chore: html validation (#2970)

* chore: changed api serializers * chore: state status code * chore: removed sorted keys
2024-06-14 14:31:34 +00:00 · 2023-12-05 13:39:09 +05:30 · 2023-12-05 13:39:09 +05:30 · 25b7e22b70
commit 25b7e22b70
parent a36aa4d093
9 changed files with 47 additions and 6 deletions
--- a/apiserver/plane/api/serializers/cycle.py
+++ b/apiserver/plane/api/serializers/cycle.py
@ -30,6 +30,11 @@ class CycleSerializer(BaseSerializer):
        model = Cycle
        fields = "__all__"
        read_only_fields = [
+            "id",
+            "created_at",
+            "updated_at",
+            "created_by",
+            "updated_by",
            "workspace",
            "project",
            "owned_by",
--- a/apiserver/plane/api/serializers/issue.py
+++ b/apiserver/plane/api/serializers/issue.py
@ -1,3 +1,6 @@
+from lxml import html
+
+
 # Django imports
 from django.utils import timezone

@ -43,7 +46,6 @@ class IssueSerializer(BaseSerializer):

    class Meta:
        model = Issue
-        fields = "__all__"
        read_only_fields = [
            "id",
            "workspace",
@ -53,6 +55,10 @@ class IssueSerializer(BaseSerializer):
            "created_at",
            "updated_at",
        ]
+        exclude = [
+            "description",
+            "description_stripped",
+        ]

    def validate(self, data):
        if (
@ -62,6 +68,15 @@ class IssueSerializer(BaseSerializer):
        ):
            raise serializers.ValidationError("Start date cannot exceed target date")
        
+        try:
+            if(data.get("description_html", None) is not None):
+                parsed = html.fromstring(data["description_html"])
+                parsed_str = html.tostring(parsed, encoding='unicode')
+                data["description_html"] = parsed_str
+            
+        except Exception as e:
+            raise serializers.ValidationError(f"Invalid HTML: {str(e)}")
+
        # Validate assignees are from project
        if data.get("assignees", []):
            data["assignees"] = ProjectMember.objects.filter(
@ -292,7 +307,6 @@ class IssueCommentSerializer(BaseSerializer):

    class Meta:
        model = IssueComment
-        fields = "__all__"
        read_only_fields = [
            "id",
            "workspace",
@ -303,6 +317,21 @@ class IssueCommentSerializer(BaseSerializer):
            "created_at",
            "updated_at",
        ]
+        exclude = [
+            "comment_stripped",
+            "comment_json",
+        ]
+
+    def validate(self, data):
+        try:
+            if(data.get("comment_html", None) is not None):
+                parsed = html.fromstring(data["comment_html"])
+                parsed_str = html.tostring(parsed, encoding='unicode')
+                data["comment_html"] = parsed_str
+            
+        except Exception as e:
+            raise serializers.ValidationError(f"Invalid HTML: {str(e)}")
+        return data


 class IssueActivitySerializer(BaseSerializer):
--- a/apiserver/plane/api/serializers/project.py
+++ b/apiserver/plane/api/serializers/project.py
@ -21,6 +21,7 @@ class ProjectSerializer(BaseSerializer):
        fields = "__all__"
        read_only_fields = [
            "id",
+            'emoji',
            "workspace",
            "created_at",
            "updated_at",
--- a/apiserver/plane/api/serializers/state.py
+++ b/apiserver/plane/api/serializers/state.py
@ -16,6 +16,11 @@ class StateSerializer(BaseSerializer):
        model = State
        fields = "__all__"
        read_only_fields = [
+            "id",
+            "created_by",
+            "updated_by",
+            "created_at",
+            "updated_at",
            "workspace",
            "project",
        ]
--- a/apiserver/plane/api/views/state.py
+++ b/apiserver/plane/api/views/state.py
@ -64,7 +64,7 @@ class StateAPIEndpoint(BaseAPIView):
        )

        if state.default:
-            return Response({"error": "Default state cannot be deleted"}, status=False)
+            return Response({"error": "Default state cannot be deleted"}, status=status.HTTP_400_BAD_REQUEST)

        # Check for any issues in the state
        issue_exist = Issue.issue_objects.filter(state=state_id).exists()
--- a/apiserver/plane/app/views/state.py
+++ b/apiserver/plane/app/views/state.py
@ -77,7 +77,7 @@ class StateViewSet(BaseViewSet):
        )

        if state.default:
-            return Response({"error": "Default state cannot be deleted"}, status=False)
+            return Response({"error": "Default state cannot be deleted"}, status=status.HTTP_400_BAD_REQUEST)

        # Check for any issues in the state
        issue_exist = Issue.issue_objects.filter(state=pk).exists()
--- a/apiserver/plane/bgtasks/webhook_task.py
+++ b/apiserver/plane/bgtasks/webhook_task.py
@ -109,7 +109,7 @@ def webhook_task(self, webhook, slug, event, event_data, action):
        if webhook.secret_key:
            hmac_signature = hmac.new(
                webhook.secret_key.encode("utf-8"),
-                json.dumps(payload, sort_keys=True).encode("utf-8"),
+                json.dumps(payload).encode("utf-8"),
                hashlib.sha256,
            )
            signature = hmac_signature.hexdigest()
--- a/apiserver/plane/utils/issue_filters.py
+++ b/apiserver/plane/utils/issue_filters.py
@ -63,7 +63,7 @@ def date_filter(filter, date_term, queries):
                        duration=int(digit),
                        subsequent=date_query[1],
                        term=term,
-                        date_filter="created_at__date",
+                        date_filter=date_term,
                        offset=date_query[2],
                    )
            else:
--- a/apiserver/requirements/base.txt
+++ b/apiserver/requirements/base.txt
@ -38,3 +38,4 @@ beautifulsoup4==4.12.2
 dj-database-url==2.1.0
 posthog==3.0.2
 cryptography==41.0.5
+lxml==4.9.3