From f78e0ff938d3371197112d5a17ee8f3688cc0285 Mon Sep 17 00:00:00 2001
From: Ozzie Isaacs
Date: Thu, 9 Nov 2023 17:45:22 +0100
Subject: [PATCH] Use belach or nh3 for cleaning html (fix for #2874)
---
 cps/editbooks.py | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
 mode change 100755 => 100644 cps/editbooks.py
diff --git a/cps/editbooks.py b/cps/editbooks.py
old mode 100755
new mode 100644
index b8f6363f..723f72a3
--- a/cps/editbooks.py
+++ b/cps/editbooks.py
@@ -29,9 +29,18 @@ from markupsafe import escape, Markup # dependency of flask
 from functools import wraps
 try:
- from lxml.html.clean import clean_html, Cleaner
+ from bleach import clean_text as clean_html
+ BLEACH = True
 except ImportError:
- clean_html = None
+ try:
+ from nh3 import clean as clean_html
+ BLEACH = False
+ except ImportError:
+ try:
+ from lxml.html.clean import clean_html
+ BLEACH = False
+ except ImportError:
+ clean_html = None
 from flask import Blueprint, request, flash, redirect, url_for, abort, Response
 from flask_babel import gettext as _
@@ -992,7 +1001,10 @@ def edit_book_series_index(series_index, book):
 def edit_book_comments(comments, book):
 modify_date = False
 if comments:
- comments = clean_html(comments)
+ if BLEACH:
+ comments = clean_html(comments, tags=None, attributes=None)
+ else:
+ comments = clean_html(comments)
 if len(book.comments):
 if book.comments[0].text != comments:
 book.comments[0].text = comments
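Review bot: The first import of the new fallback chain in hunk `@@ -29,9 +29,18 @@`, `from bleach import clean_text as clean_html`, looks wrong: bleach's public sanitizer is `bleach.clean`, and I am not aware of a top-level `clean_text`, so this line would raise ImportError even with bleach installed. The surrounding `except ImportError:` swallows that failure and the module drops silently to nh3 or back to lxml, the cleaner this commit is moving away from; `from bleach import clean as clean_html` is the probable intent. The innermost `except ImportError:` also assigns only `clean_html = None` and leaves `BLEACH` undefined, so the `if BLEACH:` added in edit_book_comments raises NameError in that configuration; add `BLEACH = False` beside it. A log line naming the backend that was actually selected would make an unintended fallback visible to whoever operates the instance.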
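Review bot: In hunk `@@ -992,7 +1001,10 @@`, the call `clean_html(comments, tags=None, attributes=None)` replaces bleach's default allowlists with None instead of stating which markup a book comment may contain; the hunk does not show how None is treated, and that may differ between bleach releases. Either drop both arguments to keep the library defaults or pass explicit allowlists defined in this module, so the sanitization policy for stored comments can be read at the call site. The `else:` branch still calls `clean_html(comments)` when every import failed and `clean_html` is None, which ends the request with an exception; guarding with `if clean_html is None:` and then rejecting the edit or storing `escape(comments)` (markupsafe is already imported) would fail closed on purpose. edit_book_comments continues past the end of the hunk.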