Merge branch 'dev' into v.3.6.x

.gitignore

@@ -26,6 +26,10 @@ docs/locales/**/*.mo
 # Node modules
 /node_modules
 
+# Addons
+/g3w-admin/addons
+/g3w-admin/plugins
+
 # Bower components
 /g3w-admin/core/static/bower_components/
 /g3w-admin/core/static/bower_components

README.md

@@ -16,7 +16,7 @@ Software releases follow theese main branches as described in the compatibility
 | Branch     | Python         | Django         | QGIS          | [client] | First release | Status         |
 |------------|----------------|----------------|---------------|----------|---------------|----------------|
 | [dev]      | 3.10           | 3.2            | 3.28          | dev      | Unreleased    | ⚠️️ Unstable    |
-| [v.3.6.x]  | 3.10           | 3.2            | 3.28          | 3.8      | May 2023      | 🪲️ Bug fixing  |
+| [v.3.6.x]  | 3.10           | 3.2            | 3.28          | 3.8.1    | May 2023      | 🪲️ Bug fixing  |
 | [v.3.5.x]  | 3.10           | 2.2            | 3.22          | 3.7      | Nov 2022      | 🪲️ Bug fixing  |
 | [v.3.4.x]  | 3.8            | 2.2            | 3.22          | 3.4      | Mar 2022      | 🚨 End of Life |
 | [v.3.3.x]  | 3.6            | 2.2            | 3.16          | 3.3      | Sep 2021      | 🚨 End of Life | 

g3w-admin/base/settings/base.py

@@ -73,6 +73,7 @@
     'bx_py_utils',  # required by huey_monitor
     'huey_monitor',
     'about',
+    'django_bleach',
 ]
 
 G3WADMIN_APPS = [
@@ -330,5 +331,17 @@
 # Custom token session client cookie name
 G3W_CLIENT_COOKIE_SESSION_TOKEN = 'g3wclientsessiontoken'
 
+# BLEACH SETTINGS
+# ----------------
+# Which HTML tags are allowed
+BLEACH_ALLOWED_TAGS = ['p', 'b', 'i', 'u', 'em', 'strong', 'a', 'br', 'table', 'tr', 'td', 'th', 'b', 'ul', 'li', 'ol',
+                       'div', 'h1', 'h2', 'h3', 'h4', 'h5', 'pre', 'blockquote', 'tbody', 'theader', 'tfooter', 'span']
+BLEACH_STRIP_TAGS = True
+BLEACH_ALLOWED_ATTRIBUTES = ['href', 'title', 'style', 'src']
+BLEACH_ALLOWED_STYLES = [
+    'background-color', 'color', 'font-size'
+]
+BLEACH_STRIP_COMMENTS = True
+
 # For reverse proxy
 SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

g3w-admin/core/forms.py

@@ -12,6 +12,7 @@
 from crispy_forms.bootstrap import AppendedText, PrependedText
 from modeltranslation.forms import TranslationModelForm
 from guardian.shortcuts import get_objects_for_user
+from django_bleach.forms import BleachField
 from .utils.forms import crispyBoxMacroGroups
 from usersmanage.utils import get_fields_by_user, crispyBoxACL, userHasGroups, get_users_for_object
 from usersmanage.forms import G3WACLForm, UsersChoiceField
@@ -24,6 +25,7 @@ class GroupForm(TranslationModelForm, FileFormMixin, G3WFormMixin, G3WRequestFor
     """Group form."""
 
     propagate = True
+    description = BleachField(required=False)
 
     def __init__(self, *args, **kwargs):
         super(GroupForm, self).__init__(*args, **kwargs)
@@ -207,6 +209,12 @@ def save(self, commit=True):
 class GeneralSuiteDataForm(TranslationModelForm, FileFormMixin, ModelForm):
     """General suite data form."""
     suite_logo = UploadedFileField(required=False)
+    home_description = BleachField(required=False)
+    about_description = BleachField(required=False)
+    groups_map_description = BleachField(required=False)
+    login_description = BleachField(required=False)
+    credits = BleachField(required=False)
+
 
     def __init__(self, *args, **kwargs):
         super(GeneralSuiteDataForm, self).__init__(*args, **kwargs)
@@ -349,6 +357,8 @@ class MacroGroupForm(TranslationModelForm, FileFormMixin, G3WFormMixin, ModelFor
                                     queryset=User.objects.filter(groups__name__in=[G3W_EDITOR1])
                                     .order_by('last_name'), required=False)
 
+    description = BleachField(required=False)
+
     def __init__(self, *args, **kwargs):
 
         if 'editor_users' in kwargs['initial']:

g3w-admin/core/templates/core/generalsuitedata_form.html

@@ -30,6 +30,5 @@ <h4><i class="icon fa fa-ban"></i> {% trans 'Alert' %}!</h4>
     {% crispy form %}
     {% g3wadmin_add_button_form%}
 </form>
-{% include 'core/django_file_form/upload_template.html' %}
 
 {% endblock %}

g3w-admin/editing/api/base/views.py

@@ -34,6 +34,8 @@
 
 from qgis.PyQt.QtCore import QDateTime, QDate, QTime, QVariant, NULL
 
+import bleach
+
 import re
 import logging
 
@@ -260,6 +262,7 @@ def save_vector_data(self, metadata_layer, post_layer_data, has_transactions, po
                         for qgis_field in qgis_layer.fields():
 
                             field_idx = qgis_layer.fields().indexFromName(qgis_field.name())
+                            options = qgis_layer.editorWidgetSetup(field_idx).config()
                             # Look for dataprovider default clause/value:
                             # only for fields no pk with defaultValueClause by provider
                             # and NULL value into feature on new add feature
@@ -282,8 +285,6 @@ def save_vector_data(self, metadata_layer, post_layer_data, has_transactions, po
                                 else:
                                     qtype = QTime
 
-                                options = qgis_layer.editorWidgetSetup(field_idx).config()
-
                                 if 'field_iso_format' in options and not options['field_iso_format']:
                                     if qgis_field.name() in geojson_feature['properties'] and \
                                             geojson_feature['properties'][qgis_field.name()]:
@@ -323,6 +324,23 @@ def save_vector_data(self, metadata_layer, post_layer_data, has_transactions, po
                                     feature.setAttribute(qgis_field.name(), NULL)
                                     numeric_nullable_field_values[qgis_field.name()] = NULL
 
+                            # For fields with UseHtml options, filter content with bleach
+                            # -----------------------------------------------------------
+                            elif 'UseHtml' in options and options['UseHtml'] == '1':
+                                css_sanitizer = bleach.css_sanitizer.CSSSanitizer(
+                                    allowed_css_properties=settings.BLEACH_ALLOWED_STYLES)
+                                feature.setAttribute(qgis_field.name(),
+                                                     bleach.clean(
+                                                         geojson_feature['properties'][qgis_field.name()],
+                                                         tags=settings.BLEACH_ALLOWED_TAGS,
+                                                         attributes=settings.BLEACH_ALLOWED_ATTRIBUTES,
+                                                         strip=settings.BLEACH_STRIP_TAGS,
+                                                         css_sanitizer=css_sanitizer
+                                                     )
+                                                 )
+
+
+
 
 
                         # Call validator!

g3w-admin/qdjango/forms/messages.py

@@ -15,6 +15,7 @@
 from crispy_forms.helper import FormHelper
 from crispy_forms.layout import Layout, Div, HTML, Row, Field
 from crispy_forms.bootstrap import PrependedText
+from django_bleach.forms import BleachField
 from core.mixins.forms import G3WRequestFormMixin, G3WFormMixin, G3WProjectFormMixin, G3WGroupFormMixin
 from qdjango.models import Message
 
@@ -24,6 +25,8 @@ class MessageForm(G3WFormMixin, G3WRequestFormMixin, G3WGroupFormMixin, G3WProje
     Form for project message
     """
 
+    body = BleachField()
+
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         self.helper = FormHelper(self)

g3w-admin/qdjango/forms/projects.py

@@ -20,6 +20,7 @@
 from django_file_form.forms import FileFormMixin, UploadedFileField
 from guardian.shortcuts import get_objects_for_user
 from modeltranslation.forms import TranslationModelForm
+from django_bleach.forms import BleachField
 from usersmanage.forms import G3WACLForm, label_users
 from usersmanage.utils import (crispyBoxACL, get_fields_by_user,
                                get_groups_for_object,
@@ -157,6 +158,8 @@ class QdjangoProjectForm(TranslationModelForm, QdjangoProjectFormMixin, G3WFormM
     authentication_password = forms.CharField(
         label=_("Password"), required=False, widget=forms.PasswordInput())
 
+    description = BleachField(required=False)
+
     def __init__(self, *args, **kwargs):
 
         if 'instance' in kwargs and hasattr(kwargs['instance'], 'url_alias'):

g3w-admin/qdjango/templates/qdjango/project_form.html

@@ -72,5 +72,4 @@ <h4><i class="icon fa fa-ban"></i> {% trans 'Alert' %}!</h4>
             {% crispy form %}
             {% g3wadmin_add_button_form %}
         </form>
-        {% include 'core/django_file_form/upload_template.html' %}
 {% endblock %}

g3w-admin/qdjango/tests/test_forms.py

@@ -219,6 +219,7 @@ def test_qdjango_project_form(self):
         })
 
         form = GroupForm(request=self.request, data=form_data, instance=self.project_group, initial=initial_form_data)
+        print (form.errors)
         self.assertTrue(form.is_valid())
         form.save()
 

requirements.txt

@@ -19,6 +19,7 @@ django-ordered-model==3.3.0
 django-ajax-selects==2.2.0
 django-modeltranslation==0.17.5
 django-filter
+django-bleach
 pathlib2
 lxml
 psycopg2-binary