Allow links in sanitation

Import and use GIT_REPO_URL in the nihongo module to render a clickable GitHub link for the Indev section. Revamp the sanitise filter: allow <a> tags with href/target/title, introduce ALLOWED_TAGS/ALLOWED_ATTRIBUTES, add re import, and post-process anchors to inject rel="noopener noreferrer" (case-insensitive). Also register the sanitise function as a Jinja2 template filter.

Author: Rishi-Sahasrabuddhe

lingual/modules/nihongo/routes.py

@@ -2,7 +2,7 @@
 import re
 from flask import Blueprint, abort, current_app, flash, jsonify, redirect, render_template, request, session, url_for
 from flask_login import current_user, login_required
-from lingual import db
+from lingual import db, GIT_REPO_URL
 from lingual.modules.nihongo.utils.kanji_processor import Kanji
 from lingual.modules.nihongo.utils import quiz_utils
 from lingual.modules.nihongo.utils.grammar_lesson_processor import get_processor
@@ -87,7 +87,7 @@ def home():
     indev = HomeSection("Indev")
     indev.add_items(
         ItemParagraph(
-            "These items are currently under development. If you encounter any issues, please make an issue on our GitHub Page!"
+            f"These items are currently under development. If you encounter any issues, please make an issue on our <a href='{GIT_REPO_URL}' target='_blank'>GitHub Page</a>!"
         ),
         ItemBox(
             title="Particles",

lingual/utils/filters.py

@@ -2,20 +2,31 @@
 Adds filters for Jinja2 templates for more customisable rendering of content
 """
 
+import re
 import bleach
 
+ALLOWED_TAGS = ["b", "i", "strong", "em", "p", "br", "a"]
+ALLOWED_ATTRIBUTES = {"a": ["href", "target", "title"]}
+
 def sanitise(value):
-    """ Sanitises input to prevent XSS attacks, allowing only basic formatting tags. """
-    return bleach.clean(
-        value,
-        tags=["b", "i", "strong", "em", "p", "br"],
-        attributes={},
-        strip=True
+    """Sanitise input to prevent XSS attacks, while preserving basic formatting and safe links."""
+    # Use bleach to clean the input value, allowing only specified tags and attributes, and stripping out any disallowed tags
+    cleaned = bleach.clean(value, tags=ALLOWED_TAGS, attributes=ALLOWED_ATTRIBUTES, strip=True)
+
+    # Regex sub generated by AI
+    return re.sub(
+        r'<a\b([^>]*)>',
+        # If the anchor tag has an href attribute, add rel="noopener noreferrer" to it
+        lambda match: f'{match.group(0)[:-1]} rel="noopener noreferrer">' if "href=" in match.group(1).lower() else match.group(0),
+        cleaned,
+        flags=re.IGNORECASE, # Make the regex case-insensitive to match 'href' in any case (e.g., HREF, Href, etc.)
     )
 
 def init_app(app):
+    # Initialise the sanitise filter for Jinja2 templates
     @app.template_filter("sanitise")
     def _sanitise_filter(value):
+        # Sanitise the input value using the sanitise function defined above
         return sanitise(value)
 
     return _sanitise_filter