From 9e6af89ae47afdedc2f45129c827b6ebdd4ac6d4 Mon Sep 17 00:00:00 2001
From: Maciej Pienczyn
Date: Mon, 30 Mar 2026 16:18:11 +0200
Subject: [PATCH] fix(messages): allow data: protocol in bleach for base64 images + img width/height/style attrs

Images pasted as base64 had their src stripped by bleach (only http/https allowed by default). Now data: protocol is whitelisted. Also allow width/height/style on img for resize support.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 utils/helpers.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/utils/helpers.py b/utils/helpers.py
index d3b42a5..3b74cb7 100644
--- a/utils/helpers.py
+++ b/utils/helpers.py
@@ -14,7 +14,8 @@ logger = logging.getLogger(__name__)
 # Allowed HTML tags and attributes for rich-text content (announcements, events, proceedings)
 _ALLOWED_TAGS = ['p', 'br', 'strong', 'em', 'b', 'i', 'a', 'ul', 'ol', 'li', 'h3', 'h4', 'blockquote', 'img']
-_ALLOWED_ATTRS = {'a': ['href', 'target', 'rel'], 'img': ['src', 'alt']}
+_ALLOWED_ATTRS = {'a': ['href', 'target', 'rel'], 'img': ['src', 'alt', 'width', 'height', 'style']}
+_ALLOWED_PROTOCOLS = ['http', 'https', 'data'] # data: for base64 inline images
 def sanitize_html(content):
@@ -30,7 +31,7 @@ def sanitize_html(content):
     """
     if not content:
         return content
-    return bleach.clean(content, tags=_ALLOWED_TAGS, attributes=_ALLOWED_ATTRS, strip=True)
+    return bleach.clean(content, tags=_ALLOWED_TAGS, attributes=_ALLOWED_ATTRS, protocols=_ALLOWED_PROTOCOLS, strip=True)
 def linkify_urls(html):
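Review bot: `protocols=` in bleach is one allowlist applied to every URI-valued attribute it checks, so adding `data` so that `img[src]` survives also lets `<a href="data:text/html;base64,...">` through `sanitize_html` in the second hunk, and it accepts any MIME type on `img[src]` rather than only images. Restrict `data:` to image sources with per-tag callable attribute filters (bleach accepts a callable `(tag, name, value) -> bool` as the attribute value) that reject `data:` on `a[href]` and require `data:image/` on `img[src]`, normalising the value the way bleach's own protocol check does (entity-decode, strip whitespace and control characters, lowercase) before testing the prefix so the check is not evaded by `d&#97;ta:` or embedded whitespace; the rewrite below needs `re` and `from html import unescape` if the file does not already import them. On recent bleach versions an allowed `style` attribute has its value emptied (with a warning) unless a `css_sanitizer` is passed to `bleach.clean`, so the resize support this commit intends may not work as written; the installed bleach version is not visible from this diff, so please confirm. The body of `sanitize_html` (its docstring) lies between the two hunks, and `linkify_urls` continues past the second one.
```python
_ALLOWED_PROTOCOLS = ['http', 'https', 'data']  # data: for base64 inline images

# Same normalisation bleach applies before its own protocol check, so the prefix
# tests below see the value exactly as bleach will classify it.
_URI_JUNK = re.compile(r"[`\000-\040\177-\240\s]+")


def _normalize_uri(value):
    """Return *value* entity-decoded, stripped of whitespace/control chars and lowercased."""
    return _URI_JUNK.sub("", unescape(value)).replace("\ufffd", "").lower()


def _a_attr_filter(tag, name, value):
    """a: href may be http(s) or relative, never data:; target/rel pass through."""
    if name == 'href':
        return not _normalize_uri(value).startswith('data:')
    return name in ('target', 'rel')


def _img_attr_filter(tag, name, value):
    """img: src may be http(s)/relative or a data: URI whose MIME type is image/*."""
    if name == 'src':
        uri = _normalize_uri(value)
        return not uri.startswith('data:') or uri.startswith('data:image/')
    return name in ('alt', 'width', 'height', 'style')


_ALLOWED_ATTRS = {'a': _a_attr_filter, 'img': _img_attr_filter}
# … unchanged: sanitize_html and the bleach.clean call …
```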