Fixed img tags are allowed without filtering of their attributes.

ORA-255

Author: waheedahmed

controller/tests.py

@@ -395,6 +395,15 @@ def test_request_eta_for_submission_in_true(self):
         self.assertEqual(body['success'], True)
         self.assertEqual(body['eta'], settings.DEFAULT_ESTIMATED_GRADING_TIME)
 
+    def test_sanitize_html(self):
+        feedback = "This is a sample feedback. <img src='abc' onerror=alert(1)>"
+
+        sanitized_feedback = util.sanitize_html(feedback)
+
+        # Sanitized feedback should not contain onerror attribute.
+        self.assertFalse("onerror" in sanitized_feedback)
+
+
 class ExpireSubmissionsTests(unittest.TestCase):
     fixtures = ['/controller/test_data.json']
     def setUp(self):

controller/util.py

@@ -396,7 +396,15 @@ def log_connection_data():
 
 def sanitize_html(text):
     try:
-        cleaner = Cleaner(style=True, links=True, add_nofollow=False, page_structure=True, safe_attrs_only=False, allow_tags = ["img", "a"])
+        cleaner = Cleaner(
+            style=True,
+            links=True,
+            add_nofollow=False,
+            page_structure=True,
+            safe_attrs_only=False,
+            remove_unknown_tags=False,
+            allow_tags=["img", "a"]
+        )
         clean_html = cleaner.clean_html(text)
         clean_html = re.sub(r'</p>$', '', re.sub(r'^<p>', '', clean_html))
     except Exception: