[Fix] Mitigate XSS attack vector by cleaning input before it hits our Database (#171)

## Changes - All text input fields are now cleaned with nh3 to remove html tags. We allow certain html tags under `settings.py/ALLOWED_HTML_TAGS` so we can easily update the tags we allow in the future. - All names and descriptions now use the template tag `nh_safe` in all html files. - Usernames and emails are a small exception and are not allowed any html tags Co-authored-by: Liam Brydon <62733830+MyCreativityOutlet@users.noreply.github.com> Co-authored-by: jebus <lorsbach@envipath.com> Co-authored-by: Tim Lorsbach <tim@lorsba.ch> Reviewed-on: enviPath/enviPy#171 Reviewed-by: jebus <lorsbach@envipath.com> Co-authored-by: liambrydon <lbry121@aucklanduni.ac.nz> Co-committed-by: liambrydon <lbry121@aucklanduni.ac.nz>
2025-11-11 22:49:55 +13:00
parent 1cccefa991
commit 34589efbde
53 changed files with 444 additions and 230 deletions
--- a/templates/modals/objects/edit_user_modal.html
+++ b/templates/modals/objects/edit_user_modal.html
@ -1,3 +1,4 @@
+
 {% load static %}
 <!-- Edit User -->
 <div id="edit_user_modal" class="modal" tabindex="-1">
@ -18,7 +19,7 @@
                        <select id="default-package" name="default-package" class="form-control" data-width='100%'>
                            <option disabled>Select a Package</option>
                            {% for p in meta.writeable_packages %}
-                            <option value="{{ p.url }}" {% if p.id == meta.user.default_package.id %}selected{% endif %}>{{ p.name }}</option>
+                            <option value="{{ p.url }}" {% if p.id == meta.user.default_package.id %}selected{% endif %}>{{ p.name|safe }}</option>
                            {% endfor %}
                        </select>
                    </p>
@ -27,7 +28,7 @@
                        <select id="default-group" name="default-group" class="form-control" data-width='100%'>
                            <option disabled>Select a Group</option>
                            {% for g in meta.available_groups %}
-                            <option value="{{ g.url }}" {% if g.id == meta.user.default_group.id %}selected{% endif %}>{{ g.name }}</option>
+                            <option value="{{ g.url }}" {% if g.id == meta.user.default_group.id %}selected{% endif %}>{{ g.name|safe }}</option>
                            {% endfor %}
                        </select>
                    </p>
@ -36,7 +37,7 @@
                        <select id="default-prediction-setting" name="default-prediction-setting" class="form-control" data-width='100%'>
                            <option disabled>Select a Setting</option>
                            {% for s in meta.available_settings %}
-                            <option value="{{ s.url }}" {% if s.id == meta.user.default_setting.id %}selected{% endif %}>{{ s.name }}</option>
+                            <option value="{{ s.url }}" {% if s.id == meta.user.default_setting.id %}selected{% endif %}>{{ s.name|safe }}</option>
                            {% endfor %}
                        </select>
                    </p>