From b89cb3cb98cde8e6c82e0c01d3d2bf5bfcf4ee38 Mon Sep 17 00:00:00 2001
From: Kevin Chung <kchung@ctfd.io>
Date: Mon, 5 Jun 2023 19:28:55 -0400
Subject: [PATCH] Add a section in the config panel to configure html
 sanitization but still allow config.ini to force it (#2316)

* Add a section in the config panel to configure html sanitization
* `HTML_SANITIZTION` in config.ini can still force sanitization regardless of the database configuration
* Closes #2194
---
 CTFd/admin/__init__.py                        | 11 +++++++--
 .../admin/templates/configs/security.html     | 23 +++++++++++++++++++
 CTFd/utils/config/pages.py                    | 12 ++++++++--
 3 files changed, 42 insertions(+), 4 deletions(-)

diff --git a/CTFd/admin/__init__.py b/CTFd/admin/__init__.py
index 824f8314..3d6af66a 100644
--- a/CTFd/admin/__init__.py
+++ b/CTFd/admin/__init__.py
@@ -48,7 +48,7 @@ from CTFd.models import (
     db,
 )
 from CTFd.utils import config as ctf_config
-from CTFd.utils import get_config, set_config
+from CTFd.utils import get_app_config, get_config, set_config
 from CTFd.utils.csv import dump_csv, load_challenges_csv, load_teams_csv, load_users_csv
 from CTFd.utils.decorators import admins_only
 from CTFd.utils.exports import background_import_ctf
@@ -190,7 +190,14 @@ def config():
     except ValueError:
         pass
 
-    return render_template("admin/config.html", themes=themes, **configs)
+    force_html_sanitization = get_app_config("HTML_SANITIZATION")
+
+    return render_template(
+        "admin/config.html",
+        themes=themes,
+        **configs,
+        force_html_sanitization=force_html_sanitization
+    )
 
 
 @admin.route("/admin/reset", methods=["GET", "POST"])
diff --git a/CTFd/themes/admin/templates/configs/security.html b/CTFd/themes/admin/templates/configs/security.html
index 387e4299..79a1f0a2 100644
--- a/CTFd/themes/admin/templates/configs/security.html
+++ b/CTFd/themes/admin/templates/configs/security.html
@@ -1,5 +1,28 @@
 <div role="tabpanel" class="tab-pane config-section" id="security">
+	{% set html_sanitization = "true" if html_sanitization == True else "false" %}
 	<form method="POST" autocomplete="off" class="w-100">
+		<div class="form-group">
+			<label for="html_sanitization">
+				HTML Sanitization
+				<small class="form-text text-muted">
+					Whether CTFd will attempt to sanitize HTML content from content.
+				</small>
+			</label>
+			<select class="form-control custom-select" name="html_sanitization">
+				{% if force_html_sanitization %}
+				<option>
+					Required (Disable in config.ini)
+				</option>
+				{% else %}
+				<option value="true" {% if html_sanitization=='true' %}selected{% endif %}>
+					Enabled
+				</option>
+				<option value="false" {% if html_sanitization=='false' %}selected{% endif %}>
+					Disabled
+				</option>
+				{% endif %}
+			</select>
+		</div>
 		<div class="form-group">
 			<label for="ctf_name">
 				Registration Code
diff --git a/CTFd/utils/config/pages.py b/CTFd/utils/config/pages.py
index 40c505e0..50a66520 100644
--- a/CTFd/utils/config/pages.py
+++ b/CTFd/utils/config/pages.py
@@ -36,7 +36,11 @@ def format_variables(content):
 
 def build_html(html, sanitize=False):
     html = format_variables(html)
-    if current_app.config["HTML_SANITIZATION"] is True or sanitize is True:
+    if (
+        current_app.config["HTML_SANITIZATION"] is True
+        or bool(get_config("html_sanitization")) is True
+        or sanitize is True
+    ):
         html = sanitize_html(html)
     return html
 
@@ -44,7 +48,11 @@ def build_html(html, sanitize=False):
 def build_markdown(md, sanitize=False):
     html = markdown(md)
     html = format_variables(html)
-    if current_app.config["HTML_SANITIZATION"] is True or sanitize is True:
+    if (
+        current_app.config["HTML_SANITIZATION"] is True
+        or bool(get_config("html_sanitization")) is True
+        or sanitize is True
+    ):
         html = sanitize_html(html)
     return html