Mirror of https://github.com/GSA/notifications-admin.git (synced 2026-02-06 11:23:48 -05:00)
WTForms versions less than 3.0.0 have a security vulnerability where arbitrary HTML can be inserted into the label of a form, allowing the possibility of a cross-site scripting attack. I don't know if there's anywhere we put user-generated content into form labels, but it's possible we are vulnerable somewhere.

This requires moving some imports because, as of https://github.com/wtforms/wtforms/pull/614/files, there is no longer a separate module for HTML5 fields; they are now considered core fields.

As of https://github.com/wtforms/wtforms/issues/445/files, custom implementations of `pre_validate` or `post_validate` must raise `ValidationError` to trigger a validation message; where we were raising `ValueError`, this was no longer being caught.

As of https://github.com/wtforms/wtforms/pull/355/files, `StringField` returns `None` for empty data, not `''`, but our `validate_email_address` function only accepts strings.