diff --git a/src/strass/strass_app/forms.py b/src/strass/strass_app/forms.py
index e61e6d7a3a8f7655605483e75dc801c5c9435b83..41ca734dccd09f3c9e55db92cdbdebf534915b48 100644
--- a/src/strass/strass_app/forms.py
+++ b/src/strass/strass_app/forms.py
@@ -27,7 +27,7 @@ from django.utils.translation import gettext_lazy as _, gettext, ngettext
from language_override.translation import gettext_lazy as ogettext
from live_settings import live_settings
-from strass_app import models, business_logic, misc, data_io
+from strass_app import models, business_logic, misc, data_io, utils
from strass_app.custom_layout_object import Formset
from strass_app.templatetags.strass_tags import markdown
from strass_app.utils import get_email_backend, validate_multiple_email, safe_pdf
@@ -350,6 +350,7 @@ class CandidateForm(ModelFormWithReadOnly):
del self.fields['cv']
if not live_settings.motivation_enabled__bool:
del self.fields['motivation']
+ self.fields['motivation'].help_text = utils.use_markdown_or_plain_text_message
def clean(self):
cleaned_data = super().clean()
@@ -551,6 +552,11 @@ class AppSettingsForm(forms.Form):
help_text=_("AppSettingsForm.motivation_enabled.help_text"),
required=False,
)
+ markdown_enabled = forms.BooleanField(
+ label=_("AppSettingsForm.markdown_enabled.label"),
+ help_text=_("AppSettingsForm.markdown_enabled.help_text"),
+ required=False,
+ )
language_override_autofill_enabled = forms.BooleanField(
label=_("AppSettingsForm.language_override_autofill_enabled.label"),
help_text=_("AppSettingsForm.language_override_autofill_enabled.help_text"),
@@ -597,6 +603,7 @@ class AppSettingsForm(forms.Form):
initial["plausible_data_domain"] = live_settings.plausible_data_domain
initial["cv_enabled"] = live_settings.cv_enabled__bool
initial["motivation_enabled"] = live_settings.motivation_enabled__bool
+ initial["markdown_enabled"] = live_settings.markdown_enabled__bool
initial["language_override_autofill_enabled"] = live_settings.language_override_autofill_enabled__bool
super().__init__(initial=initial, *args, **kwargs)
if self.settings:
@@ -718,6 +725,10 @@ class AppSettingsForm(forms.Form):
live_settings.cv_enabled = self.cleaned_data["cv_enabled"]
except KeyError:
pass
+ try:
+ live_settings.markdown_enabled = self.cleaned_data["markdown_enabled"]
+ except KeyError:
+ pass
try:
live_settings.language_override_autofill_enabled = self.cleaned_data["language_override_autofill_enabled"]
except KeyError:
diff --git a/src/strass/strass_app/locale/en/LC_MESSAGES/django.po b/src/strass/strass_app/locale/en/LC_MESSAGES/django.po
index 8776558c09f715d68b2eb4fcb74db497c6b837dc..6798b5673e49554ab2091271009e76468c52063f 100644
--- a/src/strass/strass_app/locale/en/LC_MESSAGES/django.po
+++ b/src/strass/strass_app/locale/en/LC_MESSAGES/django.po
@@ -10,7 +10,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-02-12 17:57+0100\n"
+"POT-Creation-Date: 2025-02-12 18:54+0100\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
@@ -508,6 +508,16 @@ msgid "AppSettingsForm.motivation_enabled.help_text"
msgstr ""
"When enabled, a motivation letter is required to submit an application."
+msgid "AppSettingsForm.markdown_enabled.label"
+msgstr "Markdown enabled"
+
+msgid "AppSettingsForm.markdown_enabled.help_text"
+msgstr ""
+"Applicable to the entire application. If disabled, the content will be "
+"displayed as plain text. Markdown can be used for code injection attacks. "
+"Although the application has been protected against this, the feature can "
+"still be disabled in case of suspicion."
+
msgid "AppSettingsForm.language_override_autofill_enabled.label"
msgstr "Debug and autofill language override module"
@@ -1312,9 +1322,6 @@ msgstr ""
msgid "Candidate.motivation.verbose_name"
msgstr "Motivation letter"
-msgid "Candidate.motivation.help_text"
-msgstr "You can use markdown here."
-
msgid "Candidate.cv.verbose_name"
msgstr "Resume"
@@ -2561,6 +2568,12 @@ msgstr ""
msgid "The email address \"%(mail)s\" is invalid."
msgstr ""
+msgid "You can use markdown here."
+msgstr ""
+
+msgid "Write in plain text here."
+msgstr "Write in plain text here (no html, Markdown, ...)."
+
#, python-format
msgid ""
"MIME type \"%(mime_type)s\" is not allowed. Allowed MIME types are: "
diff --git a/src/strass/strass_app/locale/fr/LC_MESSAGES/django.po b/src/strass/strass_app/locale/fr/LC_MESSAGES/django.po
index eb5bcaa4894069c1269b7f6c39402b74f58e9ed3..f88d736dd13f6f0c62ff6411f54934ba8634f163 100644
--- a/src/strass/strass_app/locale/fr/LC_MESSAGES/django.po
+++ b/src/strass/strass_app/locale/fr/LC_MESSAGES/django.po
@@ -10,7 +10,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-02-12 17:57+0100\n"
+"POT-Creation-Date: 2025-02-12 18:54+0100\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
@@ -541,6 +541,16 @@ msgstr ""
"Une lettre de motivation doit-elle être écrite pour soumettre une "
"candidature ?"
+msgid "AppSettingsForm.markdown_enabled.label"
+msgstr "Markdown activé"
+
+msgid "AppSettingsForm.markdown_enabled.help_text"
+msgstr ""
+"Valable pour l'ensemble de l'application. Si désactivé alors les contenus "
+"seront affichés comme du texte simple. Le markdown peut être utilisé pour "
+"des attaques par injection de code, l'application à été protégé contre, mais "
+"la fonctionnalité peut tout de même être désactivée en cas de suspicion."
+
msgid "AppSettingsForm.language_override_autofill_enabled.label"
msgstr ""
"Activer le mode debug, remplir automatiquement le module de substitution "
@@ -1367,9 +1377,6 @@ msgstr ""
msgid "Candidate.motivation.verbose_name"
msgstr "Lettre de motivation"
-msgid "Candidate.motivation.help_text"
-msgstr "Possibilité d'écrire en markdown."
-
msgid "Candidate.cv.verbose_name"
msgstr "CV"
@@ -2679,6 +2686,12 @@ msgstr "Aucune action sélectionnée"
msgid "The email address \"%(mail)s\" is invalid."
msgstr "L'adresse de courriel \"%(mail)s\" est invalide."
+msgid "You can use markdown here."
+msgstr "Vous pouvez écrire en markdown."
+
+msgid "Write in plain text here."
+msgstr "Le contenu doit être du texte simple (pas de html, Markdown, ...)."
+
#, python-format
msgid ""
"MIME type \"%(mime_type)s\" is not allowed. Allowed MIME types are: "
diff --git a/src/strass/strass_app/migrations/0003_auto_20201028_1803.py b/src/strass/strass_app/migrations/0003_auto_20201028_1803.py
index f4677b4ec7b8608f5107f9a32ca581ff5eb0ab44..d5745444c90c285625623dd6b3f6aa3517eb6f7c 100644
--- a/src/strass/strass_app/migrations/0003_auto_20201028_1803.py
+++ b/src/strass/strass_app/migrations/0003_auto_20201028_1803.py
@@ -22,6 +22,7 @@ def migration_code(apps, schema_editor):
set_default_live_setting("show_key_date_after_call", True)
set_default_live_setting("cv_enabled", True)
set_default_live_setting("motivation_enabled", True)
+ set_default_live_setting("markdown_enabled", True)
set_default_live_setting("show_documentation_link", True)
diff --git a/src/strass/strass_app/models.py b/src/strass/strass_app/models.py
index d7af7bcc51aad96c5b78f94b21306891229d21e9..37c551512cac1ddceee79792115462b21786e102 100644
--- a/src/strass/strass_app/models.py
+++ b/src/strass/strass_app/models.py
@@ -564,7 +564,6 @@ class Candidate(models.Model):
)
motivation = models.TextField(
verbose_name=_("Candidate.motivation.verbose_name"),
- help_text=_("Candidate.motivation.help_text"),
)
cv = models.FileField(
verbose_name=_("Candidate.cv.verbose_name"),
diff --git a/src/strass/strass_app/templates/strass_app/setup.html b/src/strass/strass_app/templates/strass_app/setup.html
index 2d90d0f4ca1aff4bb25702d8aed021e2eb7bd86c..f22eae2b9626c06b1d32882abf94b6cfb02e8883 100644
--- a/src/strass/strass_app/templates/strass_app/setup.html
+++ b/src/strass/strass_app/templates/strass_app/setup.html
@@ -283,7 +283,7 @@
{% include "strass_app/setup_card_setting_form.html" with key='show_email_as_message-contact_us-email_prefix' title=title id="mail-settings" %}
{% trans "Application configuration" as title %}
-{% include "strass_app/setup_card_setting_form.html" with key='app_name-show_documentation_link-day_or_time_in_abscissa-google_tracker_id-plausible_data_domain' title=title id="misc-settings" %}
+{% include "strass_app/setup_card_setting_form.html" with key='app_name-show_documentation_link-markdown_enabled-day_or_time_in_abscissa-google_tracker_id-plausible_data_domain' title=title id="misc-settings" %}
<div class="col-12 col-md-6 col-lg-4 col-xl mb-4">
diff --git a/src/strass/strass_app/templatetags/strass_tags.py b/src/strass/strass_app/templatetags/strass_tags.py
index 9918d180f0fc9036ffde8198c735badc9bf668b0..c504e015faa90b6412ffdcd8dc28ca5eaf18adf3 100644
--- a/src/strass/strass_app/templatetags/strass_tags.py
+++ b/src/strass/strass_app/templatetags/strass_tags.py
@@ -199,6 +199,8 @@ __MARKDOWN_WHITE_LIST = [
@register.filter
def markdown(value):
+ if not live_settings.markdown_enabled__bool:
+ return value
value = cleanup_line_starts(value)
value = escape(value)
for tag, escaped_tag in __MARKDOWN_WHITE_LIST:
diff --git a/src/strass/strass_app/utils.py b/src/strass/strass_app/utils.py
index e0dfdde81bd8c80a318d924bb36722aa6474f5ab..d732c61e6a260ef0b0e828b191995d8498793030 100644
--- a/src/strass/strass_app/utils.py
+++ b/src/strass/strass_app/utils.py
@@ -293,3 +293,8 @@ def safe_pdf(my_stream: IO[Any]):
writer.write(myio)
myio.seek(0)
return myio
+
+def use_markdown_or_plain_text_message()->str:
+ if live_settings.markdown_enabled__bool:
+ return _('You can use markdown here.')
+ return _('Write in plain text here.')
\ No newline at end of file