[Fix] Mitigate XSS attack vector by cleaning input before it hits our Database (#171)

## Changes - All text input fields are now cleaned with nh3 to remove html tags. We allow certain html tags under `settings.py/ALLOWED_HTML_TAGS` so we can easily update the tags we allow in the future. - All names and descriptions now use the template tag `nh_safe` in all html files. - Usernames and emails are a small exception and are not allowed any html tags Co-authored-by: Liam Brydon <62733830+MyCreativityOutlet@users.noreply.github.com> Co-authored-by: jebus <lorsbach@envipath.com> Co-authored-by: Tim Lorsbach <tim@lorsba.ch> Reviewed-on: enviPath/enviPy#171 Reviewed-by: jebus <lorsbach@envipath.com> Co-authored-by: liambrydon <lbry121@aucklanduni.ac.nz> Co-committed-by: liambrydon <lbry121@aucklanduni.ac.nz>
2025-11-11 22:49:55 +13:00
parent 1cccefa991
commit 34589efbde
53 changed files with 444 additions and 230 deletions
--- a/utilities/chem.py
+++ b/utilities/chem.py
@ -255,6 +255,30 @@ class FormatConverter(object):
        except Exception:
            return False

+    @staticmethod
+    def is_valid_smarts(smarts: str) -> bool:
+        """
+        Checks whether a given string is a valid SMARTS pattern.
+
+        Parameters
+        ----------
+        smarts : str
+            The SMARTS string to validate.
+
+        Returns
+        -------
+        bool
+            True if the SMARTS string is valid, False otherwise.
+        """
+        if not isinstance(smarts, str) or not smarts.strip():
+            return False
+
+        try:
+            mol = Chem.MolFromSmarts(smarts)
+            return mol is not None
+        except Exception:
+            return False
+
    @staticmethod
    def apply(
        smiles: str,