
Audit all calls to mark_safe() to ensure any user-provided data is escaped #16700

Closed
jeremystretch opened this issue Jun 24, 2024 · 0 comments · Fixed by #16703
Labels: status: accepted (This issue has been accepted for implementation); type: housekeeping (Changes to the application which do not directly impact the end user)

Comments

@jeremystretch (Member)

Proposed Changes

There are many places we use Django's mark_safe() utility to bypass HTML escaping (typically within template tags and filters). Any user-sourced data within the string being marked as safe must be manually passed through escape().

Justification

Ensures consistent sanitization of user input.
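The pattern the issue describes, shown as an added example rather than NetBox's own code: a template-filter-style helper that interpolates user data and then calls mark_safe(), the same helper with each value passed through escape() first, and a small AST-based audit aid that lists mark_safe() calls whose argument is built by interpolation without escaping. It uses Django's escape(), conditional_escape() and mark_safe() when Django is importable and otherwise falls back to stand-ins assumed to mirror their semantics; the module it scans (SAMPLE_SOURCE) is constructed for the example.

```python
"""Added example (not NetBox code). Uses Django's escaping utilities when Django
is installed; the stand-ins below are an assumption that mirrors
django.utils.html / django.utils.safestring closely enough for this demo."""
import ast
import html

try:
    from django.utils.html import conditional_escape, escape
    from django.utils.safestring import SafeString, mark_safe
except ImportError:  # stand-ins so the example runs without Django
    class SafeString(str):
        """A str the template engine will emit without escaping it again."""
        def __html__(self):
            return self

    def mark_safe(s):
        return SafeString(s)

    def escape(text):
        return SafeString(html.escape(str(text)))

    def conditional_escape(text):
        return text.__html__() if hasattr(text, "__html__") else escape(text)


# --- the pattern being audited ----------------------------------------------

def badge_unsafe(label, color):
    # User-sourced values are interpolated, then the whole string is marked
    # safe: the template's autoescaping never sees `label` or `color`.
    return mark_safe(f'<span class="badge bg-{color}">{label}</span>')


def badge_safe(label, color):
    # Each user-sourced value is escaped individually before mark_safe().
    return mark_safe(
        f'<span class="badge bg-{escape(color)}">{escape(label)}</span>'
    )


def as_template_renders(value):
    # What autoescaping does with a filter's return value: a plain str is
    # escaped, anything exposing __html__ (a SafeString) is emitted verbatim.
    return conditional_escape(value)


# --- a small audit aid ------------------------------------------------------

def _is_escaping_call(node):
    if isinstance(node, ast.Call):
        f = node.func
        name = f.id if isinstance(f, ast.Name) else getattr(f, "attr", None)
        return name in {"escape", "conditional_escape", "escapejs"}
    return False


def find_unescaped_mark_safe(source):
    """Return sorted (lineno, reason) for mark_safe() calls whose argument is
    built by interpolation. f-strings whose every placeholder is wrapped in an
    escaping call are skipped; %-formatting and str.format() are always listed
    because their operands cannot be checked this simply."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        f = node.func
        name = f.id if isinstance(f, ast.Name) else getattr(f, "attr", None)
        if name != "mark_safe":
            continue
        arg = node.args[0]
        if isinstance(arg, ast.JoinedStr):
            placeholders = [v.value for v in arg.values
                            if isinstance(v, ast.FormattedValue)]
            if any(not _is_escaping_call(v) for v in placeholders):
                findings.append((node.lineno, "f-string with unescaped placeholder"))
        elif isinstance(arg, ast.BinOp) and isinstance(arg.op, ast.Mod):
            findings.append((node.lineno, "%-formatting"))
        elif (isinstance(arg, ast.Call) and isinstance(arg.func, ast.Attribute)
              and arg.func.attr == "format"):
            findings.append((node.lineno, "str.format()"))
    return sorted(findings)


# Constructed sample module to scan (hypothetical, not NetBox source).
SAMPLE_SOURCE = '''\
from django.utils.html import escape
from django.utils.safestring import mark_safe

def badge(value, color):
    return mark_safe(f'<span class="badge bg-{color}">{value}</span>')

def safe_badge(value, color):
    return mark_safe(f'<span class="badge bg-{escape(color)}">{escape(value)}</span>')

def link(url, text):
    return mark_safe('<a href="%s">%s</a>' % (url, text))
'''


if __name__ == "__main__":
    print(badge_unsafe("<b>not bold</b>", "red"))   # markup passes through
    print(badge_safe("<b>not bold</b>", "red"))     # markup is escaped
    for lineno, reason in find_unescaped_mark_safe(SAMPLE_SOURCE):
        print(f"line {lineno}: mark_safe() on {reason}")
```

The audit helper is deliberately conservative: it only clears an f-string when every placeholder is a direct escape()/conditional_escape() call, and it lists every %-formatted or .format()-built argument for manual review, which is the kind of list a pass over the codebase for this issue would start from.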

@jeremystretch added the labels "status: accepted" and "type: housekeeping" Jun 24, 2024
@jeremystretch jeremystretch self-assigned this Jun 24, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 23, 2024