
Removed '| safe' usages in templates. #751


Open
wants to merge 1 commit into
base: main

Conversation

Eric-Butcher
Contributor

@Eric-Butcher Eric-Butcher commented Aug 7, 2025

This remediates at least one (and possibly more) minor XSS exploits caused by usage of | safe template markings when used inside of script tags. This has been remediated by placing all template-injected JavaScript data into json_script template tags and then loading that JSON data inside of scripts using JSON.parse().

As part of this pull request, markup was removed from AllocationCreateView that caused the value of quantity_label to be marked as <strong></strong>.

This also introduces a new ruff linter check for "S308" checking improper usage of safe HTML injection into templates: https://docs.astral.sh/ruff/rules/suspicious-mark-safe-usage/.

Pull request #734 needs to be merged in first. These pull requests address similar issues. This PR will not pass ruff unless #734 is merged.
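The before/after pattern the PR describes, as an added example that is not part of the PR or the project's code: a `| safe` value interpolated directly inside a `<script>` tag beside the `json_script` approach. Django is not used here; the escaping that Django's `json_script` filter applies (JSON-encode, then `\u`-escape `<`, `>` and `&`) is reimplemented in a small helper, and the element id `label-data` and the string-based renderers are assumptions for the demonstration.

```javascript
// Escaping equivalent to Django's json_script filter: JSON-encode the value,
// then replace <, > and & with \u escapes so the payload can never contain a
// literal "</script>" and so cannot terminate the surrounding tag.
function jsonScriptEscape(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003C')
    .replace(/>/g, '\\u003E')
    .replace(/&/g, '\\u0026');
}

// Vulnerable pattern (the "before"): template does
//   <script>var label = "{{ label | safe }}";</script>
// The value is spliced into markup with no escaping at all.
function renderUnsafe(label) {
  return `<script>var label = "${label}";</script>`;
}

// Hardened pattern (the "after"): template does
//   {{ label | json_script:"label-data" }}
// which emits a non-executing JSON script element.
function renderJsonScript(label, id) {
  return `<script id="${id}" type="application/json">${jsonScriptEscape(label)}</script>`;
}

// Consumer side, equivalent to
//   JSON.parse(document.getElementById("label-data").textContent)
// Here the text content is pulled from the rendered string instead of the DOM.
function loadFromJsonScript(html) {
  const m = html.match(/<script id="[^"]+" type="application\/json">([\s\S]*?)<\/script>/);
  return JSON.parse(m[1]);
}

// Number of closing script tags in the rendered markup. A trustworthy renderer
// emits exactly one; a breakout shows up as extra </script> tokens.
function scriptTagCount(html) {
  return (html.match(/<\/script>/gi) || []).length;
}

// Constructed sample input of the kind an attacker-controlled label could carry.
const SAMPLE_LABEL = '</script><script>alert(1)</script>';
```

With `SAMPLE_LABEL`, `renderUnsafe` produces three `</script>` tokens (the injected markup becomes live tags), while `renderJsonScript` produces one and `loadFromJsonScript` returns the original string intact.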

@Eric-Butcher Eric-Butcher force-pushed the bugfix/script-template-safe branch from 0ec49a2 to 2433844 Compare August 7, 2025 19:52