[Fix] Mitigate XSS attack vector by cleaning input before it hits our Database (#171)

## Changes - All text input fields are now cleaned with nh3 to remove html tags. We allow certain html tags under `settings.py/ALLOWED_HTML_TAGS` so we can easily update the tags we allow in the future. - All names and descriptions now use the template tag `nh_safe` in all html files. - Usernames and emails are a small exception and are not allowed any html tags Co-authored-by: Liam Brydon <62733830+MyCreativityOutlet@users.noreply.github.com> Co-authored-by: jebus <lorsbach@envipath.com> Co-authored-by: Tim Lorsbach <tim@lorsba.ch> Reviewed-on: enviPath/enviPy#171 Reviewed-by: jebus <lorsbach@envipath.com> Co-authored-by: liambrydon <lbry121@aucklanduni.ac.nz> Co-committed-by: liambrydon <lbry121@aucklanduni.ac.nz>
2025-11-11 22:49:55 +13:00
parent 1cccefa991
commit 34589efbde
53 changed files with 444 additions and 230 deletions
--- a/templates/migration.html
+++ b/templates/migration.html
@ -26,12 +26,12 @@
            {% endif %}
            <h4 class="panel-title">
                <a id="{{ obj.id }}-link" data-toggle="collapse" data-parent="#migration-detail"
-                   href="#{{ obj.id }}">{{ obj.name }}</a>
+                   href="#{{ obj.id }}">{{ obj.name|safe }}</a>
            </h4>
        </div>
        <div id="{{ obj.id }}" class="panel-collapse collapse {% if not obj.status %}in{% endif %}">
            <div class="panel-body list-group-item">
-                <a class="list-group-item" href="{{ obj.detail_url }}">{{ obj.name }} Migration Detail Page</a>
+                <a class="list-group-item" href="{{ obj.detail_url }}">{{ obj.name|safe }} Migration Detail Page</a>
            </div>
        </div>
        {% endfor %}