sanitize headlines

aircox/models/page.py

@@ -9,6 +9,7 @@ from django.utils.html import format_html
 from django.utils.translation import ugettext_lazy as _
 from django.utils.functional import cached_property
 
+import bleach
 from ckeditor.fields import RichTextField
 from filer.fields.image import FilerImageField
 from model_utils.managers import InheritanceQuerySet
@@ -129,7 +130,8 @@ class Page(models.Model):
     def headline(self):
         if not self.content:
             return ''
-        headline = headline_re.search(self.content)
+        content = bleach.clean(self.content)
+        headline = headline_re.search(content)
         return headline.groupdict()['headline'] if headline else ''
 
     @classmethod

aircox/templates/aircox/page_list.html

@@ -72,7 +72,7 @@
 </section>
 
 {% if is_paginated %}
-<hr>
+<hr/>
 {% update_query request.GET.copy page=None as GET %}
 {% with GET.urlencode as GET %}
 <nav class="pagination is-centered" role="pagination" aria-label="{% trans "pagination" %}">

aircox/templates/aircox/widgets/page_item.html

@@ -51,9 +51,7 @@ Context variables:
 
         {% if has_headline|default_if_none:True %}
         <div class="headline">
-        {% block headline %}
+        {% block headline %}{{ object.headline }}{% endblock %}
-        {{ object.headline|safe }}
-        {% endblock %}
         </div>
         {% endif %}
     </div>

requirements.txt

@@ -10,6 +10,7 @@ tzlocal>=1.4
 mutagen>=1.37
 pyyaml>=3.12
 
+bleach>=3.1.0
 django_filter>=2.2.0
 django-taggit>=1.1.0
 django-filer>=1.5.0