--- /dev/null
+import tinymce.models
+import bleach
+
+def valid_html(value):
+ return bleach.clean(value, bleach.ALLOWED_TAGS + ['p'])
+
+class HTMLField(tinymce.models.HTMLField):
+ def pre_save(self, model_instance, add):
+ value = getattr(model_instance, self.attname)
+ safe_value = valid_html(value)
+ setattr(model_instance, self.attname, safe_value)
+ return safe_value
from django.db import models
-from tinymce import models as tinymce_models
+from localmodels import HTMLField
# Create your models here.
class Tag(models.Model):
class Author(models.Model):
name = models.CharField(max_length=100,
help_text="Name of the author")
- notes = tinymce_models.HTMLField(blank=True, help_text= \
- "Notes about the author; may be left blank. Will \
- not be HTML-escaped.",)
- pvt_notes = models.TextField(blank=True, help_text= \
- "Notes about the author; not displayed on \
- the public interface",)
+ notes = HTMLField(blank=True, help_text= \
+ "Notes about the author; may be left blank. Will \
+ not be HTML-escaped.",)
+ pvt_notes = HTMLField(blank=True, help_text= \
+ "Notes about the author; not displayed on \
+ the public interface",)
tags = models.ManyToManyField(Tag, blank=True)
birth_date = models.DateField(blank=True, null=True,
help_text="Date of death (leave blank \
if still alive!)")
- def __unicode__(self):
+ def __str__(self):
return self.name
# class DatePrecision(models.CharField):
help_text="Date of the quote")
tags = models.ManyToManyField(Tag, blank=True)
- notes = models.TextField(blank=True, help_text= \
- "Notes about the work; may be left blank. Will \
- not be HTML-escaped. XXX: offer a WYSIWYG editor")
- pvt_notes = models.TextField(blank=True, help_text= \
- "Notes about the work; not displayed on \
- the public interface")
+ notes = HTMLField(blank=True, help_text= \
+ "Notes about the work; may be left blank. Will \
+ not be HTML-escaped. XXX: offer a WYSIWYG editor")
+ pvt_notes = HTMLField(blank=True, help_text= \
+ "Notes about the work; not displayed on \
+ the public interface")
def __str__(self):
return "%s: %s (%s)" % (self.author.name, self.name, self.date)
class Quote(models.Model):
- text = models.TextField()
+ text = HTMLField()
tags = models.ManyToManyField(Tag, blank=True)
work = models.ForeignKey(Work)
- notes = models.TextField(blank=True, help_text= \
- "Notes about the quote; may be left blank. Will \
- not be HTML-escaped. XXX: offer a WYSIWYG editor")
- pvt_notes = models.TextField(blank=True, help_text= \
- "Notes about the quote; not displayed on \
- the public interface")
+ notes = HTMLField(blank=True, help_text= \
+ "Notes about the quote; may be left blank. Will \
+ not be HTML-escaped. XXX: offer a WYSIWYG editor")
+ pvt_notes = HTMLField(blank=True, help_text= \
+ "Notes about the quote; not displayed on \
+ the public interface")
- def __unicode__(self):
+ def __str__(self):
return self.work.author.name + ": " + self.text
<div class="quote">
<p class="text">
- {{ quote.text }}
+ {{ quote.text|safe }}
</p>
<div class="details">
{% include "quotes/display.html" with quote=quote %}
{% endfor %}
-
{% endblock %}
def setUp(self):
a1 = Author.objects.create(name="JFK")
w1 = Work.objects.create(name="Berlin speech", author=a1)
- q1 = Quote.objects.create(text="Ich bin...", work=w1)
+ q1 = Quote.objects.create(text="<p>Ich bin...</p>", work=w1)
self.q1 = q1
def test_one(self):
- q = Quote.objects.filter(text__startswith="Ich")
+ q = Quote.objects.filter(text__startswith="<p>Ich")
self.assertEqual(q.count(), 1)
q = q[0]
self.assertEqual(q, self.q1)
lxml.etree.fromstring(document)
except lxml.etree.XMLSyntaxError as e:
self.assertTrue(False, 'Errors in page at %s: %s' % (url, e))
+ self.assertFalse('<script>' in document)
return document
def setUp(self):
a1 = Author.objects.create(name="Author with notes",
- notes="Some notes for the author")
+ notes="<script>Some notes for the author</script>")
w1 = Work.objects.create(name="Context with some notes",
author=a1,
- notes="Some notes for the work")
- q1 = Quote.objects.create(text="Quote01, two tags",
+ notes="<p>Some notes for the work</p>")
+ q1 = Quote.objects.create(text="<p>Quote01, two tags</p>",
work=w1,
- notes="Some notes for the quote")
+ notes="<p>Some notes for the quote</p>")
t1 = Tag.objects.create(tag="tag01-1")
t2 = Tag.objects.create(tag="tag01-2")
q1.tags.add(t1, t2)
a2 = Author.objects.create(name="Author without notes")
w2 = Work.objects.create(name="Work without notes", author=a2)
- q2 = Quote.objects.create(text="Quote02, no tags", work=w2)
+ q2 = Quote.objects.create(text="<p>Quote02, no tags</p>", work=w2)
self.assertSequenceEqual(q2.tags.all(), [])
def test_all(self):
self.assertTrue(seen[q.id])
def test_views_all_data(self):
- q = Quote.objects.filter(text__startswith="Quote01")
- self.assertEqual(q.count(), 1)
+ q = Quote.objects.filter(text__startswith="<p>Quote01")
+ self.assertEqual(q.count(), 1, "Couldn't find Quote01 after insertion")
q = q[0]
# check the individual quote page; each of the note type is displayed
self.assertIn(q.text, tagpage)
def test_views_minimal_data(self):
- q = Quote.objects.filter(text__startswith="Quote02")
- self.assertEqual(q.count(), 1)
+ q = Quote.objects.filter(text__startswith="<p>Quote02")
+ self.assertEqual(q.count(), 1,
+ "Couldn't find Quote02 after insertion")
q = q[0]
quotepage = self.getPage('show/%s/' % q.id)