mirror of
https://github.com/GSA/notifications-admin.git
synced 2026-05-02 07:00:51 -04:00
Service contact blocks contain new lines, and Jinja2 normally ignores
newlines (as in it keeps them as new lines), but we need to turn them
into `<br>` tags so that we can show the formatting that the user has
added. We were previously just doing `{{ block | nl2br | safe }}`. `nl2br`
turns the new lines into `<br>` tags, and then `safe` tells Jinja that
it doesn't need to escape the HTML.

This causes issues if the user adds `<script>alert(1)</script>` to their
contact block (or some other evil XSS hack), where that will get let
through due to the `safe` flag.

To solve this, use `Markup(html='escape')` to sanitise any HTML, and
then convert new lines to `<br>`.
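The ordering problem the commit describes, as an added example (not code from the notifications-admin or notifications-utils projects): the old "nl2br then mark safe" pipeline lets user HTML through, escaping after nl2br destroys the line breaks, and escaping first then adding `<br>` keeps only the markup we generated. It assumes plain Python with the standard library; `html.escape` stands in for Jinja's autoescaping and the `nl2br` replacement is a hypothetical minimal version, not the project's filter.

```python
import html

# Constructed sample contact block: user formatting plus an injected script tag.
SAMPLE_BLOCK = "Contact us:\n<script>alert(1)</script>\nMon-Fri, 9-5"


def _nl2br(text: str) -> str:
    # Hypothetical minimal nl2br: normalise CRLF, then newline -> <br>.
    return text.replace("\r\n", "\n").replace("\n", "<br>")


def nl2br_then_safe(block: str) -> str:
    """Old behaviour, like `{{ block | nl2br | safe }}`: the output is marked
    safe as a whole, so the user's own tags are emitted unescaped (XSS)."""
    return _nl2br(block)


def nl2br_then_escape(block: str) -> str:
    """Wrong fix: escaping after nl2br also escapes the <br> tags we added,
    so the page is safe but the user's line breaks are lost."""
    return html.escape(_nl2br(block), quote=True)


def escape_then_nl2br(block: str) -> str:
    """The fix the commit describes: escape all user HTML first, then turn
    newlines into <br>. The only markup left is the <br> we generated."""
    return _nl2br(html.escape(block, quote=True))


def has_live_tag(rendered: str, tag: str = "script") -> bool:
    """Cheap check used by the assertions: is an unescaped <tag ...> present?"""
    return f"<{tag}" in rendered.lower()


if __name__ == "__main__":
    for name, fn in [("nl2br|safe", nl2br_then_safe),
                     ("nl2br|escape", nl2br_then_escape),
                     ("escape|nl2br", escape_then_nl2br)]:
        out = fn(SAMPLE_BLOCK)
        print(f"{name:13} live <script>: {has_live_tag(out)!s:5} -> {out}")
```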
bump utils
another xss
28 lines
773 B
Plaintext
# Run `make freeze-requirements` to update requirements.txt
# with package version changes made in requirements-app.txt

ago==0.0.93
Flask==1.1.1
Flask-WTF==0.14.2
Flask-Login==0.4.1

blinker==1.4
pyexcel==0.5.15
pyexcel-io==0.5.20
pyexcel-xls==0.5.8
pyexcel-xlsx==0.5.8
pyexcel-ods3==0.5.3
pytz==2019.3
gunicorn==19.7.1 # pyup: ignore, >19.8 breaks eventlet patching
eventlet==0.25.1
notifications-python-client==5.5.0

# PaaS
awscli-cwlogs>=1.4,<1.5

# Putting upgrade on hold due to v1.0.0 using sha512 instead of sha1 by default
itsdangerous==0.24 # pyup: <1.0.0

git+https://github.com/alphagov/notifications-utils.git@36.4.1#egg=notifications-utils==36.4.1
git+https://github.com/alphagov/govuk-frontend-jinja.git@v0.5.1-alpha#egg=govuk-frontend-jinja==0.5.1-alpha