[Fix] Mitigate XSS attack vector by cleaning input before it hits our Database (#171)

## Changes - All text input fields are now cleaned with nh3 to remove html tags. We allow certain html tags under `settings.py/ALLOWED_HTML_TAGS` so we can easily update the tags we allow in the future. - All names and descriptions now use the template tag `nh_safe` in all html files. - Usernames and emails are a small exception and are not allowed any html tags Co-authored-by: Liam Brydon <62733830+MyCreativityOutlet@users.noreply.github.com> Co-authored-by: jebus <lorsbach@envipath.com> Co-authored-by: Tim Lorsbach <tim@lorsba.ch> Reviewed-on: enviPath/enviPy#171 Reviewed-by: jebus <lorsbach@envipath.com> Co-authored-by: liambrydon <lbry121@aucklanduni.ac.nz> Co-committed-by: liambrydon <lbry121@aucklanduni.ac.nz>
2025-11-11 22:49:55 +13:00
parent 1cccefa991
commit 34589efbde
53 changed files with 444 additions and 230 deletions
--- a/templates/objects/pathway.html
+++ b/templates/objects/pathway.html
@ -98,7 +98,7 @@
        <div class="panel-group" id="pwAccordion">
            <div class="panel panel-default">
                <div class="panel-heading" id="headingPanel" style="font-size:2rem;height: 46px">
-                    {{ pathway.name }}
+                    {{ pathway.name|safe }}
                </div>
            </div>
            <div class="panel panel-default panel-heading list-group-item" style="background-color:silver">
@ -236,7 +236,7 @@
                <div id="pathway-scenario" class="panel-collapse collapse in">
                    <div class="panel-body list-group-item">
                        {% for s in pathway.scenarios.all %}
-                            <a class="list-group-item" href="{{ s.url }}">{{ s.name }} <i>({{ s.package.name }})</i></a>
+                            <a class="list-group-item" href="{{ s.url }}">{{ s.name|safe }} <i>({{ s.package.name|safe }})</i></a>
                        {% endfor %}
                    </div>
                </div>
@ -266,7 +266,7 @@
                                                <td colspan="2">
                                                    <li class="list-group-item">
                                                        <a href="{{ pathway.setting.model.url }}">
-                                                            {{ pathway.setting.model.name }}
+                                                            {{ pathway.setting.model.name|safe }}
                                                        </a>
                                                    </li>
                                                </td>
@ -299,7 +299,7 @@
                                                    {% for p in pathway.setting.rule_packages.all %}
                                                        <li class="list-group-item">
                                                            <a href="{{ p.url }}">
-                                                                {{ p.name }}
+                                                                {{ p.name|safe }}
                                                            </a>
                                                        </li>
                                                    {% endfor %}