fix: View expanded svg images from <img> tags to avoid js attacks (#…

…1429) * Fix #1377 * feat: expand images in `<img>` tag to avoid javascript attacks * Embed in img tags svg only * Remove canonical url display from directory listing for svg * Add test * Remove unused Media class * Change function of canonical url button * Remove superflous `} ` * Update NL locale
django-cms · Sep 30, 2023 · 421c86b · 421c86b
1 parent 964f48d
commit 421c86b
Show file tree

Hide file tree

Showing 48 changed files with 1,393 additions and 1,158 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -2,11 +2,13 @@
 CHANGELOG
 =========
 
-unreleased
-==========
+3.1.0 (2023-10-01)
+==================
 
 * feat: limit uploaded image area (width x height) to prevent decompression
   bombs
+* feat: Canonical URL action button now copies canonical URL to the user's
+  clipboard
 * fix: Run validators on updated files in file change view
 * fix: Update mime type if uploading file in file change view
 * fix: Do not allow to remove the file field from an uplaoded file in

diff --git a/filer/__init__.py b/filer/__init__.py
@@ -13,4 +13,4 @@
  8. Publish the release and it will automatically release to pypi
 """
 
-__version__ = '3.0.6'
+__version__ = '3.1.0'
diff --git a/filer/admin/imageadmin.py b/filer/admin/imageadmin.py
@@ -1,4 +1,6 @@
 from django import forms
+from django.shortcuts import get_object_or_404, render
+from django.urls import path
 from django.utils.translation import gettext as _
 from django.utils.translation import gettext_lazy
 
@@ -80,19 +82,24 @@ class Meta:
         model = Image
         exclude = ()
 
-    class Media:
-        css = {
-            # 'all': (settings.MEDIA_URL + 'filer/css/focal_point.css',)
-        }
-        js = (
-
-        )
-
 
 class ImageAdmin(FileAdmin):
     change_form_template = 'admin/filer/image/change_form.html'
     form = ImageAdminForm
 
+    def get_urls(self):
+        return super().get_urls() + [
+            path("expand/<int:file_id>",
+                 self.admin_site.admin_view(self.expand_view),
+                 name=f"filer_{self.model._meta.model_name}_expand_view")
+        ]
+
+    def expand_view(self, request, file_id):
+        image = get_object_or_404(self.model, pk=file_id)
+        return render(request, "admin/filer/image/expand.html", context={
+            "original_url": image.url
+        })
+
 
 if FILER_IMAGE_MODEL == 'filer.Image':
     extra_main_fields = ('author', 'default_alt_text', 'default_caption',)

diff --git a/filer/locale/ar/LC_MESSAGES/django.mo b/filer/locale/ar/LC_MESSAGES/django.mo