start towards #72. Added nh3 and fixed package description XSS attack

epdb/views.py

@@ -10,6 +10,7 @@ from django.urls import reverse
 from django.views.decorators.csrf import csrf_exempt
 from envipy_additional_information import NAME_MAPPING
 from oauth2_provider.decorators import protected_resource
+import nh3
 
 from utilities.chem import FormatConverter, IndigoUtils
 from utilities.decorators import package_permission_required
@@ -390,9 +391,9 @@ def packages(request):
                 return HttpResponseBadRequest()
         else:
             package_name = request.POST.get("package-name")
-            package_description = request.POST.get(
+            package_description = nh3.clean(request.POST.get(
                 "package-description", s.DEFAULT_VALUES["description"]
-            )
+            ), tags=s.ALLOWED_HTML_TAGS)
 
             created_package = PackageManager.create_package(
                 current_user, package_name, package_description
@@ -1019,7 +1020,7 @@ def package(request, package_uuid):
                 return HttpResponseBadRequest()
 
         new_package_name = request.POST.get("package-name")
-        new_package_description = request.POST.get("package-description")
+        new_package_description = nh3.clean(request.POST.get("package-description"), tags=s.ALLOWED_HTML_TAGS)
 
         grantee_url = request.POST.get("grantee")
         read = request.POST.get("read") == "on"