From 654707e6b5f1a35c757fd45d274755726441e001 Mon Sep 17 00:00:00 2001 
From: Liam Brydon <62733830+MyCreativityOutlet@users.noreply.github.com>
Date: Fri, 7 Nov 2025 09:42:21 +1300
Subject: [PATCH] removed envipytags.py and moved name cleaning to before default name assignment
---
epdb/models.py | 68 +++++++++++--------
epdb/templatetags/envipytags.py | 21 ------
epdb/views.py | 2 +-
templates/collections/joblog.html | 1 -
templates/collections/objects_list.html | 1 -
templates/migration.html | 1 -
templates/migration_detail.html | 1 -
.../modals/collections/new_model_modal.html | 2 +-
.../modals/collections/new_pathway_modal.html | 2 +-
.../new_prediction_setting_modal.html | 2 +-
.../objects/add_pathway_edge_modal.html | 2 +-
.../objects/delete_pathway_edge_modal.html | 2 +-
.../objects/delete_pathway_node_modal.html | 2 +-
.../modals/objects/edit_compound_modal.html | 2 +-
.../edit_compound_structure_modal.html | 2 +-
.../objects/edit_group_member_modal.html | 2 +-
.../modals/objects/edit_model_modal.html | 2 +-
templates/modals/objects/edit_node_modal.html | 2 +-
.../modals/objects/edit_package_modal.html | 2 +-
.../edit_package_permissions_modal.html | 2 +-
.../modals/objects/edit_pathway_modal.html | 2 +-
.../edit_prediction_setting_modal.html | 1 -
.../modals/objects/edit_reaction_modal.html | 2 +-
templates/modals/objects/edit_rule_modal.html | 2 +-
templates/modals/objects/edit_user_modal.html | 2 +-
.../modals/objects/evaluate_model_modal.html | 2 +-
.../objects/generic_copy_object_modal.html | 2 +-
.../objects/generic_set_aliases_modal.html | 2 +-
.../generic_set_external_reference_modal.html | 2 +-
.../objects/generic_set_scenario_modal.html | 2 +-
.../objects/manage_api_token_modal.html | 2 +-
templates/modals/predict_modal.html | 1 -
templates/objects/composite_rule.html | 1 -
templates/objects/compound.html | 1 -
templates/objects/compound_structure.html | 1 -
templates/objects/edge.html | 1 -
templates/objects/group.html | 1 -
templates/objects/model.html | 1 -
templates/objects/node.html | 1 -
templates/objects/package.html | 1 -
templates/objects/pathway.html | 1 -
templates/objects/reaction.html | 1 -
templates/objects/scenario.html | 1 -
templates/objects/simple_rule.html | 1 -
templates/objects/user.html | 1 -
templates/pathway_playground2.html | 1 -
templates/search.html | 1 -
47 files changed, 63 insertions(+), 95 deletions(-)
delete mode 100644 epdb/templatetags/envipytags.py
diff --git a/epdb/models.py b/epdb/models.py
index e3ab0476..d48b0476 100644
--- a/epdb/models.py
+++ b/epdb/models.py
@@ -804,10 +804,13 @@ class Compound(EnviPathModel, AliasMixin, ScenarioMixin, ChemicalIdentifierMixin
 c = Compound()
 c.package = package
- if name is None or name.strip() == "":
+ if name is not None:
+ # Clean for potential XSS
+ name = nh3.clean(name, tags=s.ALLOWED_HTML_TAGS).strip()
+ if name is None or name == "":
 name = f"Compound {Compound.objects.filter(package=package).count() + 1}"
- # Clean for potential XSS
- c.name = nh3.clean(name, tags=s.ALLOWED_HTML_TAGS).strip()
+ c.name = name
+
 # We have a default here only set the value if it carries some payload
 if description is not None and description.strip() != "":
 c.description = nh3.clean(description, tags=s.ALLOWED_HTML_TAGS).strip()
@@ -1187,12 +1190,13 @@ class SimpleAmbitRule(SimpleRule):
 r = SimpleAmbitRule()
 r.package = package
-
- if name is None or name.strip() == "":
+ if name is not None:
+ # Clean for potential XSS
+ name = nh3.clean(name, tags=s.ALLOWED_HTML_TAGS).strip()
+ if name is None or name == "":
 name = f"Rule {Rule.objects.filter(package=package).count() + 1}"
- # Clean for potential XSS
- r.name = nh3.clean(name, tags=s.ALLOWED_HTML_TAGS).strip()
+ r.name = name
 if description is not None and description.strip() != "":
 r.description = nh3.clean(description, tags=s.ALLOWED_HTML_TAGS).strip()
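Review bot: The description branch on the last two lines of this hunk still tests `description.strip() != ""` before sanitizing, so a description made only of disallowed markup passes the check and `c.description` is set to the empty string that `nh3.clean(...).strip()` returns, overriding whatever default the field carries — the same order-of-operations problem this commit just fixed for `name`. Applying the clean-then-check order here too keeps the default in that case, e.g. `cleaned_desc = nh3.clean(description, tags=s.ALLOWED_HTML_TAGS).strip() if description is not None else ""`, `if cleaned_desc:`, `c.description = cleaned_desc`. The identical description handling appears in the SimpleAmbitRule, Pathway, RuleBasedRelativeReasoning, MLRelativeReasoning, EnviFormer and Scenario hunks of this patch. Compound.create starts before this hunk.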
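Review bot: The five added lines (clean when not None, then fall back to the default when None or empty) are now repeated verbatim in seven create methods of this patch — Compound, Pathway, RuleBasedRelativeReasoning, MLRelativeReasoning, EnviFormer, Scenario and, without the comment, Edge — differing only in the default's prefix and queryset. Because this block is the sanitizer for user-supplied names, keeping it in one module-level helper would stop the copies from drifting the next time the order or the tag allow-list changes. The default should stay lazy so the count query only runs when no usable name was given. SimpleAmbitRule.create starts before this hunk.
```python
def _sanitized_name(name, default_factory):
    """Return the nh3-cleaned, stripped *name*, or default_factory() when name is None or sanitizes to empty."""
    if name is not None:
        name = nh3.clean(name, tags=s.ALLOWED_HTML_TAGS).strip()
    return name if name else default_factory()

# … in SimpleAmbitRule.create, replacing the added name block …
r.name = _sanitized_name(name, lambda: f"Rule {Rule.objects.filter(package=package).count() + 1}")
```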
@@ -1715,12 +1719,13 @@ class Pathway(EnviPathModel, AliasMixin, ScenarioMixin):
 ):
 pw = Pathway()
 pw.package = package
-
- if name is None or name.strip() == "":
+ if name is not None:
+ # Clean for potential XSS
+ name = nh3.clean(name, tags=s.ALLOWED_HTML_TAGS).strip()
+ if name is None or name == "":
 name = f"Pathway {Pathway.objects.filter(package=package).count() + 1}"
- # Clean for potential XSS
- pw.name = nh3.clean(name, tags=s.ALLOWED_HTML_TAGS).strip()
+ pw.name = name
 if description is not None and description.strip() != "":
 pw.description = nh3.clean(description, tags=s.ALLOWED_HTML_TAGS).strip()
@@ -2019,9 +2024,10 @@ class Edge(EnviPathModel, AliasMixin, ScenarioMixin):
 # Clean for potential XSS
 # Cleaning technically not needed as it is also done in Reaction.create, including it here for consistency
- if name is None:
+ if name is not None:
+ name = nh3.clean(name, tags=s.ALLOWED_HTML_TAGS).strip()
+ if name is None or name == "":
 name = f"Reaction {pathway.package.reactions.count() + 1}"
- name = nh3.clean(name, tags=s.ALLOWED_HTML_TAGS).strip()
 if description is None:
 description = s.DEFAULT_VALUES["description"]
@@ -2545,12 +2551,13 @@ class RuleBasedRelativeReasoning(PackageBasedModel):
 ):
 rbrr = RuleBasedRelativeReasoning()
 rbrr.package = package
-
- if name is None or name.strip() == "":
+ if name is not None:
+ # Clean for potential XSS
+ name = nh3.clean(name, tags=s.ALLOWED_HTML_TAGS).strip()
+ if name is None or name == "":
 name = f"RuleBasedRelativeReasoning {RuleBasedRelativeReasoning.objects.filter(package=package).count() + 1}"
- # Clean for potential XSS
- rbrr.name = nh3.clean(name, tags=s.ALLOWED_HTML_TAGS).strip()
+ rbrr.name = name
 if description is not None and description.strip() != "":
 rbrr.description = nh3.clean(description, tags=s.ALLOWED_HTML_TAGS).strip()
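Review bot: In the Edge hunk the context comment `# Cleaning technically not needed as it is also done in Reaction.create, including it here for consistency` is stale after this change: the cleaned value now decides whether the `Reaction …` default applies (a name that sanitizes to empty falls through to it), so the call is no longer a redundant consistency measure and the comment invites a later reader to delete it. Suggest replacing it with `# Cleaned here, not only in Reaction.create: the sanitized value decides whether the default name applies`. Whether Reaction.create cleans again is not visible in this patch, so the comment should not promise more than that. The enclosing method starts and ends outside this hunk.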
@@ -2649,12 +2656,13 @@ class MLRelativeReasoning(PackageBasedModel):
 ):
 mlrr = MLRelativeReasoning()
 mlrr.package = package
-
- if name is None or name.strip() == "":
+ if name is not None:
+ # Clean for potential XSS
+ name = nh3.clean(name, tags=s.ALLOWED_HTML_TAGS).strip()
+ if name is None or name == "":
 name = f"MLRelativeReasoning {MLRelativeReasoning.objects.filter(package=package).count() + 1}"
- # Clean for potential XSS
- mlrr.name = nh3.clean(name, tags=s.ALLOWED_HTML_TAGS).strip()
+ mlrr.name = name
 if description is not None and description.strip() != "":
 mlrr.description = nh3.clean(description, tags=s.ALLOWED_HTML_TAGS).strip()
@@ -2964,12 +2972,13 @@ class EnviFormer(PackageBasedModel):
 ):
 mod = EnviFormer()
 mod.package = package
-
- if name is None or name.strip() == "":
+ if name is not None:
+ # Clean for potential XSS
+ name = nh3.clean(name, tags=s.ALLOWED_HTML_TAGS).strip()
+ if name is None or name == "":
 name = f"EnviFormer {EnviFormer.objects.filter(package=package).count() + 1}"
- # Clean for potential XSS
- mod.name = nh3.clean(name, tags=s.ALLOWED_HTML_TAGS).strip()
+ mod.name = name
 if description is not None and description.strip() != "":
 mod.description = nh3.clean(description, tags=s.ALLOWED_HTML_TAGS).strip()
@@ -3375,11 +3384,12 @@ class Scenario(EnviPathModel):
 ):
 new_s = Scenario()
 new_s.package = package
-
- if name is None or name.strip() == "":
+ if name is not None:
+ # Clean for potential XSS
+ name = nh3.clean(name, tags=s.ALLOWED_HTML_TAGS).strip()
+ if name is None or name == "":
 name = f"Scenario {Scenario.objects.filter(package=package).count() + 1}"
-
- new_s.name = nh3.clean(name, tags=s.ALLOWED_HTML_TAGS).strip()
+ new_s.name = name
 if description is not None and description.strip() != "":
 new_s.description = nh3.clean(description, tags=s.ALLOWED_HTML_TAGS).strip()
diff --git a/epdb/templatetags/envipytags.py b/epdb/templatetags/envipytags.py
deleted file mode 100644
index 6c250e63..00000000
--- a/epdb/templatetags/envipytags.py
+++ /dev/null
@@ -1,21 +0,0 @@
-from django import template
-from pydantic import AnyHttpUrl, ValidationError
-from pydantic.type_adapter import TypeAdapter
-
-register = template.Library()
-
-url_adapter = TypeAdapter(AnyHttpUrl)
-
-
-@register.filter
-def classname(obj):
- return obj.__class__.__name__
-
-
-@register.filter
-def is_url(value):
- try:
- url_adapter.validate_python(value)
- return True
- except ValidationError:
- return False
diff --git a/epdb/views.py b/epdb/views.py
index 4a3a131a..9c8f9761 100644
--- a/epdb/views.py
+++ b/epdb/views.py
@@ -87,7 +87,7 @@ def login(request):
 from django.contrib.auth import login
 username = request.POST.get("username").strip()
- if username != request.POST.get("username").strip():
+ if username != request.POST.get("username"):
 context["message"] = "Login failed!"
 return render(request, "static/login.html", context)
 password = request.POST.get("password")
diff --git a/templates/collections/joblog.html b/templates/collections/joblog.html
index 7075e08e..07e15e71 100644
--- a/templates/collections/joblog.html
+++ b/templates/collections/joblog.html
@@ -1,6 +1,5 @@
 {% extends "framework.html" %}
 {% load static %}
-{% load envipytags %}
 {% block content %}
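Review bot: In the views.py hunk, `request.POST.get("username")` returns None when the field is missing from the form, so the context line `username = request.POST.get("username").strip()` raises AttributeError and the request ends in an unhandled error instead of reaching the `Login failed!` branch that the corrected comparison now feeds; the new line also re-reads the field rather than reusing the value already fetched. Suggest `raw_username = request.POST.get("username") or ""`, `username = raw_username.strip()`, `if username != raw_username:`, which keeps the intended rejection of surrounding whitespace and turns a malformed POST into the same failed-login response. `login` continues outside this hunk.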