author: Andrew Donnellan <ajd@linux.ibm.com> 2019-07-01 15:28:03 +1000
committer: Daniel Axtens <dja@axtens.net> 2019-07-05 11:09:02 +1000
commit: 133a6c90e9826376be0f12f2ae6c2d7b076bdba0 (patch)
tree: db6e908a3740942ccfe858e4104e37bd41b63b1a /patchwork/templatetags
parent: a790f0390eb4d41db1032d0d6c3d103dda86ccea (diff)
templatetags: Do not mark output of msgid tag as safe
The msgid template tag exists to remove angle brackets from either side of the Message-ID header. It also marks its output as safe, meaning it does not get autoescaped by Django templating.

Its output is not safe. A maliciously crafted email can include HTML tags inside the Message-ID header, and as long as the angle brackets are not at the start and end of the header, we will quite happily render them.

Rather than using mark_safe(), use escape() to explicitly escape the Message-ID.

Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
Signed-off-by: Daniel Axtens <dja@axtens.net>
Diffstat (limited to 'patchwork/templatetags')
-rw-r--r-- patchwork/templatetags/patch.py | 3
1 files changed, 2 insertions, 1 deletions
diff --git a/patchwork/templatetags/patch.py b/patchwork/templatetags/patch.py
index ea5a71d..757f873 100644
--- a/patchwork/templatetags/patch.py
+++ b/patchwork/templatetags/patch.py
@@ -5,6 +5,7 @@
# SPDX-License-Identifier: GPL-2.0-or-later
from django import template
+from django.utils.html import escape
from django.utils.safestring import mark_safe
from django.template.defaultfilters import stringfilter
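Review bot: the `from django.utils.safestring import mark_safe` line is kept in this hunk while the only visible use of `mark_safe` in the file (the `msgid` return) is removed in the second hunk; if no other function in patch.py still calls `mark_safe`, drop the import so the file does not carry an unused name that invites someone to reach for it again in a later filter.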
@@ -64,4 +65,4 @@ def patch_checks(patch):
@register.filter
@stringfilter
def msgid(value):
- return mark_safe(value.strip('<>'))
+ return escape(value.strip('<>'))
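Review bot: `msgid` has no docstring, and after this change its contract is "strip the delimiting angle brackets, then HTML-escape whatever is left", which a reader skimming the name alone will not guess; add a one-line docstring saying so. The fix itself is sound: `django.utils.html.escape()` returns a `SafeString`, so the output is escaped exactly once and not escaped again by autoescape, and because `str.strip('<>')` only removes leading and trailing `<`/`>` characters, any tag characters in the middle of the header (the case the commit message describes) now reach the template escaped.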