Add a section in the config panel to configure html sanitization but still allow config.ini to force it (#2316)

* Add a section in the config panel to configure html sanitization * `HTML_SANITIZTION` in config.ini can still force sanitization regardless of the database configuration * Closes #2194
2026-02-01 04:14:25 +01:00 · 2023-06-05 19:28:55 -04:00
parent 692c4b086c
commit b89cb3cb98
3 changed files with 42 additions and 4 deletions
--- a/CTFd/admin/init.py
+++ b/CTFd/admin/init.py
@@ -48,7 +48,7 @@ from CTFd.models import (
    db,
 )
 from CTFd.utils import config as ctf_config
-from CTFd.utils import get_config, set_config
+from CTFd.utils import get_app_config, get_config, set_config
 from CTFd.utils.csv import dump_csv, load_challenges_csv, load_teams_csv, load_users_csv
 from CTFd.utils.decorators import admins_only
 from CTFd.utils.exports import background_import_ctf
@@ -190,7 +190,14 @@ def config():
    except ValueError:
        pass

-    return render_template("admin/config.html", themes=themes, **configs)
+    force_html_sanitization = get_app_config("HTML_SANITIZATION")
+
+    return render_template(
+        "admin/config.html",
+        themes=themes,
+        **configs,
+        force_html_sanitization=force_html_sanitization
+    )


@admin.route("/admin/reset", methods=["GET", "POST"])
--- a/CTFd/themes/admin/templates/configs/security.html
+++ b/CTFd/themes/admin/templates/configs/security.html
@@ -1,5 +1,28 @@
 <div role="tabpanel" class="tab-pane config-section" id="security">
+	{% set html_sanitization = "true" if html_sanitization == True else "false" %}
 	<form method="POST" autocomplete="off" class="w-100">
+		<div class="form-group">
+			<label for="html_sanitization">
+				HTML Sanitization
+				<small class="form-text text-muted">
+					Whether CTFd will attempt to sanitize HTML content from content.
+				</small>
+			</label>
+			<select class="form-control custom-select" name="html_sanitization">
+				{% if force_html_sanitization %}
+				<option>
+					Required (Disable in config.ini)
+				</option>
+				{% else %}
+				<option value="true" {% if html_sanitization=='true' %}selected{% endif %}>
+					Enabled
+				</option>
+				<option value="false" {% if html_sanitization=='false' %}selected{% endif %}>
+					Disabled
+				</option>
+				{% endif %}
+			</select>
+		</div>
 		<div class="form-group">
 			<label for="ctf_name">
 				Registration Code
--- a/CTFd/utils/config/pages.py
+++ b/CTFd/utils/config/pages.py
@@ -36,7 +36,11 @@ def format_variables(content):

 def build_html(html, sanitize=False):
    html = format_variables(html)
-    if current_app.config["HTML_SANITIZATION"] is True or sanitize is True:
+    if (
+        current_app.config["HTML_SANITIZATION"] is True
+        or bool(get_config("html_sanitization")) is True
+        or sanitize is True
+    ):
        html = sanitize_html(html)
    return html

@@ -44,7 +48,11 @@ def build_html(html, sanitize=False):
 def build_markdown(md, sanitize=False):
    html = markdown(md)
    html = format_variables(html)
-    if current_app.config["HTML_SANITIZATION"] is True or sanitize is True:
+    if (
+        current_app.config["HTML_SANITIZATION"] is True
+        or bool(get_config("html_sanitization")) is True
+        or sanitize is True
+    ):
        html = sanitize_html(html)
    return html