From d156c81a66d1f556fc86d8c9c6794bf5bf2ce5e8 Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Jun 19 2019 10:32:38 +0000 Subject: Change the way we sanitize the blamed view We used to sanitize the entire content of the filter blame_loc which builds the html table with the git blame view. This sanitization removes all src in img tag that do not point to this pagure instance, in other words, it removes all the avatars making the page not really nice to see. In this commit, we clean each line in the file that is being blamed while building the html table instead of cleaning the entire table at once. Signed-off-by: Pierre-Yves Chibon
---
diff --git a/pagure/templates/blame.html b/pagure/templates/blame.html
index 9784a3d..d97c43b 100644
--- a/pagure/templates/blame.html
+++ b/pagure/templates/blame.html
@@ -152,7 +152,7 @@
 {% autoescape false %}
- {{ content | blame_loc(repo, username, blame) | noJS | safe }}
+ {{ content | blame_loc(repo, username, blame) }}
 {% endautoescape %}
 {% else %}
diff --git a/pagure/ui/filters.py b/pagure/ui/filters.py
index 448eb98..1168963 100644
--- a/pagure/ui/filters.py
+++ b/pagure/ui/filters.py
@@ -476,7 +476,7 @@ def blame_loc(loc, repo, username, blame):
 )
 )
 output.append(
- '
%s
' % line + '
%s
' % no_js(line) ) output.append("")
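Review bot: With `| noJS | safe` removed from the template inside `{% autoescape false %}`, everything `blame_loc` returns is now emitted raw, and this hunk sanitizes only `line`. The earlier `output.append(...)` calls that close just above the changed line lie outside the hunk, so it cannot be confirmed from here that the values they interpolate (presumably commit and author data read from the repository) are escaped when each cell is built; every such value should be escaped at the point of interpolation, because repository content is not trusted input. I would add a comment above this call, `# blame_loc output is rendered unescaped: every interpolated value must be sanitized here`, and a test that passes a markup-bearing author name and source line through `blame_loc` and checks the rendered table. Cleaning per line also means each fragment is balanced by the sanitizer in isolation, which is worth checking against highlighted spans that run across several lines.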