From e6760ce8078f11c3fc72202a6ef35cacf2f0e3ff Mon Sep 17 00:00:00 2001 From: Taka Date: Mon, 23 Mar 2020 10:41:57 +0000 Subject: [PATCH] Allow the "style" attribute in HTML content. --- asl_articles/config/app.cfg | 8 +++++--- asl_articles/tests/test_articles.py | 4 ++-- asl_articles/tests/test_publications.py | 4 ++-- asl_articles/tests/test_publishers.py | 4 ++-- asl_articles/utils.py | 2 ++ 5 files changed, 13 insertions(+), 9 deletions(-) diff --git a/asl_articles/config/app.cfg b/asl_articles/config/app.cfg index 4ba9865..0a3f85f 100644 --- a/asl_articles/config/app.cfg +++ b/asl_articles/config/app.cfg @@ -1,6 +1,8 @@ [System] -; Allowed HTML tags and attributes. If not specified, the lxml defaults will be used: -; https://github.com/lxml/lxml/blob/master/src/lxml/html/defs.py -;HTML_ATTR_WHITELIST = +; Allowed HTML tags (default = allow all). ;HTML_TAG_WHITELIST = + +; Allowed HTML attributes. If not specified, the lxml defaults will be used: +; https://github.com/lxml/lxml/blob/master/src/lxml/html/defs.py +HTML_ATTR_WHITELIST = style diff --git a/asl_articles/tests/test_articles.py b/asl_articles/tests/test_articles.py index 7cb7a62..3485eb2 100644 --- a/asl_articles/tests/test_articles.py +++ b/asl_articles/tests/test_articles.py @@ -429,7 +429,7 @@ def test_clean_html( webdriver, flask_app, dbconn ): # create a article with HTML content create_article( { - "title": "title: bold xxx italic {}".format( replace[0] ), + "title": "title: bold xxx italic {}".format( replace[0] ), "subtitle": "italicized subtitle {}".format( replace[0] ), "snippet": "bad stuff here: {}".format( replace[0] ) }, toast_type="warning" ) @@ -449,7 +449,7 @@ def test_clean_html( webdriver, flask_app, dbconn ): # update the article with new HTML content edit_article( sr, { - "title": "
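Review bot: The new default `HTML_ATTR_WHITELIST = style` in app.cfg enables inline CSS for every install that uses the shipped config, and the comment above it does not say what that implies. Unlike the other whitelisted attributes, a `style` value can reposition or cover surrounding page elements and can reference external URLs, so submitted HTML gains influence over how the page around it renders; whatever filtering the cleaner applies to style values is not visible in this patch. I would ship the line commented out as an opt-in, or at least document the trade-off next to it, e.g. `; nb: "style" permits arbitrary inline CSS (overlays, url() fetches) - enable only if everyone who can edit content is trusted.` The comment should also say that the listed attributes are added to the lxml defaults rather than replacing them, since that is what the utils.py hunk implements and "If not specified, the lxml defaults will be used" reads as either/or.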
updated
" + "title": "
updated
" }, toast_type="warning" ) wait_for( 2, lambda: get_search_result_names() == ["updated"] ) assert check_toast( "warning", "Some values had HTML cleaned up.", contains=True ) diff --git a/asl_articles/tests/test_publications.py b/asl_articles/tests/test_publications.py index 5c935bf..db2be13 100644 --- a/asl_articles/tests/test_publications.py +++ b/asl_articles/tests/test_publications.py @@ -448,7 +448,7 @@ def test_clean_html( webdriver, flask_app, dbconn ): # create a publication with HTML content create_publication( { - "name": "name: bold xxx italic {}".format( replace[0] ), + "name": "name: bold xxx italic {}".format( replace[0] ), "edition": "2", "description": "bad stuff here: {}".format( replace[0] ) }, toast_type="warning" ) @@ -467,7 +467,7 @@ def test_clean_html( webdriver, flask_app, dbconn ): # update the publication with new HTML content edit_publication( sr, { - "name": "
updated
" + "name": "
updated
" }, toast_type="warning" ) results = get_search_results() assert len(results) == 1 diff --git a/asl_articles/tests/test_publishers.py b/asl_articles/tests/test_publishers.py index 2d8a51f..34258db 100644 --- a/asl_articles/tests/test_publishers.py +++ b/asl_articles/tests/test_publishers.py @@ -352,7 +352,7 @@ def test_clean_html( webdriver, flask_app, dbconn ): # create a publisher with HTML content create_publisher( { - "name": "name: bold xxx italic {}".format( replace[0] ), + "name": "name: bold xxx italic {}".format( replace[0] ), "description": "bad stuff here: {}".format( replace[0] ) }, toast_type="warning" ) @@ -368,7 +368,7 @@ def test_clean_html( webdriver, flask_app, dbconn ): # update the publisher with new HTML content edit_publisher( sr, { - "name": "
updated
" + "name": "
updated
" }, toast_type="warning" ) results = get_search_results() assert len(results) == 1 diff --git a/asl_articles/utils.py b/asl_articles/utils.py index e34f6f4..314cf7c 100644 --- a/asl_articles/utils.py +++ b/asl_articles/utils.py @@ -129,6 +129,8 @@ def clean_html( val, allow_tags=None, safe_attrs=None ): #pylint: disable=too-ma args[ "remove_unknown_tags" ] = None if safe_attrs is None: safe_attrs = _html_whitelists.get( "attrs" ) + if safe_attrs: + safe_attrs.extend( lxml.html.defs.safe_attrs ) elif safe_attrs == []: safe_attrs = [ "" ] # nb: this is how we remove everything :-/ if safe_attrs:
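Review bot: `safe_attrs.extend( lxml.html.defs.safe_attrs )` modifies in place the list returned by `_html_whitelists.get( "attrs" )`. That dict is defined outside this hunk, but if it holds the configured list across calls, every clean_html() call appends the full lxml default set again and the whitelist grows without bound. Build a fresh list instead of extending the shared one: `safe_attrs = list( safe_attrs ) + list( lxml.html.defs.safe_attrs )`, with a short comment such as `# nb: configured attributes are in addition to the lxml defaults`. The merge also applies only on the config path; a caller passing `safe_attrs` explicitly still gets exactly that list, which is worth stating in the function's docstring so the two paths are not assumed to behave the same. The body of clean_html() continues past the end of the hunk, so how the final value is handed to the cleaner is not visible here.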