mirror of
https://github.com/GSA/notifications-admin.git
synced 2026-07-17 13:09:49 -04:00
fix xss with service letter contact blocks
service contact blocks contain new lines - and jinja2 normally ignores
newlines (as in it keeps them as new lines) - but we need to turn them
into `<br>` tags so that we can show the formatting that the user has
added. We were previously just doing `{{ block | nl2br | safe }}`. nl2br
turns the new lines into `<br>` tags, and then `safe` tells jinja that
it doesn't need to escape the html.
this causes issues if the user adds `<script>alert(1)</script>` to their
contact block (or some other evil xss hack), where that will get let
through due to the safe flag
To solve this, use `Markup(html='escape')` to sanitise any html, and
then convert new lines to <br>.
bump utils
another xss
This commit is contained in:
@@ -1,6 +1,7 @@
|
||||
import re
|
||||
|
||||
from notifications_utils.field import Field
|
||||
from notifications_utils.formatters import formatted_list
|
||||
from notifications_utils.recipients import (
|
||||
InvalidEmailError,
|
||||
validate_email_address,
|
||||
@@ -9,7 +10,6 @@ from notifications_utils.sanitise_text import SanitiseSMS
|
||||
from wtforms import ValidationError
|
||||
from wtforms.validators import Email
|
||||
|
||||
from app import formatted_list
|
||||
from app.main._blacklisted_passwords import blacklisted_passwords
|
||||
from app.utils import Spreadsheet, is_gov_user
|
||||
|
||||
|
||||
Reference in New Issue
Block a user