Files
notifications-admin/app/templates/views
Leo Hemsted 5bbbdc3cd9 fix xss with service letter contact blocks
service contact blocks contain new lines - and jinja2 normally ignores
newlines (as in it keeps them as new lines) - but we need to turn them
into `<br>` tags so that we can show the formatting that the user has
added. We were previously just doing `{{ block | nl2br | safe }}`. nl2br
turns the new lines into `<br>` tags, and then `safe` tells jinja that
it doesn't need to escape the html.

this causes issues if the user adds `<script>alert(1)</script>` to their
contact block (or some other evil xss hack), where that will get let
through due to the safe flag

To solve this, use `Markup(html='escape')` to sanitise any html, and
then convert new lines to <br>.

bump utils

another xss
2020-01-21 17:34:49 +00:00
..
2020-01-20 10:04:18 +00:00
2019-10-31 17:53:44 +00:00
2019-10-31 17:53:44 +00:00
2019-10-31 17:53:44 +00:00
2019-10-16 10:23:39 +01:00
2020-01-20 10:03:19 +00:00
2020-01-07 15:32:12 +00:00
2019-11-18 17:09:34 +00:00
2020-01-08 09:50:50 +00:00
2019-10-31 17:53:44 +00:00
2019-10-29 16:29:33 +00:00