From faecff95572ba2be3d9c11bc95d765f2724cfd18 Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon
Date: Aug 31 2015 12:39:38 +0000
Subject: Adjust the clean_input method to allow kicking out some of the allowed tags

This way, we can block for certain field tags that may be otherwise allowed

---

diff --git a/pagure/lib/__init__.py b/pagure/lib/__init__.py
index 110f551..b1c24c5 100644
--- a/pagure/lib/__init__.py
+++ b/pagure/lib/__init__.py
@@ -2380,20 +2380,25 @@ def filter_img_src(name, value):
     return False
 
 
-def clean_input(text):
+def clean_input(text, ignore=None):
     """ For a given html text, escape everything we do not want to support
     to avoid potential security breach.
     """
+    if ignore and not isinstance(ignore, (tuple, set, list)):
+        ignore = [ignore]
+
     attrs = bleach.ALLOWED_ATTRIBUTES
-    attrs['img'] = filter_img_src
-    return bleach.clean(
-        text,
-        tags=bleach.ALLOWED_TAGS + [
-            'p', 'br', 'div', 'h1', 'h2', 'h3', 'table', 'td', 'tr', 'th',
-            'col', 'tbody', 'pre', 'img', 'hr',
-        ],
-        attributes=attrs,
-    )
+    if ignore and 'img' not in ignore:
+        attrs['img'] = filter_img_src
+
+    tags = bleach.ALLOWED_TAGS + [
+        'p', 'br', 'div', 'h1', 'h2', 'h3', 'table', 'td', 'tr', 'th',
+        'col', 'tbody', 'pre', 'img', 'hr',
+    ]
+    if ignore:
+        tags = list(set(tags).difference(set(ignore)))
+
+    return bleach.clean(text, tags=tags, attributes=attrs)
 
 
 def could_be_text(text):
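Review bot: The img src filter is no longer installed on the default call path: `if ignore and 'img' not in ignore:` is false when `ignore` is None, so `clean_input(text)` leaves `'img'` in the allowed tags with whatever attribute entry `bleach.ALLOWED_ATTRIBUTES` happens to hold at that moment, and the outcome depends on whether an earlier call with `ignore` set has already mutated it. The condition meant here is `if not ignore or 'img' not in ignore:` so the filter is applied whenever img is kept. Separately, `attrs = bleach.ALLOWED_ATTRIBUTES` aliases the module-level dict (already the case before this change), so the assignment to `attrs['img']` leaks into every other bleach caller in the process; `attrs = dict(bleach.ALLOWED_ATTRIBUTES)` keeps the override local to this function. The docstring should also describe the new parameter, e.g. `ignore: a tag name or an iterable of tag names to strip even though they are normally allowed.`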