[Fix] Mitigate XSS attack vector by cleaning input before it hits our Database (#171)

## Changes - All text input fields are now cleaned with nh3 to remove html tags. We allow certain html tags under `settings.py/ALLOWED_HTML_TAGS` so we can easily update the tags we allow in the future. - All names and descriptions now use the template tag `nh_safe` in all html files. - Usernames and emails are a small exception and are not allowed any html tags Co-authored-by: Liam Brydon <62733830+MyCreativityOutlet@users.noreply.github.com> Co-authored-by: jebus <lorsbach@envipath.com> Co-authored-by: Tim Lorsbach <tim@lorsba.ch> Reviewed-on: enviPath/enviPy#171 Reviewed-by: jebus <lorsbach@envipath.com> Co-authored-by: liambrydon <lbry121@aucklanduni.ac.nz> Co-committed-by: liambrydon <lbry121@aucklanduni.ac.nz>
2025-11-11 22:49:55 +13:00
parent 1cccefa991
commit 34589efbde
53 changed files with 444 additions and 230 deletions
--- a/templates/collections/joblog.html
+++ b/templates/collections/joblog.html
@ -1,6 +1,5 @@
 {% extends "framework.html" %}
 {% load static %}
-{% load envipytags %}
 {% block content %}

    <div class="panel-group" id="reviewListAccordion">
--- a/templates/collections/objects_list.html
+++ b/templates/collections/objects_list.html
@ -192,7 +192,7 @@
            <div class="panel-body list-group-item" id="ReviewedContent">
                {% if object_type == 'package' %}
                {% for obj in reviewed_objects %}
-                <a class="list-group-item" href="{{ obj.url }}">{{ obj.name }}
+                <a class="list-group-item" href="{{ obj.url }}">{{ obj.name|safe }}
                    <span class="glyphicon glyphicon-star" aria-hidden="true"
                          style="float:right" data-toggle="tooltip"
                          data-placement="top" title="" data-original-title="Reviewed">
@ -201,7 +201,7 @@
                {% endfor %}
                {% else %}
                {% for obj in reviewed_objects|slice:":50" %}
-                <a class="list-group-item" href="{{ obj.url }}">{{ obj.name }}{# <i>({{ obj.package.name }})</i> #}
+                <a class="list-group-item" href="{{ obj.url }}">{{ obj.name|safe }}{# <i>({{ obj.package.name }})</i> #}
                    <span class="glyphicon glyphicon-star" aria-hidden="true"
                          style="float:right" data-toggle="tooltip"
                          data-placement="top" title="" data-original-title="Reviewed">
@ -221,11 +221,11 @@
            <div class="panel-body list-group-item" id="UnreviewedContent">
                {% if object_type == 'package' %}
                {% for obj in unreviewed_objects %}
-                <a class="list-group-item" href="{{ obj.url }}">{{ obj.name }}</a>
+                <a class="list-group-item" href="{{ obj.url }}">{{ obj.name|safe }}</a>
                {% endfor %}
                {% else %}
                {% for obj in unreviewed_objects|slice:":50" %}
-                <a class="list-group-item" href="{{ obj.url }}">{{ obj.name }}</a>
+                <a class="list-group-item" href="{{ obj.url }}">{{ obj.name|safe }}</a>
                {% endfor %}
                {% endif %}
            </div>
@ -236,9 +236,9 @@
        <ul class='list-group'>
            {% for obj in objects %}
            {% if object_type == 'user' %}
-            <a class="list-group-item" href="{{ obj.url }}">{{ obj.username }}</a>
+            <a class="list-group-item" href="{{ obj.url }}">{{ obj.username|safe }}</a>
            {% else %}
-            <a class="list-group-item" href="{{ obj.url }}">{{ obj.name }}</a>
+            <a class="list-group-item" href="{{ obj.url }}">{{ obj.name|safe }}</a>
            {% endif %}
            {% endfor %}
        </ul>