[#8536] improve safety
diff --git a/Allura/allura/ext/personal_dashboard/templates/sections/projects.html b/Allura/allura/ext/personal_dashboard/templates/sections/projects.html
index ccbd270..b65f797 100644
--- a/Allura/allura/ext/personal_dashboard/templates/sections/projects.html
+++ b/Allura/allura/ext/personal_dashboard/templates/sections/projects.html
@@ -43,7 +43,7 @@
                 {%- endif -%}
                 <span class="project-info">
                 <a href="{{ project.url() }}">{{ project.name }}</a>
-                {{ project.summary or '&nbsp;'|safe }}
+                {{ project.summary or ('&nbsp;'|safe) }}
             </span>
                 <span class="project-last-updated">
                 Last Updated:
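Review bot: The parentheses on the changed line only make the existing precedence explicit — Jinja applies a filter before `or`, so `'&nbsp;'|safe` was already the right-hand operand — and the rendered output is unchanged. What actually decides whether `project.summary` is escaped is the template's autoescape setting, which this hunk does not show; a short `{# summary is user text; relies on autoescape #}` next to it would record that dependency for the next reader. The same edit appears in the user_profile template at the next hunk.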
@@ -71,4 +71,4 @@
         $(this).hide().closest('.section-body').find('li.hidden').show();
     });
     </script>
-{% endblock %}
\ No newline at end of file
+{% endblock %}
diff --git a/Allura/allura/ext/user_profile/templates/sections/projects.html b/Allura/allura/ext/user_profile/templates/sections/projects.html
index e774111..3b306ec 100644
--- a/Allura/allura/ext/user_profile/templates/sections/projects.html
+++ b/Allura/allura/ext/user_profile/templates/sections/projects.html
@@ -43,7 +43,7 @@
             {%- endif -%}
             <span class="project-info">
                 <a href="{{project.url()}}">{{project.name}}</a>
-                {{project.summary or '&nbsp;'|safe}}
+                {{project.summary or ('&nbsp;'|safe)}}
             </span>
             <span class="project-last-updated">
                 Last Updated:
diff --git a/Allura/allura/lib/widgets/forms.py b/Allura/allura/lib/widgets/forms.py
index 134cd6f..65121ed 100644
--- a/Allura/allura/lib/widgets/forms.py
+++ b/Allura/allura/lib/widgets/forms.py
@@ -18,6 +18,7 @@
 import logging
 from html import escape as html_escape
 
+import html
 from tg import app_globals as g, tmpl_context as c
 from formencode import validators as fev
 import formencode
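Review bot: `import html` duplicates the `from html import escape as html_escape` line two lines above it, and it is placed in the third-party group below the blank line rather than with the stdlib imports. Either drop the new import and call `html_escape(cat.shortname)` in the later hunk, or keep it and move it above the blank line next to `import logging`. Using one spelling consistently also keeps a search for escaping call sites simple.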
@@ -616,7 +617,7 @@
                         text=cat.fullname,
                         href="/categories/%s" % cat.trove_cat_id),
                     ew.HTMLField(
-                        text=cat.shortname,
+                        text=html.escape(cat.shortname),
                         attrs={'disabled': True, 'value': cat.shortname}),
                     ew.SubmitButton(
                         show_errors=False,
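Review bot: Only the `text=` argument is escaped; `attrs={'disabled': True, 'value': cat.shortname}` on the next line still passes the same string raw, and whether `ew.HTMLField` escapes attribute values when rendering is not visible here — worth confirming, since otherwise the attribute is as exposed as the text was. The file already imports `html_escape`, so `text=html_escape(cat.shortname)` would avoid the second import added in the earlier hunk. The enclosing function starts and ends outside the hunk.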
diff --git a/Allura/allura/templates/jinja_master/master.html b/Allura/allura/templates/jinja_master/master.html
index 72c03bc..6d0d829 100644
--- a/Allura/allura/templates/jinja_master/master.html
+++ b/Allura/allura/templates/jinja_master/master.html
@@ -173,7 +173,7 @@
 {{ theme_macros.custom_js() }}
 
 {% if flash %}
-    <script type="text/javascript">{{ flash | safe }}</script>
+    <script type="text/javascript">{{ flash | safe }}</script>{# comes from flash.static_template in root.py and escaped by tg.flash allow_html setting #}
 {% endif %}
 <script>
     $(document).ready(function () {
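Review bot: The added comment names where the value comes from but not the property the template relies on: the output sits inside a `<script>` element, where HTML escaping does not stop text from closing a JS string, so the relevant invariant is that `flash.static_template` emits a server-built JS fragment with the message encoded for a script context — if that is what it does, say so, e.g. `{# flash is a server-built JS fragment from flash.static_template in root.py (message encoded for JS there), never raw user HTML #}`. Putting the comment on its own line above the `<script>` tag also keeps the tag readable. The responsive master.html at the next hunk carries the same comment.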
diff --git a/Allura/allura/templates_responsive/jinja_master/master.html b/Allura/allura/templates_responsive/jinja_master/master.html
index be68791..3786e2b 100644
--- a/Allura/allura/templates_responsive/jinja_master/master.html
+++ b/Allura/allura/templates_responsive/jinja_master/master.html
@@ -161,7 +161,7 @@
 {% endif %}
 {{ theme_macros.custom_js() }}
 {% if flash %}
-    <script type="text/javascript">{{ flash | safe }}</script>
+    <script type="text/javascript">{{ flash | safe }}</script>{# comes from flash.static_template in root.py and escaped by tg.flash allow_html setting #}
 {% endif %}
 </body>
 </html>