Allow the "style" attribute in HTML content.

asl_articles/config/app.cfg

@@ -1,6 +1,8 @@
 [System]
 
-; Allowed HTML tags and attributes. If not specified, the lxml defaults will be used:
-;   https://github.com/lxml/lxml/blob/master/src/lxml/html/defs.py
-;HTML_ATTR_WHITELIST =
+; Allowed HTML tags (default = allow all).
 ;HTML_TAG_WHITELIST =
+
+; Allowed HTML attributes. If not specified, the lxml defaults will be used:
+;   https://github.com/lxml/lxml/blob/master/src/lxml/html/defs.py
+HTML_ATTR_WHITELIST = style

asl_articles/tests/test_articles.py

@@ -429,7 +429,7 @@ def test_clean_html( webdriver, flask_app, dbconn ):
 
     # create a article with HTML content
     create_article( {
-        "title": "title: <span style='boo!'> <b>bold</b> <xxx>xxx</xxx> <i>italic</i> {}".format( replace[0] ),
+        "title": "title: <span onclick='boo!'> <b>bold</b> <xxx>xxx</xxx> <i>italic</i> {}".format( replace[0] ),
         "subtitle": "<i>italicized subtitle</i> {}".format( replace[0] ),
         "snippet": "bad stuff here: <script>HCF</script> {}".format( replace[0] )
     }, toast_type="warning" )
@@ -449,7 +449,7 @@ def test_clean_html( webdriver, flask_app, dbconn ):
 
     # update the article with new HTML content
     edit_article( sr, {
-        "title": "<div style='...'>updated</div>"
+        "title": "<div onclick='...'>updated</div>"
     }, toast_type="warning" )
     wait_for( 2, lambda: get_search_result_names() == ["updated"] )
     assert check_toast( "warning", "Some values had HTML cleaned up.", contains=True )

asl_articles/tests/test_publications.py

@@ -448,7 +448,7 @@ def test_clean_html( webdriver, flask_app, dbconn ):
 
     # create a publication with HTML content
     create_publication( {
-        "name": "name: <span style='boo!'> <b>bold</b> <xxx>xxx</xxx> <i>italic</i> {}".format( replace[0] ),
+        "name": "name: <span onclick='boo!'> <b>bold</b> <xxx>xxx</xxx> <i>italic</i> {}".format( replace[0] ),
         "edition": "<i>2</i>",
         "description": "bad stuff here: <script>HCF</script> {}".format( replace[0] )
     }, toast_type="warning" )
@@ -467,7 +467,7 @@ def test_clean_html( webdriver, flask_app, dbconn ):
 
     # update the publication with new HTML content
     edit_publication( sr, {
-        "name": "<div style='...'>updated</div>"
+        "name": "<div onclick='...'>updated</div>"
     }, toast_type="warning" )
     results = get_search_results()
     assert len(results) == 1

asl_articles/tests/test_publishers.py

@@ -352,7 +352,7 @@ def test_clean_html( webdriver, flask_app, dbconn ):
 
     # create a publisher with HTML content
     create_publisher( {
-        "name": "name: <span style='boo!'> <b>bold</b> <xxx>xxx</xxx> <i>italic</i> {}".format( replace[0] ),
+        "name": "name: <span onclick='boo!'> <b>bold</b> <xxx>xxx</xxx> <i>italic</i> {}".format( replace[0] ),
         "description": "bad stuff here: <script>HCF</script> {}".format( replace[0] )
     }, toast_type="warning" )
 
@@ -368,7 +368,7 @@ def test_clean_html( webdriver, flask_app, dbconn ):
 
     # update the publisher with new HTML content
     edit_publisher( sr, {
-        "name": "<div style='...'>updated</div>"
+        "name": "<div onclick='...'>updated</div>"
     }, toast_type="warning" )
     results = get_search_results()
     assert len(results) == 1

asl_articles/utils.py

@@ -129,6 +129,8 @@ def clean_html( val, allow_tags=None, safe_attrs=None ): #pylint: disable=too-ma
         args[ "remove_unknown_tags" ] = None
     if safe_attrs is None:
         safe_attrs = _html_whitelists.get( "attrs" )
+        if safe_attrs:
+            safe_attrs.extend( lxml.html.defs.safe_attrs )
     elif safe_attrs == []:
         safe_attrs = [ "" ] # nb: this is how we remove everything :-/
     if safe_attrs: