[Fix] Mitigate XSS attack vector by cleaning input before it hits our Database (#171)

## Changes - All text input fields are now cleaned with nh3 to remove html tags. We allow certain html tags under `settings.py/ALLOWED_HTML_TAGS` so we can easily update the tags we allow in the future. - All names and descriptions now use the template tag `nh_safe` in all html files. - Usernames and emails are a small exception and are not allowed any html tags Co-authored-by: Liam Brydon <62733830+MyCreativityOutlet@users.noreply.github.com> Co-authored-by: jebus <lorsbach@envipath.com> Co-authored-by: Tim Lorsbach <tim@lorsba.ch> Reviewed-on: enviPath/enviPy#171 Reviewed-by: jebus <lorsbach@envipath.com> Co-authored-by: liambrydon <lbry121@aucklanduni.ac.nz> Co-committed-by: liambrydon <lbry121@aucklanduni.ac.nz>
2025-11-11 22:49:55 +13:00
parent 1cccefa991
commit 34589efbde
53 changed files with 444 additions and 230 deletions
--- a/templates/objects/group.html
+++ b/templates/objects/group.html
@ -11,7 +11,7 @@
 <div class="panel-group" id="package-detail">
    <div class="panel panel-default">
        <div class="panel-heading" id="headingPanel" style="font-size:2rem;height: 46px">
-            {{ group.name }}
+            {{ group.name|safe }}
            <div id="actionsButton"
                 style="float: right;font-weight: normal;font-size: medium;position: relative; top: 50%; transform: translateY(-50%);z-index:100;display: none;"
                 class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button"
@ -26,7 +26,7 @@
            </div>
        </div>
        <div class="panel-body">
-            <p> {{ group.description }} </p>
+            <p> {{ group.description|safe }} </p>
        </div>
    </div>

@ -39,10 +39,10 @@
        </div>
        <ul class="list-group">
            {% for um in group.user_member.all %}
-            <a class="list-group-item" href="{{ um.url }}">{{ um.username }}</a>
+            <a class="list-group-item" href="{{ um.url }}">{{ um.username|safe }}</a>
            {% endfor %}
            {% for gm in group.group_member.all %}
-            <a class="list-group-item" href="{{ gm.url }}">{{ gm.name }}</a>
+            <a class="list-group-item" href="{{ gm.url }}">{{ gm.name|safe }}</a>
            {% endfor %}
        </ul>
    </div>
@ -56,7 +56,7 @@
        </div>
        <ul class="list-group">
            {% for p in packages %}
-            <a class="list-group-item" href="{{ p.url }}">{{ p.name }}</a>
+            <a class="list-group-item" href="{{ p.url }}">{{ p.name|safe }}</a>
            {% endfor %}
        </ul>
    </div>