[Fix] Mitigate XSS attack vector by cleaning input before it hits our Database (#171)

## Changes - All text input fields are now cleaned with nh3 to remove html tags. We allow certain html tags under `settings.py/ALLOWED_HTML_TAGS` so we can easily update the tags we allow in the future. - All names and descriptions now use the template tag `nh_safe` in all html files. - Usernames and emails are a small exception and are not allowed any html tags Co-authored-by: Liam Brydon <62733830+MyCreativityOutlet@users.noreply.github.com> Co-authored-by: jebus <lorsbach@envipath.com> Co-authored-by: Tim Lorsbach <tim@lorsba.ch> Reviewed-on: enviPath/enviPy#171 Reviewed-by: jebus <lorsbach@envipath.com> Co-authored-by: liambrydon <lbry121@aucklanduni.ac.nz> Co-committed-by: liambrydon <lbry121@aucklanduni.ac.nz>
2025-11-11 22:49:55 +13:00
parent 1cccefa991
commit 34589efbde
53 changed files with 444 additions and 230 deletions
--- a/templates/objects/user.html
+++ b/templates/objects/user.html
@ -41,7 +41,7 @@
    <div id="default-package" class="panel-collapse collapse in">
        <div class="panel-body list-group-item">
            <li class="list-group-item">
-                <a href="{{ user.default_package.url }}"> {{ user.default_package.name }}</a>
+                <a href="{{ user.default_package.url }}"> {{ user.default_package.name|safe }}</a>
            </li>
        </div>
    </div>
@ -58,7 +58,7 @@
        <div class="panel-body list-group-item">
            {% for g in meta.available_groups %}
            <li class="list-group-item">
-                <a href="{{ g.url }}"> {{ g.name }}</a>
+                <a href="{{ g.url }}"> {{ g.name|safe }}</a>
            </li>
            {% endfor %}
        </div>
@ -90,7 +90,7 @@
                                <td colspan="2">
                                    <li class="list-group-item">
                                        <a href="{{user.default_setting.model.url}}">
-                                            {{ user.default_setting.model.name }}
+                                            {{ user.default_setting.model.name|safe }}
                                        </a>
                                    </li>
                                </td>
@ -123,7 +123,7 @@
                                    {% for p in user.default_setting.rule_packages.all %}
                                    <li class="list-group-item">
                                        <a href="{{p.url}}">
-                                            {{ p.name }}
+                                            {{ p.name|safe }}
                                        </a>
                                    </li>
                                    {% endfor %}