stephenmcd · April 26, 2012 22:19
diff --git a/richtextfield_clean.py b/richtextfield_clean.py
 """

 XSS privilege escalation by malicious non-superuser admin users.

 Fixed in Mezzanine 1.0.9:
 https://bitbucket.org/stephenmcd/mezzanine/changeset/40cbc47b8d8a

 If an admin user was to create their own POST submit to any forms with a 
 RichTextField, they could include JavaScript that does the following: 

 - Using AJAX GET request, retrieves a valid CSRF token from the user change 
 view in the admin 
 - Using AJAX POST request, submit data to the user change view, with their 
 own user ID and is_superuser set to true 

 If a superuser was then to view the page containing this content, the 
 JavaScript would successfully update the malicious admin user's account to 
 have superuser status. 

 The following code allows older versions of Mezzanine to fix this
 issue without upgrading, making use of the RICHTEXT_FILTER setting
 which was added in 0.11.3 (Jun 09, 2011). Older versions can be patched 
 using the below function as a template tag, manually applied to 
 templates that render a RichTextField.

 - Save this file as richtextfield_clean.py on your Python path. 
 - pip install bleach
 - Add to your settings.py: RICHTEXT_FILTER = "richtextfield_clean.clean'

 """

 import bleach

 RICHTEXT_ALLOWED_TAGS = (
    "a", "abbr", "acronym", "address", "area", "b", "bdo", "big",
    "blockquote", "br", "button", "caption", "center", "cite", "code",
    "col", "colgroup", "dd", "del", "dfn", "dir", "div", "dl", "dt",
    "em", "fieldset", "font", "form", "h1", "h2", "h3", "h4", "h5",
    "h6", "hr", "i", "img", "input", "ins", "kbd", "label", "legend",
    "li", "map", "menu", "ol", "optgroup", "option", "p", "pre", "q",
    "s", "samp", "select", "small", "span", "strike", "strong", "sub",
    "sup", "table", "tbody", "td", "textarea", "tfoot", "th", "thead",
    "tr", "tt", "u", "ul", "var", "wbr"
 )

 RICHTEXT_ALLOWED_ATTRIBUTES = (
    "abbr", "accept", "accept-charset", "accesskey", "action",
    "align", "alt", "axis", "border", "cellpadding", "cellspacing",
    "char", "charoff", "charset", "checked", "cite", "class", "clear",
    "cols", "colspan", "color", "compact", "coords", "datetime", "dir",
    "disabled", "enctype", "for", "frame", "headers", "height", "href",
    "hreflang", "hspace", "id", "ismap", "label", "lang", "longdesc",
    "maxlength", "media", "method", "multiple", "name", "nohref",
    "noshade", "nowrap", "prompt", "readonly", "rel", "rev", "rows",
    "rowspan", "rules", "scope", "selected", "shape", "size", "span",
    "src", "start", "style", "summary", "tabindex", "target", "title",
    "type", "usemap", "valign", "value", "vspace", "width", "xml:lang"
 )

 clean = lambda html: bleach.clean(html, RICHTEXT_ALLOWED_TAGS,
                                        RICHTEXT_ALLOWED_ATTRIBUTES)
	"""

	XSS privilege escalation by malicious non-superuser admin users.

	Fixed in Mezzanine 1.0.9:
	https://bitbucket.org/stephenmcd/mezzanine/changeset/40cbc47b8d8a

	If an admin user was to create their own POST submit to any forms with a
	RichTextField, they could include JavaScript that does the following:

	- Using AJAX GET request, retrieves a valid CSRF token from the user change
	view in the admin
	- Using AJAX POST request, submit data to the user change view, with their
	own user ID and is_superuser set to true

	If a superuser was then to view the page containing this content, the
	JavaScript would successfully update the malicious admin user's account to
	have superuser status.

	The following code allows older versions of Mezzanine to fix this
	issue without upgrading, making use of the RICHTEXT_FILTER setting
	which was added in 0.11.3 (Jun 09, 2011). Older versions can be patched
	using the below function as a template tag, manually applied to
	templates that render a RichTextField.

	- Save this file as richtextfield_clean.py on your Python path.
	- pip install bleach
	- Add to your settings.py: RICHTEXT_FILTER = "richtextfield_clean.clean'

	"""

	import bleach

	RICHTEXT_ALLOWED_TAGS = (
	"a", "abbr", "acronym", "address", "area", "b", "bdo", "big",
	"blockquote", "br", "button", "caption", "center", "cite", "code",
	"col", "colgroup", "dd", "del", "dfn", "dir", "div", "dl", "dt",
	"em", "fieldset", "font", "form", "h1", "h2", "h3", "h4", "h5",
	"h6", "hr", "i", "img", "input", "ins", "kbd", "label", "legend",
	"li", "map", "menu", "ol", "optgroup", "option", "p", "pre", "q",
	"s", "samp", "select", "small", "span", "strike", "strong", "sub",
	"sup", "table", "tbody", "td", "textarea", "tfoot", "th", "thead",
	"tr", "tt", "u", "ul", "var", "wbr"
	)

	RICHTEXT_ALLOWED_ATTRIBUTES = (
	"abbr", "accept", "accept-charset", "accesskey", "action",
	"align", "alt", "axis", "border", "cellpadding", "cellspacing",
	"char", "charoff", "charset", "checked", "cite", "class", "clear",
	"cols", "colspan", "color", "compact", "coords", "datetime", "dir",
	"disabled", "enctype", "for", "frame", "headers", "height", "href",
	"hreflang", "hspace", "id", "ismap", "label", "lang", "longdesc",
	"maxlength", "media", "method", "multiple", "name", "nohref",
	"noshade", "nowrap", "prompt", "readonly", "rel", "rev", "rows",
	"rowspan", "rules", "scope", "selected", "shape", "size", "span",
	"src", "start", "style", "summary", "tabindex", "target", "title",
	"type", "usemap", "valign", "value", "vspace", "width", "xml:lang"
	)

	clean = lambda html: bleach.clean(html, RICHTEXT_ALLOWED_TAGS,
	RICHTEXT_ALLOWED_ATTRIBUTES)