jebus/enviPy-bayer
1
0
Fork 0
forked from enviPath/enviPy
Code Issues Pull Requests Actions Releases Activity

[Fix] Mitigate XSS attack vector by cleaning input before it hits our Database (#171)

Browse Source 
## Changes

- All text input fields are now cleaned with nh3 to remove html tags. We allow certain html tags under `settings.py/ALLOWED_HTML_TAGS` so we can easily update the tags we allow in the future.
- All names and descriptions now use the template tag `nh_safe` in all html files.
- Usernames and emails are a small exception and are not allowed any html tags

Co-authored-by: Liam Brydon <62733830+MyCreativityOutlet@users.noreply.github.com>
Co-authored-by: jebus <lorsbach@envipath.com>
Co-authored-by: Tim Lorsbach <tim@lorsba.ch>
Reviewed-on: enviPath/enviPy#171
Reviewed-by: jebus <lorsbach@envipath.com>
Co-authored-by: liambrydon <lbry121@aucklanduni.ac.nz>
Co-committed-by: liambrydon <lbry121@aucklanduni.ac.nz>
This commit is contained in:
liambrydon
2025-11-11 22:49:55 +13:00
committed by jebus
parent 1cccefa991
commit 34589efbde
53 changed files with 444 additions and 230 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
templates/modals/objects/edit_reaction_modal.html
View File

@ -1,3 +1,4 @@
{% load static %}
<!-- Edit Reaction -->
<div id="edit_reaction_modal" class="modal" tabindex="-1">
@ -14,12 +15,12 @@
{% csrf_token %}
<p>
<label for="reaction-name">Name</label>
<input id="reaction-name" class="form-control" name="reaction-name" value="{{ reaction.name }}">
<input id="reaction-name" class="form-control" name="reaction-name" value="{{ reaction.name|safe }}">
</p>
<p>
<label for="reaction-description">Description</label>
<input id="reaction-description" type="text" class="form-control"
value="{{ reaction.description }}" name="reaction-description">
value="{{ reaction.description|safe }}" name="reaction-description">
</p>
</form>
</div>