From 68e5a639738cc50de12ebbbfd1c7ce8da78900c5 Mon Sep 17 00:00:00 2001
From: Julian Dehm <j.dehm@liqd.net>
Date: Wed, 10 Jul 2024 15:52:40 +0200
Subject: [PATCH] update Bleach to 6.x and remove django-bleach

---
 .../academy/academy_challenge_page.html         |  4 ++--
 .../academy/templates/academy/academy_page.html |  4 ++--
 .../academy/includes/academy_list_item.html     |  2 +-
 .../management/commands/insert-blogposts.py     | 12 ++----------
 apps/blog/templates/blog/blog_page.html         |  4 ++--
 .../templates/core/text_page_with_blocks.html   |  6 ++----
 apps/core/templatetags/core_tags.py             |  6 ++++++
 .../templates/projects/project_index_page.html  |  4 ++--
 .../templates/projects/project_page.html        |  4 ++--
 changelog/8014.md                               | 11 +++++++++++
 contrib/transforms.py                           | 17 +++++++++++++++++
 pyproject.toml                                  |  3 +--
 requirements/base.txt                           |  3 +--
 website_wagtail/settings/base.py                |  8 --------
 14 files changed, 51 insertions(+), 37 deletions(-)
 create mode 100644 contrib/transforms.py

diff --git a/apps/academy/templates/academy/academy_challenge_page.html b/apps/academy/templates/academy/academy_challenge_page.html
index 8dd6be56..902b2d98 100644
--- a/apps/academy/templates/academy/academy_challenge_page.html
+++ b/apps/academy/templates/academy/academy_challenge_page.html
@@ -1,11 +1,11 @@
 {% extends "base.html" %}
-{% load static wagtailcore_tags wagtailimages_tags wagtailembeds_tags i18n bleach_tags %}
+{% load static wagtailcore_tags wagtailimages_tags wagtailembeds_tags i18n core_tags %}
 
 {% block fb_meta_tags %}
     <meta property="og:type" content="content" />
     <meta property="og:title" content="{{ page.translated_title }}" />
     {% with description=page.translated_intro|richtext %}
-    <meta property="og:description" content="{{ description|bleach }}" />
+    <meta property="og:description" content="{{ description|clean_html_all }}" />
     {% endwith %}
 {% endblock %}
 
diff --git a/apps/academy/templates/academy/academy_page.html b/apps/academy/templates/academy/academy_page.html
index 567e6c5f..aded3265 100644
--- a/apps/academy/templates/academy/academy_page.html
+++ b/apps/academy/templates/academy/academy_page.html
@@ -1,11 +1,11 @@
 {% extends "base.html" %}
-{% load static wagtailcore_tags wagtailimages_tags wagtailembeds_tags i18n bleach_tags %}
+{% load static wagtailcore_tags wagtailimages_tags wagtailembeds_tags i18n core_tags %}
 
 {% block fb_meta_tags %}
     <meta property="og:type" content="content" />
     <meta property="og:title" content="{{ page.translated_title }}" />
     {% with description=page.translated_intro|richtext %}
-    <meta property="og:description" content="{{ description|bleach }}" />
+    <meta property="og:description" content="{{ description|clean_html_all }}" />
     {% endwith %}
 {% endblock %}
 
diff --git a/apps/academy/templates/academy/includes/academy_list_item.html b/apps/academy/templates/academy/includes/academy_list_item.html
index 74505a01..1d628ec0 100644
--- a/apps/academy/templates/academy/includes/academy_list_item.html
+++ b/apps/academy/templates/academy/includes/academy_list_item.html
@@ -1,4 +1,4 @@
-{% load static wagtailcore_tags wagtailimages_tags wagtailembeds_tags i18n bleach_tags %}
+{% load static wagtailcore_tags wagtailimages_tags wagtailembeds_tags i18n %}
 
 <li class="col-12 col-sm-6 col-md-4 academy-list__item mb-4">
     <a href="{% if content.external_link %}
diff --git a/apps/blog/management/commands/insert-blogposts.py b/apps/blog/management/commands/insert-blogposts.py
index 9eb1cb72..76d6d25a 100644
--- a/apps/blog/management/commands/insert-blogposts.py
+++ b/apps/blog/management/commands/insert-blogposts.py
@@ -3,14 +3,13 @@
 from datetime import timedelta
 from urllib.request import urlopen
 
-import bleach
-from bleach.css_sanitizer import CSSSanitizer
 from bs4 import BeautifulSoup
 from django.core.management.base import BaseCommand
 from django.template.defaultfilters import slugify
 
 from apps.blog.models import BlogIndexPage
 from apps.blog.models import BlogPage
+from contrib.transforms import clean_html_all
 
 
 class Command(BaseCommand):
@@ -86,14 +85,7 @@ def handle(self, *args, **options):
 
             result = result + '<a href="' + link + '">' + link + "</a>"
 
-            css_sanitizer = CSSSanitizer(allowed_css_properties=[])
-            clean_result = bleach.clean(
-                result,
-                tags=[],
-                attributes={},
-                css_sanitizer=css_sanitizer,
-                strip=True,
-            )
+            clean_result = clean_html_all(result)
             subtitle_en = clean_result[0:100]
             intro_en = clean_result[0:100]
             title_en = title
diff --git a/apps/blog/templates/blog/blog_page.html b/apps/blog/templates/blog/blog_page.html
index 034f81da..4b0d5d4d 100644
--- a/apps/blog/templates/blog/blog_page.html
+++ b/apps/blog/templates/blog/blog_page.html
@@ -1,11 +1,11 @@
 {% extends "base.html" %}
-{% load static wagtailcore_tags wagtailimages_tags wagtailembeds_tags i18n bleach_tags %}
+{% load static wagtailcore_tags wagtailimages_tags wagtailembeds_tags i18n core_tags %}
 
 {% block fb_meta_tags %}
     <meta property="og:type" content="article" />
     <meta property="og:title" content="{{ page.translated_title }}" />
     {% with description=page.translated_intro|richtext %}
-    <meta property="og:description" content="{{ description|bleach }}" />
+    <meta property="og:description" content="{{ description|clean_html_all }}" />
     {% endwith %}
 {% endblock %}
 
diff --git a/apps/core/templates/core/text_page_with_blocks.html b/apps/core/templates/core/text_page_with_blocks.html
index e78fb517..ec6c3da9 100644
--- a/apps/core/templates/core/text_page_with_blocks.html
+++ b/apps/core/templates/core/text_page_with_blocks.html
@@ -1,13 +1,11 @@
 {% extends "base.html" %}
-{% load wagtailimages_tags i18n %}
-{% load wagtailcore_tags core_tags bleach_tags %}
-{% load static %}
+{% load static i18n wagtailimages_tags wagtailcore_tags core_tags %}
 
 {% block fb_meta_tags %}
 	<meta property="og:type" content="article" />
 	<meta property="og:title" content="{{ page.translated_title }}" />
 	{% with description=page.translated_intro|richtext %}
-	<meta property="og:description" content="{{ description|bleach }}" />
+	<meta property="og:description" content="{{ description|clean_html_all }}" />
 	{% endwith %}
 {% endblock %}
 
diff --git a/apps/core/templatetags/core_tags.py b/apps/core/templatetags/core_tags.py
index 5e5b4a3e..5fc29c30 100644
--- a/apps/core/templatetags/core_tags.py
+++ b/apps/core/templatetags/core_tags.py
@@ -5,6 +5,7 @@
 from django.urls import resolve
 
 from apps.core.models import NavigationMenu
+from contrib import transforms
 
 register = template.Library()
 
@@ -82,3 +83,8 @@ def matomo_tracking_code():
         "url": settings.MATOMO_URL,
         "cookie_disabled": cookie_disabled,
     }
+
+
+@register.filter()
+def clean_html_all(text):
+    return transforms.clean_html_all(text)
diff --git a/apps/projects/templates/projects/project_index_page.html b/apps/projects/templates/projects/project_index_page.html
index c9659f74..515a535b 100644
--- a/apps/projects/templates/projects/project_index_page.html
+++ b/apps/projects/templates/projects/project_index_page.html
@@ -1,11 +1,11 @@
 {% extends "base.html" %}
-{% load static i18n wagtailcore_tags bleach_tags %}
+{% load static i18n wagtailcore_tags core_tags %}
 
 {% block fb_meta_tags %}
 	<meta property="og:type" content="website" />
 	<meta property="og:title" content="{{ page.translated_title }}" />
 	{% with description=page.translated_intro|richtext %}
-	<meta property="og:description" content="{{ description|bleach }}" />
+	<meta property="og:description" content="{{ description|clean_html_all }}" />
 	{% endwith %}
 {% endblock %}
 
diff --git a/apps/projects/templates/projects/project_page.html b/apps/projects/templates/projects/project_page.html
index 701f1109..bb65f6a9 100644
--- a/apps/projects/templates/projects/project_page.html
+++ b/apps/projects/templates/projects/project_page.html
@@ -1,11 +1,11 @@
 {% extends "base.html" %}
-{% load static i18n wagtailcore_tags wagtailimages_tags bleach_tags %}
+{% load static i18n wagtailcore_tags wagtailimages_tags core_tags %}
 
 {% block fb_meta_tags %}
     <meta property="og:type" content="article" />
     <meta property="og:title" content="{{ page.translated_title }}" />
     {% with description=page.translated_shorttext|richtext %}
-    <meta property="og:description" content="{{ description|bleach }}" />
+    <meta property="og:description" content="{{ description|clean_html_all }}" />
     {% endwith %}
     {% if page.image %}
     {% image page.image width-400 as image %}
diff --git a/changelog/8014.md b/changelog/8014.md
index 2e6a0f48..4feb07ec 100644
--- a/changelog/8014.md
+++ b/changelog/8014.md
@@ -1,3 +1,8 @@
+### Added
+
+- add templatetag 'clean_html_all' which strips all css and html tags using
+  Bleach
+
 ### Changed
 
 - update wagtail to 4.2x
@@ -6,3 +11,9 @@
 - adjust to new slug field behavior in wagtail 5.0.x
 - update wagtail to 5.1.3
 - update to wagtail 5.2.5
+- use new clean_html_all templatetag to replace djang-bleach
+- update Bleach to 6.x
+
+### Removed
+
+- removed outdated django-bleach dependency
diff --git a/contrib/transforms.py b/contrib/transforms.py
new file mode 100644
index 00000000..28c98e6b
--- /dev/null
+++ b/contrib/transforms.py
@@ -0,0 +1,17 @@
+import bleach
+from bleach.css_sanitizer import CSSSanitizer
+from django.utils.safestring import SafeText
+from django.utils.safestring import mark_safe
+
+
+def clean_html_all(text: str) -> SafeText:
+    css_sanitizer = CSSSanitizer(allowed_css_properties=[])
+    return mark_safe(
+        bleach.clean(
+            text,
+            tags={},
+            attributes={},
+            css_sanitizer=css_sanitizer,
+            strip=True,
+        )
+    )
diff --git a/pyproject.toml b/pyproject.toml
index 8948aa2c..18c4a78e 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -19,9 +19,8 @@ classifiers = [
 ]
 dependencies = [
     "Django >= 3.2, < 4.3",
-    "bleach[css]",
+    "bleach[css] >= 6.0",
     "brotli",
-    "django-bleach",
     "django-cloudflare-push",
     "django-multiselectfield",
     "django_csp",
diff --git a/requirements/base.txt b/requirements/base.txt
index cf5d93f4..d9ab30ba 100644
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -2,9 +2,8 @@
 Django==4.2.14
 wagtail==5.2.5
 
-bleach[css]==5.0.1
+bleach[css]==6.1.0
 brotli==1.1.0
-django-bleach==3.1.0
 django-cloudflare-push==0.2.2
 django_csp==3.8
 django-multiselectfield==0.1.13
diff --git a/website_wagtail/settings/base.py b/website_wagtail/settings/base.py
index e7924469..3929083c 100644
--- a/website_wagtail/settings/base.py
+++ b/website_wagtail/settings/base.py
@@ -74,7 +74,6 @@
     "django.contrib.messages",
     "django.contrib.staticfiles",
     "wagtail.contrib.settings",
-    "django_bleach",
     "taggit",
     "modelcluster",
     "wagtail",
@@ -141,13 +140,6 @@
 MEDIA_ROOT = join(BASE_DIR, "media")
 MEDIA_URL = "/media/"
 
-# Template configuration
-
-BLEACH_ALLOWED_TAGS = []
-BLEACH_ALLOWED_ATTRIBUTES = []
-BLEACH_STRIP_TAGS = True
-
-
 # Wagtail settings
 
 LOGIN_URL = "wagtailadmin_login"