[Fix] Mitigate XSS attack vector by cleaning input before it hits our Database (#171)

## Changes - All text input fields are now cleaned with nh3 to remove html tags. We allow certain html tags under `settings.py/ALLOWED_HTML_TAGS` so we can easily update the tags we allow in the future. - All names and descriptions now use the template tag `nh_safe` in all html files. - Usernames and emails are a small exception and are not allowed any html tags Co-authored-by: Liam Brydon <62733830+MyCreativityOutlet@users.noreply.github.com> Co-authored-by: jebus <lorsbach@envipath.com> Co-authored-by: Tim Lorsbach <tim@lorsba.ch> Reviewed-on: enviPath/enviPy#171 Reviewed-by: jebus <lorsbach@envipath.com> Co-authored-by: liambrydon <lbry121@aucklanduni.ac.nz> Co-committed-by: liambrydon <lbry121@aucklanduni.ac.nz>
2025-11-11 22:49:55 +13:00
parent 1cccefa991
commit 34589efbde
53 changed files with 444 additions and 230 deletions
--- a/templates/modals/collections/new_model_modal.html
+++ b/templates/modals/collections/new_model_modal.html
@ -1,3 +1,4 @@
+
 <div class="modal fade" tabindex="-1" id="new_model_modal" role="dialog" aria-labelledby="new_model_modal"
     aria-hidden="true">
    <div class="modal-dialog modal-lg">
@ -47,14 +48,14 @@
                            <option disabled>Reviewed Packages</option>
                            {% for obj in meta.readable_packages %}
                                {% if obj.reviewed %}
-                                    <option value="{{ obj.url }}">{{ obj.name }}</option>
+                                    <option value="{{ obj.url }}">{{ obj.name|safe }}</option>
                                {% endif %}
                            {% endfor %}

                            <option disabled>Unreviewed Packages</option>
                            {% for obj in meta.readable_packages %}
                                {% if not obj.reviewed %}
-                                    <option value="{{ obj.url }}">{{ obj.name }}</option>
+                                    <option value="{{ obj.url }}">{{ obj.name|safe }}</option>
                                {% endif %}
                            {% endfor %}
                        </select>
@ -68,14 +69,14 @@
                            <option disabled>Reviewed Packages</option>
                            {% for obj in meta.readable_packages %}
                                {% if obj.reviewed %}
-                                    <option value="{{ obj.url }}">{{ obj.name }}</option>
+                                    <option value="{{ obj.url }}">{{ obj.name|safe }}</option>
                                {% endif %}
                            {% endfor %}

                            <option disabled>Unreviewed Packages</option>
                            {% for obj in meta.readable_packages %}
                                {% if not obj.reviewed %}
-                                    <option value="{{ obj.url }}">{{ obj.name }}</option>
+                                    <option value="{{ obj.url }}">{{ obj.name|safe }}</option>
                                {% endif %}
                            {% endfor %}
                        </select>