start towards #72. Added nh3 and fixed package description XSS attack
@ -10,6 +10,7 @@ from django.urls import reverse
from django.views.decorators.csrf import csrf_exempt
from envipy_additional_information import NAME_MAPPING
from oauth2_provider.decorators import protected_resource
import nh3
from utilities.chem import FormatConverter, IndigoUtils
from utilities.decorators import package_permission_required
@ -390,9 +391,9 @@ def packages(request):
return HttpResponseBadRequest()
else:
package_name = request.POST.get("package-name")
package_description = request.POST.get(
package_description = nh3.clean(request.POST.get(
"package-description", s.DEFAULT_VALUES["description"]
)
), tags=s.ALLOWED_HTML_TAGS)
created_package = PackageManager.create_package(
current_user, package_name, package_description
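Review bot: Cleaning the description at write time only protects packages created after this commit; rows already stored with unsanitized markup keep it, so the template that renders a package description (outside this hunk) must still escape or clean at output, or a one-off data migration should re-clean existing descriptions. The same applies to the update path in the `package` view hunk below. Only `tags=` is overridden here, so nh3's default attribute and URL-scheme allow-lists apply alongside `s.ALLOWED_HTML_TAGS`; if that is intended, a comment such as `# attributes/url_schemes stay at nh3 defaults; only the tag list is ours` next to the call would record it. The enclosing `packages` function starts before this hunk.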
@ -1019,7 +1020,7 @@ def package(request, package_uuid):
return HttpResponseBadRequest()
new_package_name = request.POST.get("package-name")
new_package_description = request.POST.get("package-description")
new_package_description = nh3.clean(request.POST.get("package-description"), tags=s.ALLOWED_HTML_TAGS)
grantee_url = request.POST.get("grantee")
read = request.POST.get("read") == "on"
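Review bot: `request.POST.get("package-description")` has no default on the new line, so a POST without that field now passes `None` into `nh3.clean`, which expects a string and will raise instead of yielding the `None` the old line produced. Unlike the create path in the earlier hunk, there is no fallback to `s.DEFAULT_VALUES["description"]` here. If later code (outside this hunk) treats `None` as "leave the description unchanged", keep that contract with `raw = request.POST.get("package-description")` and `new_package_description = nh3.clean(raw, tags=s.ALLOWED_HTML_TAGS) if raw is not None else None`; otherwise supply a string default to `.get()`. The enclosing `package` function starts before this hunk.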