[Fix] Mitigate XSS attack vector by cleaning input before it hits our Database (#171)

## Changes

- All text input fields are now cleaned with nh3 to remove html tags. We allow certain html tags under `settings.py/ALLOWED_HTML_TAGS` so we can easily update the tags we allow in the future.
- All names and descriptions now use the template tag `nh_safe` in all html files.
- Usernames and emails are a small exception and are not allowed any html tags

Co-authored-by: Liam Brydon <62733830+MyCreativityOutlet@users.noreply.github.com>
Co-authored-by: jebus <lorsbach@envipath.com>
Co-authored-by: Tim Lorsbach <tim@lorsba.ch>
Reviewed-on: enviPath/enviPy#171
Reviewed-by: jebus <lorsbach@envipath.com>
Co-authored-by: liambrydon <lbry121@aucklanduni.ac.nz>
Co-committed-by: liambrydon <lbry121@aucklanduni.ac.nz>

This commit is contained in:

liambrydon

2025-11-11 22:49:55 +13:00

committed by

jebus

parent 1cccefa991

commit 34589efbde

53 changed files with 444 additions and 230 deletions

									
										1

pyproject.toml
									
												View File
												
				@ -27,6 +27,7 @@ dependencies = [

				    "scikit-learn>=1.6.1",

				    "sentry-sdk[django]>=2.32.0",

				    "setuptools>=80.8.0",

				    "nh3==0.3.2",

				    "polars==1.35.1",

				]

[Fix] Mitigate XSS attack vector by cleaning input before it hits our Database (#171)

1 pyproject.toml Unescape Escape View File

1

pyproject.toml

View File