

Protection against XSS when rendering notifications
humitos committed Jan 4, 2024
1 parent fc9f1ca commit 6e3ae2c
Showing 1 changed file with 12 additions and 1 deletion.
13 changes: 12 additions & 1 deletion readthedocs/notifications/messages.py
Expand Up @@ -3,6 +3,7 @@

import structlog

from django.utils.html import escape
from django.utils.translation import gettext_noop as _

from readthedocs.doc_builder.exceptions import (
Expand Down Expand Up @@ -34,8 +35,18 @@ def __repr__(self):
def __str__(self):
return f"Message: {self.id} | {self.header}"

def _escape_format_values(self, format_values):
"""
Escape all potential HTML tags included in format values.
This is a protection against rendering potential values defined by the user.
It uses the Django's util function ``escape`` (similar to ``|escape`` template tag filter)
to convert HTML characters into regular characters.
"""
return {key: escape(value) for key, value in format_values.items()}

def set_format_values(self, format_values):
self.format_values = format_values or {}
self.format_values = self._escape_format_values(format_values)

def get_display_icon_classes(self):
if self.icon_classes:
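Review bot: The rewritten `set_format_values` drops the `or {}` guard that the removed line had, so a caller passing `None` now reaches `format_values.items()` inside `_escape_format_values` and raises `AttributeError` instead of storing an empty dict; keep the guard by writing `self.format_values = self._escape_format_values(format_values or {})`. A second, smaller point: `django.utils.html.escape` stringifies its argument, so any non-string format value (an int used with a numeric format spec, for instance) would come back as a `SafeString` after this change — I can't see the callers from this hunk, so that is worth confirming rather than a defect I can assert. The docstring of `_escape_format_values` could also state that the returned values are Django `SafeString`s and therefore will not be escaped a second time by an autoescaping template, which is the property the rendering path relies on. `__repr__` at the top of the hunk starts outside it.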
