Use a form cleaner to ensure only allowed characters are entered for tags field.

2 files changed, 81 insertions, 4 deletions

diff --git a/pytask/taskapp/forms.py b/pytask/taskapp/forms.py
index 62b0d16..0963807 100644
--- a/pytask/taskapp/forms.py
+++ b/pytask/taskapp/forms.py
@@ -24,9 +24,15 @@ __authors__ = [
     ]
 
 
+import re
+
 from django import forms
-from pytask.taskapp.models import Task, WorkReport, TaskComment, TaskClaim, \
-                                  TextBook
+
+from pytask.taskapp.models import Task
+from pytask.taskapp.models import TaskClaim
+from pytask.taskapp.models import TaskComment
+from pytask.taskapp.models import WorkReport
+
 
 class CreateTaskForm(forms.ModelForm):
     class Meta:
@@ -55,6 +61,19 @@ class CreateTaskForm(forms.ModelForm):
 
         return data
 
+    def clean_tags_field(self):
+        """Clean the tags field to contain only allowed characters.
+        """
+        tags_field = self.cleaned_data.get('tags_field', '')
+
+        if tags_field and not re.match(r'[\w,\-&./\'\" ]+', tags_field):
+            raise forms.ValidationError("Contains unallowed characters. "
+              "Allowed characters are all alphabet, numbers, underscore(_), "
+              "period(.), forward slash(/), dash(-), ampersand(&), single "
+              "quote(') and space.")
+
+        return tags_field
+
 class EditTaskForm(forms.ModelForm):
     class Meta:
         model = Task
@@ -78,6 +97,19 @@ class EditTaskForm(forms.ModelForm):
         except Task.DoesNotExist:
             return data
 
+    def clean_tags_field(self):
+        """Clean the tags field to contain only allowed characters.
+        """
+        tags_field = self.cleaned_data.get('tags_field', '')
+
+        if tags_field and not re.match(r'[\w,\-&./\'\" ]+', tags_field):
+            raise forms.ValidationError("Contains unallowed characters. "
+              "Allowed characters are all alphabet, numbers, underscore(_), "
+              "period(.), forward slash(/), dash(-), ampersand(&), single "
+              "quote(') and space.")
+
+        return tags_field
+
 class TaskCommentForm(forms.ModelForm):
 
     class Meta:
@@ -118,18 +150,60 @@ class CreateTextbookForm(forms.ModelForm):
         model = Task
         fields = ['name', 'chapters', 'tags_field']
 
+    def clean_tags_field(self):
+        """Clean the tags field to contain only allowed characters.
+        """
+        tags_field = self.cleaned_data.get('tags_field', '')
+
+        if tags_field and not re.match(r'[\w,\-&./\'\" ]+', tags_field):
+            raise forms.ValidationError("Contains unallowed characters. "
+              "Allowed characters are all alphabet, numbers, underscore(_), "
+              "period(.), forward slash(/), dash(-), ampersand(&), single "
+              "quote(') and space.")
+
+        return tags_field
+
 class CreateChapterForm(forms.ModelForm):
 
     class Meta:
         model = Task
         fields = ['title', 'desc' , 'pynts', 'tags_field']
 
+    def clean_tags_field(self):
+        """Clean the tags field to contain only allowed characters.
+        """
+        tags_field = self.cleaned_data.get('tags_field', '')
+
+        if tags_field and not re.match(r'[\w,\-&./\'\" ]+', tags_field):
+            raise forms.ValidationError("Contains unallowed characters. "
+              "Allowed characters are all alphabet, numbers, underscore(_), "
+              "period(.), forward slash(/), dash(-), ampersand(&), single "
+              "quote(') and space.")
+
+        return tags_field
+
+
 class EditTextbookForm(forms.ModelForm):
 
     class Meta:
         model = Task
         fields = ['title', 'desc', 'pynts', 'tags_field']
 
+    def clean_tags_field(self):
+        """Clean the tags field to contain only allowed characters.
+        """
+
+        tags_field = self.cleaned_data.get('tags_field', '')
+
+        if tags_field and not re.match(r'^[\w,\-&./\'\" ]+$', tags_field):
+            raise forms.ValidationError("Contains unallowed characters. "
+              "Allowed characters are all alphabet, numbers, underscore(_), "
+              "period(.), forward slash(/), dash(-), ampersand(&), single "
+              "quote(') and space.")
+
+        return tags_field
+
+
 def AddTaskForm(task_choices, is_plain=False):
     """ if is_plain is true, it means the task has no subs/deps.
     so we also give a radio button to choose between subs and dependencies.
diff --git a/pytask/taskapp/models.py b/pytask/taskapp/models.py
index 5012e34..c9ec8be 100755
--- a/pytask/taskapp/models.py
+++ b/pytask/taskapp/models.py
@@ -66,8 +66,11 @@ class Task(models.Model):
                               choices=TASK_STATUS_CHOICES,
                               default="Unpublished")
 
-    tags_field = TagField(verbose_name=u"Tags", 
-                          help_text=u"Give tags separated by commas") 
+    tags_field = TagField(
+      verbose_name=u"Tags", help_text=u"Give tags separated by commas. "
+      "The allowed characters are all alphabet, numbers, underscore(_), "
+      "period(.), forward slash(/), dash(-), ampersand(&), single quote(') "
+      " and space.")
 
     pynts = models.PositiveSmallIntegerField(
       help_text=u"Number of Pynts a user gets on completing the task")