authorMatthew Somerville <matthew@mysociety.org>2019-12-05 15:55:20 +0000
committerMatthew Somerville <matthew@mysociety.org>2020-01-09 10:57:25 +0000
commitba9efbd5b0bca630ecd6299240992efc3422dfca (patch)
tree0ca290ee8e9b399e7dc5fd42adbed7161c79a06b /perllib/FixMyStreet/Template.pm
parentc4961f186e1bf5b9f14fa51e99c37bc013dd8e37 (diff)
Scrub admin description fields.
Diffstat (limited to 'perllib/FixMyStreet/Template.pm')
-rw-r--r--perllib/FixMyStreet/Template.pm17
1 files changed, 17 insertions, 0 deletions
diff --git a/perllib/FixMyStreet/Template.pm b/perllib/FixMyStreet/Template.pm
index 84faeb562..afab83e41 100644
--- a/perllib/FixMyStreet/Template.pm
+++ b/perllib/FixMyStreet/Template.pm
@@ -6,6 +6,7 @@ use warnings;
use FixMyStreet;
use mySociety::Locale;
use Attribute::Handlers;
+use HTML::Scrubber;
use FixMyStreet::Template::SafeString;
use FixMyStreet::Template::Context;
use FixMyStreet::Template::Stash;
@@ -135,4 +136,20 @@ sub html_paragraph : Filter('html_para') {
return FixMyStreet::Template::SafeString->new($text);
}
+sub sanitize {
+ my $text = shift;
+
+ my %allowed_tags = map { $_ => 1 } qw( p ul ol li br b i strong em );
+ my $scrubber = HTML::Scrubber->new(
+ rules => [
+ %allowed_tags,
+ a => { href => qr{^(http|/|tel)}i, style => 1, target => qr/^_blank$/, title => 1 },
+ font => { color => 1 },
+ span => { style => 1 },
+ ]
+ );
+ $text = $scrubber->scrub($text);
+ return $text;
+}
+
1;
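Review bot: `style => 1` on the `a` and `span` rules passes any inline CSS through the scrubber, so a description can still restyle or reposition page content, or reference remote URLs from CSS, even though the tag list is tight. The `href` rule already uses a regex as an attribute rule, so `style` could take one too, limited to the properties the admin editor is expected to emit (for example `span => { style => qr{^\s*color:\s*#?\w+;?\s*$}i }`), and it could probably be dropped from `a`. The `href` pattern is also looser than it reads, because `^(http|/|tel)` accepts any scheme that merely begins with those letters; `qr{^(?:https?://|/|tel:)}i` would pin the intended ones. Since `sanitize` returns a plain string rather than a SafeString like `html_paragraph` above it, a comment such as `# Returns scrubbed HTML as a plain string; caller decides whether to mark it safe` would make the contract explicit.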