Merge branch 'develop' into elasticsearch4

yaasita · web-flow · commit be121313a987 · 2018-07-02T18:01:38.000+09:00
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,5 @@
-FROM amazonlinux:1
+FROM amazonlinux:2018.03.0.20180424
+
 
 WORKDIR /workdir
 COPY requirements.txt ./
diff --git a/api-template.yaml b/api-template.yaml
@@ -906,6 +906,9 @@ Resources:
                 required: true
                 schema:
                   $ref: '#/definitions/MeArticlesDraftsCreate'
+              responses:
+                '200':
+                  description: 'successful operation'
               security:
                 - cognitoUserPool: []
               x-amazon-apigateway-integration:
diff --git a/src/common/text_sanitizer.py b/src/common/text_sanitizer.py
@@ -35,7 +35,9 @@ def allow_div_attributes(tag, name, value):
                 return True
         if name == 'data-alis-iframely-url':
             p = urlparse(value)
-            return p.netloc == 'twitter.com'
+            is_url = len(p.scheme) > 0 and len(p.netloc) > 0
+            is_clean = True if bleach.clean(value) == value else False
+            return is_url and is_clean
         if name == 'contenteditable':
             if value == 'false':
                 return True
diff --git a/tests/common/test_text_sanitizer.py b/tests/common/test_text_sanitizer.py
@@ -68,6 +68,8 @@ def test_sanitize_article_body(self):
         </div>
         <a href="http://example.com">link</a>
         <div data-alis-iframely-url="https://twitter.com/hoge">hoge</div>
+        <div data-alis-iframely-url="https://example.com/hoge?x=1">hoge</div>
+        <div data-alis-iframely-url="http://example.com/hoge?x=1%3Cdiv%3Ehoge%3C%2Fdiv%3E">hoge</div>
         '''.format(domain=os.environ['DOMAIN'])
 
         result = TextSanitizer.sanitize_article_body(target_html)
@@ -143,7 +145,7 @@ def test_sanitize_article_body_with_div_unauthorized_url(self):
         target_html = '''
         <h2>sample h2</h2>
         <div class='hoge piyo' data='aaa' contenteditable='true'></div>
-        <div data-alis-iframely-url="https://example.com/hoge">hoge</div>
+        <div data-alis-iframely-url="https://example.com/hoge?<script>piyo</script>">hoge</div>
         '''
 
         expected_html = '''
