update xss filter

conf/tests.py

@@ -66,10 +66,11 @@ class WebsiteConfigAPITest(APITestCase):
         self.create_super_admin()
         url = self.reverse("website_config_api")
         data = {"website_base_url": "http://test.com", "website_name": "test name",
-                "website_name_shortcut": "test oj", "website_footer": "<a>test</a>",
+                "website_name_shortcut": "test oj", "website_footer": "<img onerror=alert(1) src=#>",
                 "allow_register": True, "submission_list_show_all": False}
         resp = self.client.post(url, data=data)
         self.assertSuccess(resp)
+        self.assertEqual(SysOptions.website_footer, "<img src=\"#\" />")
 
     def test_get_website_config(self):
         # do not need to login

conf/views.py

@@ -13,6 +13,7 @@ from judge.languages import languages, spj_languages
 from options.options import SysOptions
 from utils.api import APIView, CSRFExemptAPIView, validate_serializer
 from utils.shortcuts import send_email
+from utils.xss_filter import XSSHtml
 from .models import JudgeServer
 from .serializers import (CreateEditWebsiteConfigSerializer,
                           CreateSMTPConfigSerializer, EditSMTPConfigSerializer,
@@ -84,6 +85,9 @@ class WebsiteConfigAPI(APIView):
     @super_admin_required
     def post(self, request):
         for k, v in request.data.items():
+            if k == "website_footer":
+                with XSSHtml() as parser:
+                    v = parser.clean(v)
             setattr(SysOptions, k, v)
         return self.success()