[Fix] Mitigate XSS attack vector by cleaning input before it hits our Database (#171)

## Changes - All text input fields are now cleaned with nh3 to remove html tags. We allow certain html tags under `settings.py/ALLOWED_HTML_TAGS` so we can easily update the tags we allow in the future. - All names and descriptions now use the template tag `nh_safe` in all html files. - Usernames and emails are a small exception and are not allowed any html tags Co-authored-by: Liam Brydon <62733830+MyCreativityOutlet@users.noreply.github.com> Co-authored-by: jebus <lorsbach@envipath.com> Co-authored-by: Tim Lorsbach <tim@lorsba.ch> Reviewed-on: enviPath/enviPy#171 Reviewed-by: jebus <lorsbach@envipath.com> Co-authored-by: liambrydon <lbry121@aucklanduni.ac.nz> Co-committed-by: liambrydon <lbry121@aucklanduni.ac.nz>
2025-11-11 22:49:55 +13:00
parent 1cccefa991
commit 34589efbde
53 changed files with 444 additions and 230 deletions
--- a/templates/objects/model.html
+++ b/templates/objects/model.html
@ -1,6 +1,5 @@
 {% extends "framework.html" %}
 {% load static %}
-{% load envipytags %}
 {% block content %}

    {% block action_modals %}
@ -18,7 +17,7 @@
    <div class="panel-group" id="model-detail">
        <div class="panel panel-default">
            <div class="panel-heading" id="headingPanel" style="font-size:2rem;height: 46px">
-                {{ model.name }}
+                {{ model.name|safe }}
                <div id="actionsButton"
                     style="float: right;font-weight: normal;font-size: medium;position: relative; top: 50%; transform: translateY(-50%);z-index:100;display: none;"
                     class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button"
@ -33,7 +32,7 @@
                </div>
            </div>
            <div class="panel-body">
-                <p> {{ model.description }} </p>
+                <p> {{ model.description|safe }} </p>
            </div>
            {% if model|classname == 'MLRelativeReasoning' or model|classname == 'RuleBasedRelativeReasoning'%}
                <!-- Rule Packages -->
@ -46,7 +45,7 @@
                <div id="rule-package" class="panel-collapse collapse in">
                    <div class="panel-body list-group-item">
                        {% for p in model.rule_packages.all %}
-                            <a class="list-group-item" href="{{ p.url }}">{{ p.name }}</a>
+                            <a class="list-group-item" href="{{ p.url }}">{{ p.name|safe }}</a>
                        {% endfor %}
                    </div>
                </div>
@ -60,7 +59,7 @@
                <div id="reaction-package" class="panel-collapse collapse in">
                    <div class="panel-body list-group-item">
                        {% for p in model.data_packages.all %}
-                            <a class="list-group-item" href="{{ p.url }}">{{ p.name }}</a>
+                            <a class="list-group-item" href="{{ p.url }}">{{ p.name|safe }}</a>
                        {% endfor %}
                    </div>
                </div>
@ -75,7 +74,7 @@
                    <div id="eval-package" class="panel-collapse collapse in">
                        <div class="panel-body list-group-item">
                            {% for p in model.eval_packages.all %}
-                                <a class="list-group-item" href="{{ p.url }}">{{ p.name }}</a>
+                                <a class="list-group-item" href="{{ p.url }}">{{ p.name|safe }}</a>
                            {% endfor %}
                        </div>
                    </div>