form: HTML sanitization and remove Source from CKEditor

zubeydecivelek · zubeydecivelek · commit 506c849854a4 · 2025-08-21T18:11:15.000+02:00
diff --git a/cds/modules/deposit/static/json/cds_deposit/forms/project.json b/cds/modules/deposit/static/json/cds_deposit/forms/project.json
@@ -45,9 +45,6 @@
                   "Replace",
                   "-",
                   "RemoveFormat"
-                ],
-                [
-                  "Source"
                 ]
               ],
               "disableNativeSpellChecker": false,
diff --git a/cds/modules/deposit/static/json/cds_deposit/forms/video.json b/cds/modules/deposit/static/json/cds_deposit/forms/video.json
@@ -44,9 +44,6 @@
                 "Replace",
                 "-",
                 "RemoveFormat"
-              ],
-              [
-                "Source"
               ]
             ],
             "disableNativeSpellChecker": false,
diff --git a/cds/modules/records/serializers/json.py b/cds/modules/records/serializers/json.py
@@ -32,6 +32,7 @@
     has_read_record_permission,
 )
 from ..utils import HTMLTagRemover, remove_html_tags
+from marshmallow_utils.html import sanitize_html
 
 
 class CDSJSONSerializer(JSONSerializer):
@@ -69,9 +70,10 @@ def preprocess_record(self, pid, record, links_factory=None):
                 )
 
                 # decode html entities
-                metadata["description"] = self.html_tag_remover.unescape(
-                    metadata["description"]
-                )
+                description = metadata["description"]
+                description = self.html_tag_remover.unescape(description)
+                metadata["description"] = sanitize_html(
+                    description)
                 if has_request_context():
                     metadata["videos"] = [
                         video
@@ -101,9 +103,10 @@ def preprocess_search_hit(self, pid, record_hit, links_factory=None):
                     self.html_tag_remover, title
                 )
 
-                metadata["description"] = self.html_tag_remover.unescape(
-                    metadata["description"]
-                )
+                description = metadata["description"]
+                description = self.html_tag_remover.unescape(description)
+                metadata["description"] = sanitize_html(
+                    description)
             except KeyError:
                 # ignore error if keys are missing in the metadata
                 pass
diff --git a/cds/modules/records/serializers/schemas/project.py b/cds/modules/records/serializers/schemas/project.py
@@ -20,6 +20,7 @@
 
 from invenio_jsonschemas import current_jsonschemas
 from marshmallow import Schema, fields, pre_load, post_load
+from marshmallow_utils.fields import SanitizedHTML
 
 from ....deposit.api import Project, deposit_video_resolver
 from .common import (
@@ -76,7 +77,7 @@ class ProjectSchema(StrictKeysSchema):
     _deposit = fields.Nested(ProjectDepositSchema, required=True)
     _cds = fields.Nested(_CDSSSchema, required=True)
     title = fields.Nested(TitleSchema, required=True)
-    description = fields.Str()
+    description = SanitizedHTML()
     category = fields.Str(required=True)
     type = fields.Str(required=True)
     note = fields.Str()
diff --git a/cds/modules/records/serializers/schemas/video.py b/cds/modules/records/serializers/schemas/video.py
@@ -20,7 +20,7 @@
 
 from invenio_jsonschemas import current_jsonschemas
 from marshmallow import Schema, fields, pre_load, post_load
-
+from marshmallow_utils.fields import SanitizedHTML
 from ....deposit.api import Video
 from ..fields.datetime import DateString
 from .common import (
@@ -126,7 +126,7 @@ class VideoSchema(StrictKeysSchema):
     contributors = fields.Nested(ContributorSchema, many=True, required=True)
     copyright = fields.Nested(CopyrightSchema)
     date = DateString(required=True)
-    description = fields.Str(required=True)
+    description = SanitizedHTML(required=True)
     doi = DOI()
     duration = fields.Str()
     external_system_identifiers = fields.Nested(
diff --git a/tests/unit/test_serializer.py b/tests/unit/test_serializer.py
@@ -29,6 +29,9 @@
 
 from cds.modules.deposit.api import Video
 from cds.modules.records.serializers.drupal import VideoDrupal
+from cds.modules.records.serializers.json import CDSJSONSerializer
+from cds.modules.records.api import CDSRecord
+from unittest.mock import Mock
 from cds.modules.records.serializers.smil import Smil
 from cds.modules.records.serializers.vtt import VTT
 
@@ -149,3 +152,39 @@ def test_drupal_serializer(video_record_metadata, deposit_metadata):
     data = serializer.format()["entries"][0]["entry"]
     data = {k: data[k] for k in data if k in expected}
     assert data == expected
+
+
+def test_cds_json_serializer_sanitization(video_record_metadata):
+    """Test HTML sanitization in CDSJSONSerializer."""
+    record = CDSRecord.create(video_record_metadata)
+    
+    # Add malicious HTML
+    record['description'] = '<script>alert("xss")</script>Safe content <b>bold</b>'
+    record['title']['title'] = 'Test <script>alert("title")</script> Title  <b>bold</b>'
+    
+    # Test the serializer
+    serializer = CDSJSONSerializer()
+    
+    # Create a mock PID (required by the serializer)
+    mock_pid = Mock()
+    mock_pid.pid_value = '1'
+    
+    # Test preprocess_record method
+    result = serializer.preprocess_record(mock_pid, record)
+    
+    # Check sanitization 
+    description = result['metadata']['description']
+    assert '<script>' not in description
+    assert '</script>' not in description
+    assert 'Safe content' in description
+    # Keep safe HTML tags like <b>
+    assert '<b>bold</b>' in description
+    
+    # Remove everything in title
+    title = result['metadata']['title']['title']
+    assert '<script>' not in title
+    assert '</script>' not in title
+    assert 'Test' in title and 'Title' in title
+    assert '<b>' not in title
+    
+
