Subject: [PATCH] Use a form to clean input Markdown data

---
 netbox/extras/forms/__init__.py | 1 +
 netbox/extras/forms/misc.py | 14 ++++++++++++++
 netbox/extras/urls.py | 2 +-
 netbox/extras/views.py | 12 ++++++++----
 4 files changed, 24 insertions(+), 5 deletions(-)
 create mode 100644 netbox/extras/forms/misc.py

diff --git a/netbox/extras/forms/__init__.py b/netbox/extras/forms/__init__.py
index af0f7cf43..0825c9ca7 100644
--- a/netbox/extras/forms/__init__.py
+++ b/netbox/extras/forms/__init__.py
@@ -2,6 +2,7 @@ from .model_forms import *
 from .filtersets import *
 from .bulk_edit import *
 from .bulk_import import *
+from .misc import *
 from .mixins import *
 from .config import *
 from .scripts import *
diff --git a/netbox/extras/forms/misc.py b/netbox/extras/forms/misc.py
new file mode 100644
index 000000000..b52338e76
--- /dev/null
+++ b/netbox/extras/forms/misc.py
@@ -0,0 +1,14 @@
+from django import forms
+
+__all__ = (
+    'RenderMarkdownForm',
+)
+
+
+class RenderMarkdownForm(forms.Form):
+    """
+    Provides basic validation for markup to be rendered.
+    """
+    text = forms.CharField(
+        required=False
+    )
diff --git a/netbox/extras/urls.py b/netbox/extras/urls.py
index 010f6d076..304e5b9ea 100644
--- a/netbox/extras/urls.py
+++ b/netbox/extras/urls.py
@@ -93,5 +93,5 @@ urlpatterns = [
     re_path(r'^scripts/(?P.([^.]+)).(?P.(.+))/', views.ScriptView.as_view(), name='script'),
     # Markdown
-    path('render/markdown/', views.MarkdownRenderView.as_view(), name="render_markdown")
+    path('render/markdown/', views.RenderMarkdownView.as_view(), name="render_markdown")
 ]
diff --git a/netbox/extras/views.py b/netbox/extras/views.py
index 8d6a9f2ec..91d3b5c58 100644
--- a/netbox/extras/views.py
+++ b/netbox/extras/views.py
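Review bot: The new `text = forms.CharField(required=False)` in misc.py bounds nothing: with no `max_length` the form accepts a string of any size, so the "basic validation" the docstring promises amounts to coercing the POSTed value to a stripped string. Because this form fronts a render endpoint, a `max_length=<LIMIT>` (matched to whatever the UI's markdown fields allow) would let the view reject oversized input cheaply before `render_markdown` runs on it. CharField's default `strip=True` is what preserves the `.strip()` the old view applied, which is worth stating on the field, e.g. `# strip=True (default) replaces the .strip() the view used to apply`.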
@@ -1,7 +1,7 @@
 from django.contrib import messages
 from django.contrib.contenttypes.models import ContentType
 from django.db.models import Count, Q
-from django.http import Http404, HttpResponseForbidden, HttpResponse
+from django.http import Http404, HttpResponseBadRequest, HttpResponseForbidden, HttpResponse
 from django.shortcuts import get_object_or_404, redirect, render
 from django.urls import reverse
 from django.views.generic import View
@@ -892,8 +892,12 @@ class JobResultBulkDeleteView(generic.BulkDeleteView):
 # Markdown
 #
-class MarkdownRenderView(View):
+class RenderMarkdownView(View):
+
     def post(self, request):
-        raw = request.POST.get("text", "").strip()
-        rendered = render_markdown(raw)
+        form = forms.RenderMarkdownForm(request.POST)
+        if not form.is_valid():
+            HttpResponseBadRequest()
+        rendered = render_markdown(form.cleaned_data['text'])
+
+        return HttpResponse(rendered)
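Review bot: The bad-request branch in `RenderMarkdownView.post` never returns: `HttpResponseBadRequest()` under `if not form.is_valid():` constructs the response and discards it, so an invalid form falls through to `form.cleaned_data['text']`, which raises KeyError (a field that failed validation is absent from cleaned_data) and yields a 500 instead of the intended 400. The line should read `return HttpResponseBadRequest()`. With only an optional CharField the form rarely fails validation today, but it will as soon as a `max_length` or similar constraint is added to the form, and until the `return` is in place the `HttpResponseBadRequest` import added in the first hunk is effectively unused.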