(allura) 03/08: [#8536] move/improve |safe usage
This is an automated email from the ASF dual-hosted git repository. brondsem pushed a commit to branch db/8536 in repository https://gitbox.apache.org/repos/asf/allura.git commit 2869dfdf58eefdf3c564e56953bc7cacd6192e89 Author: Dave Brondsema AuthorDate: Fri Feb 9 16:12:37 2024 -0500 [#8536] move/improve |safe usage --- Allura/allura/app.py | 7 --- Allura/allura/ext/admin/templates/project_groups.html | 2 +- Allura/allura/lib/diff.py | 3 ++- Allura/allura/templates/jinja_master/sidebar_menu.html| 2 +- Allura/allura/templates/repo/barediff.html| 2 +- Allura/allura/templates/repo/diff.html| 2 +- Allura/allura/templates_responsive/jinja_master/sidebar_menu.html | 2 +- ForgeTracker/forgetracker/tracker_main.py | 6 -- ForgeWiki/forgewiki/wiki_main.py | 5 +++-- 9 files changed, 18 insertions(+), 13 deletions(-) diff --git a/Allura/allura/app.py b/Allura/allura/app.py index 1beddf562..23f18d1b3 100644 --- a/Allura/allura/app.py +++ b/Allura/allura/app.py @@ -24,6 +24,7 @@ from xml.etree import ElementTree as ET from copy import copy import pkg_resources +from markupsafe import Markup from tg import expose, redirect, flash, validate from tg.decorators import without_trailing_slash from tg import config as tg_config @@ -619,13 +620,13 @@ class Application(ActivityObject): """ return [] -def sidebar_menu_js(self): +def sidebar_menu_js(self) -> Markup: """Return Javascript needed by the sidebar menu of this Application. -:return: a string of Javascript code +:return: Markup string of Javascript code """ -return "" +return Markup("") @LazyProperty def _webhooks(self): diff --git a/Allura/allura/ext/admin/templates/project_groups.html b/Allura/allura/ext/admin/templates/project_groups.html index bb5571010..ed941dd9d 100644 --- a/Allura/allura/ext/admin/templates/project_groups.html +++ b/Allura/allura/ext/admin/templates/project_groups.html 
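Review bot: The new `Markup("")` return in `sidebar_menu_js` moves the trust decision into every override, but the docstring does not say so; with sidebar_menu.html in this same commit now rendering the value without `|safe`, an override that returns a plain `str` will be autoescaped and an override that builds `Markup` from unescaped request or artifact data will be emitted verbatim. I would extend the docstring to `:return: Markup string of Javascript code; overriding apps must build it with Markup.format() or Markup.escape() so any dynamic values are escaped`, so the contract is visible where subclasses override it. The `Application` class continues outside the hunk.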
@@ -76,7 +76,7 @@ {% for r in role.users_with_role() %} {{ g.icons['perm_delete'].render( -title=('%s (%s)' % (r.user.display_name | escape, r.user.username | escape)) | safe, +title=('%s (%s)'|safe) % (r.user.display_name, r.user.username), show_title=True, extra_css='deleter', **{'data-user': r.user.username}) }} diff --git a/Allura/allura/lib/diff.py b/Allura/allura/lib/diff.py index 000ecce01..ee9087253 100644 --- a/Allura/allura/lib/diff.py +++ b/Allura/allura/lib/diff.py @@ -24,6 +24,7 @@ from collections.abc import Iterable, Generator import sxsdiff from diff_match_patch import diff_match_patch import six +from markupsafe import Markup from sxsdiff.calculator import LineChange, ElementsHolder, PlainElement, AdditionElement, DeletionElement log = logging.getLogger(__name__) @@ -67,7 +68,7 @@ class SxsOutputGenerator(sxsdiff.BaseGenerator): def run(self, diff_result: Iterable[LineChange | None]): self.out = '' super().run(diff_result) -return self.out +return Markup(self.out) # "safe" because we use html.escape in a few key places below def visit_row(self, line_change: LineChange | None): if line_change is None: diff --git a/Allura/allura/templates/jinja_master/sidebar_menu.html b/Allura/allura/templates/jinja_master/sidebar_menu.html index 6097e7132..d9db22f24 100644 --- a/Allura/allura/templates/jinja_master/sidebar_menu.html +++ b/Allura/allura/templates/jinja_master/sidebar_menu.html @@ -95,7 +95,7 @@ {% endif %} {% if c.app and c.app.sidebar_menu_js() %} -{{c.app.sidebar_menu_js()|safe}} +{{c.app.sidebar_menu_js()}} {% endif %} diff --git a/Allura/allura/templates/repo/barediff.html b/Allura/allura/templates/repo/barediff.html index babccfa61..84085149f 100644 --- a/Allura/allura/templates/repo/barediff.html +++ b/Allura/allura/templates/repo/barediff.html @@ -25,7 +25,7 @@ title="{{h.text.truncate(b.commit._id, 10)}}"/> {% else %} {% if session.diformat == 'sidebyside' %} -{{diff|safe}} +{{diff}} {% else %} {{g.highlight(diff, lexer='diff')}} {% endif%} 
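Review bot: The comment on the new `return Markup(self.out)` in `SxsOutputGenerator.run` states the invariant only loosely ("a few key places below"), which is the kind of comment that drifts as `visit_*` methods are edited. I would state it as a requirement, e.g. `# Markup is only correct while every fragment of file content appended to self.out below goes through html.escape first; keep that when touching the visit_* methods`. A unit test that feeds a line containing `<script>` through `run()` and asserts the output contains `&lt;script&gt;` would pin the invariant better than the comment. The rest of the class is outside the hunk.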
diff --git a/Allura/allura/templates/repo/diff.html b/Allura/allura/templates/repo/diff.html index df74c6c66..fdbec5663 100644 --- a/Allura/allura/templates/repo/diff.html +++ b/Allura/allura/templates/repo/diff.html @@ -63,7 +63,7 @@ Switch to {{ switch_text }} view {% if session.diformat == 'sidebyside' %} - {{diff|safe}} + {{diff}} {% else %} {{g.highlight(diff, lexer='diff')}} {% endif %} diff --git a/Allura/allura/templates_responsive/jinja_master/sidebar_menu.html
(allura) 01/08: [#8536] use Markup's own interpolation
This is an automated email from the ASF dual-hosted git repository. brondsem pushed a commit to branch db/8536 in repository https://gitbox.apache.org/repos/asf/allura.git commit 8fb39f641df098feef390709997234bc77e0bc57 Author: Dave Brondsema AuthorDate: Fri Feb 9 11:23:44 2024 -0500 [#8536] use Markup's own interpolation --- Allura/allura/lib/app_globals.py | 15 + Allura/allura/lib/search.py | 2 +- Allura/allura/lib/utils.py| 10 - Allura/allura/lib/widgets/forms.py| 27 ++- Allura/allura/tasks/mail_tasks.py | 2 +- Allura/allura/tests/test_globals.py | 1 + ForgeActivity/forgeactivity/templates/macros.html | 2 +- ForgeTracker/forgetracker/model/ticket.py | 2 +- ForgeTracker/forgetracker/widgets/ticket_form.py | 2 +- 9 files changed, 28 insertions(+), 35 deletions(-) diff --git a/Allura/allura/lib/app_globals.py b/Allura/allura/lib/app_globals.py index eadabd9bd..9cc3d86bb 100644 --- a/Allura/allura/lib/app_globals.py +++ b/Allura/allura/lib/app_globals.py @@ -99,17 +99,14 @@ class ForgeMarkdown: # if text is too big, markdown can take a long time to process it, # so we return it as a plain text log.info('Text is too big. Skipping markdown processing') -escaped = html.escape(h.really_unicode(source)) -return Markup('%s' % escaped) +return Markup('{}').format(h.really_unicode(source)) try: return self.make_markdown_instance(**self.forge_ext_kwargs).convert(source) except Exception: log.info('Invalid markdown: %s Upwards trace is %s', source, ''.join(traceback.format_stack()), exc_info=True) -escaped = h.really_unicode(source) -escaped = html.escape(escaped) return Markup("""ERROR! The markdown supplied could not be parsed correctly. -Did you forget to surround a code snippet with ""?%s""" % escaped) +Did you forget to surround a code snippet with ""?%s""") % h.really_unicode(source) @LazyProperty def uncacheable_macro_regex(self): 
@@ -471,10 +468,8 @@ class Globals: lexer = pygments.lexers.get_lexer_by_name(lexer, encoding='chardet') if lexer is None or len(text) >= asint(config.get('scm.view.max_syntax_highlight_bytes', 50)): -# no highlighting, but we should escape, encode, and wrap it in -# a -text = html.escape(text) -return Markup('' + text + '') +# no highlighting, but we should wrap it in a safely +return Markup('{}').format(text) else: return Markup(pygments.highlight(text, lexer, formatter)) @@ -686,7 +681,7 @@ class Icon: if tag == 'a': attrs['href'] = '#' attrs.update(kw) -attrs = ew._Jinja2Widget().j2_attrs(attrs) +attrs = ew._Jinja2Widget().j2_attrs(attrs) # this escapes them visible_title = '' if show_title: visible_title = f' {Markup.escape(title)}' diff --git a/Allura/allura/lib/search.py b/Allura/allura/lib/search.py index 27a29f738..388384798 100644 --- a/Allura/allura/lib/search.py +++ b/Allura/allura/lib/search.py @@ -409,4 +409,4 @@ def mapped_artifacts_from_index_ids(index_ids, model, objectid_id=True): map = {} for m in models: map[str(m._id)] = m -return map \ No newline at end of file +return map diff --git a/Allura/allura/lib/utils.py b/Allura/allura/lib/utils.py index 683a7fcae..0cf6b8c3c 100644 --- a/Allura/allura/lib/utils.py +++ b/Allura/allura/lib/utils.py @@ -211,10 +211,10 @@ def chunked_iter(iterable, max_size): class AntiSpam: '''Helper class for bot-protecting forms''' -honey_field_template = string.Template(''' -You seem to have CSS turned off. +honey_field_template = ''' +You seem to have CSS turned off. Please don't fill out this field. -''') +''' def __init__(self, request=None, num_honey=2, timestamp=None, spinner=None): self.num_honey = num_honey 
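Review bot: `honey_field_template` in `AntiSpam` is now a plain `str.format` template (consumed by `Markup(...).format(...)` in the second AntiSpam hunk), so any literal brace in the markup — an inline style rule, for instance — would have to be written as `{{`/`}}` or the render raises at request time; the class attribute should say so. I would add above it `# str.format template: write literal braces as {{ }}; rendered via Markup.format so substituted values are HTML-escaped`. If `string` was imported only for `string.Template`, that import is now unused; the import block is outside the hunk, so please check.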
@@ -307,10 +307,10 @@ class AntiSpam: for fldno in range(self.num_honey): fld_name = self.enc('honey%d' % (fldno)) fld_id = self.enc('honey%d%d' % (self.counter, fldno)) -yield Markup(self.honey_field_template.substitute( +yield Markup(self.honey_field_template).format( honey_class=self.honey_class, fld_id=fld_id, -fld_name=fld_name)) +fld_name=fld_name) self.counter += 1 def make_spinner(self, timestamp=None): diff --git a/Allura/allura/lib/widgets/forms.py b/Allura/allura/lib/widgets/forms.py index 5252819e1..134cd6f40 100644 --- a/Allura/allura/lib/widgets/forms.py +++ b/Allura/allura/lib/widget
(allura) 08/08: [#8536] use h.clean_html and |safe_html
This is an automated email from the ASF dual-hosted git repository. brondsem pushed a commit to branch db/8536 in repository https://gitbox.apache.org/repos/asf/allura.git commit 38e48ad3ca147af48f7a409bb664d6278a8b40fe Author: Dave Brondsema AuthorDate: Mon Feb 12 12:20:06 2024 -0500 [#8536] use h.clean_html and |safe_html --- Allura/allura/config/app_cfg.py | 1 + Allura/allura/ext/admin/templates/project_trove.html| 2 +- Allura/allura/lib/helpers.py| 9 - Allura/allura/templates/jinja_master/master.html| 4 ++-- Allura/allura/templates/neighborhood_project_list.html | 2 +- Allura/allura/templates_responsive/jinja_master/master.html | 4 ++-- Allura/allura/tests/test_helpers.py | 5 + 7 files changed, 20 insertions(+), 7 deletions(-) diff --git a/Allura/allura/config/app_cfg.py b/Allura/allura/config/app_cfg.py index 33e5148c4..e0a5cfb4c 100644 --- a/Allura/allura/config/app_cfg.py +++ b/Allura/allura/config/app_cfg.py @@ -143,6 +143,7 @@ class AlluraJinjaRenderer(JinjaRenderer): jinja2_env.filters['filter'] = lambda s, t=None: list(filter(t and jinja2_env.tests[t], s)) jinja2_env.filters['nl2br'] = helpers.nl2br_jinja_filter jinja2_env.filters['subrender'] = helpers.subrender_jinja_filter +jinja2_env.filters['safe_html'] = helpers.clean_html jinja2_env.globals.update({ 'hasattr': hasattr, 'h': helpers, diff --git a/Allura/allura/ext/admin/templates/project_trove.html b/Allura/allura/ext/admin/templates/project_trove.html index 0d1a9da78..1fbff6e95 100644 --- a/Allura/allura/ext/admin/templates/project_trove.html +++ b/Allura/allura/ext/admin/templates/project_trove.html @@ -27,7 +27,7 @@ {% set help_text = config.get('trovecategories.admin.help.'+base.shortname, '') %} {% if help_text %} - {{ help_text|safe }} + {{ help_text|safe_html }} {% endif %} diff --git a/Allura/allura/lib/helpers.py b/Allura/allura/lib/helpers.py index 26dd2d94f..f0675e443 100644 --- a/Allura/allura/lib/helpers.py +++ b/Allura/allura/lib/helpers.py 
@@ -809,7 +809,7 @@ def subrender_jinja_filter(context, html_tmpl: str) -> Markup: log.exception(f'Could not replace {var} in jinja "subrender" for site notification') continue html_tmpl = html_tmpl.replace(var, val) -return Markup(html_tmpl) +return clean_html(html_tmpl) def nl2br_jinja_filter(value): @@ -1378,3 +1378,10 @@ def pluralize_tool_name(tool_name: string, count: int): def parse_fediverse_address(username: str): pieces = username.split('@') return f'https://{pieces[-1]}/@{pieces[1]}' + + +def clean_html(value: str) -> Markup: +from allura.lib.markdown_extensions import HTMLSanitizer +return Markup( +HTMLSanitizer().run(value) +) diff --git a/Allura/allura/templates/jinja_master/master.html b/Allura/allura/templates/jinja_master/master.html index 6d0d829c1..19cb43ca1 100644 --- a/Allura/allura/templates/jinja_master/master.html +++ b/Allura/allura/templates/jinja_master/master.html @@ -56,11 +56,11 @@ {% if c.project and c.project.neighborhood.css %} -{{c.project.neighborhood.get_custom_css()|safe}} +{{ c.project.neighborhood.get_custom_css()|safe_html }} {% elif neighborhood|default and neighborhood.css %} -{{neighborhood.get_custom_css()}} +{{ neighborhood.get_custom_css()|safe_html }} {% endif %} {% block extra_css %}{% endblock %} diff --git a/Allura/allura/templates/neighborhood_project_list.html b/Allura/allura/templates/neighborhood_project_list.html index 91fecd345..53e33b3e1 100644 --- a/Allura/allura/templates/neighborhood_project_list.html +++ b/Allura/allura/templates/neighborhood_project_list.html @@ -45,7 +45,7 @@ {{ text }} {% endif %} {% if neighborhood.homepage %} - {{neighborhood.homepage|safe}} + {{neighborhood.homepage|safe_html}} {% endif %} {% if neighborhood.allow_browse %} {% if not projects %} diff --git a/Allura/allura/templates_responsive/jinja_master/master.html b/Allura/allura/templates_responsive/jinja_master/master.html index 3786e2b88..5d28d00dc 100644 --- a/Allura/allura/templates_responsive/jinja_master/master.html 
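Review bot: The new `clean_html` has no docstring and its function-local import is unexplained, although it is now the single sanitizer behind the `safe_html` filter registered in app_cfg.py and behind the site-notification `subrender` path. I would add `"""Run *value* through HTMLSanitizer and return the result as Markup (backs the |safe_html Jinja filter)."""` and a comment on the import such as `# local import, presumably to avoid an import cycle with markdown_extensions — confirm`. In `subrender_jinja_filter` the placeholder substitution now happens before sanitizing, which is the right order; a one-line comment saying the sanitizer must stay the last step would stop a later edit from moving it.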
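Review bot: `get_custom_css()|safe_html` runs an HTML sanitizer over text that, judging by the surrounding `neighborhood.css` check and the `extra_css` block, is emitted inside a style element; an HTML sanitizer is not a CSS sanitizer, and if HTMLSanitizer serializes text nodes with entity escaping, a child combinator (`a > b`) or an `&` in the stylesheet comes out as `&gt;`/`&amp;` inside raw-text style content and silently breaks the rule. Worth a test that round-trips a stylesheet containing `>` through `clean_html` before relying on the filter here; the same applies to the templates_responsive master.html hunk that follows. If escaping does occur, a filter written for stylesheet text would be the right tool rather than the generic HTML one.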
+++ b/Allura/allura/templates_responsive/jinja_master/master.html @@ -58,11 +58,11 @@ {% if c.project and c.project.neighborhood.css %} -{{c.project.neighborhood.get_custom_css()|safe}} +{{ c.project.neighborhood.get_custom_css()|safe_html }} {% elif neighborhood|default and neighborhood.css %} -{{neighborhood.get_custom_css()}} +{{ neighborhood.get_custom_css()|safe_html }} {% endif %} {% block extra_css %}{% endblock %} diff --git a/Allura/allura/
(allura) 06/08: [#8536] more move/improve |safe
This is an automated email from the ASF dual-hosted git repository. brondsem pushed a commit to branch db/8536 in repository https://gitbox.apache.org/repos/asf/allura.git commit ccd6e86694438b05239256ba3b815ca144fafdca Author: Dave Brondsema AuthorDate: Mon Feb 12 18:16:21 2024 -0500 [#8536] more move/improve |safe --- Allura/allura/lib/widgets/search.py | 5 +++-- Allura/allura/templates/user_prefs.html | 2 +- Allura/allura/templates/widgets/lightbox.html | 2 +- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/Allura/allura/lib/widgets/search.py b/Allura/allura/lib/widgets/search.py index 2bef28700..cec39ad44 100644 --- a/Allura/allura/lib/widgets/search.py +++ b/Allura/allura/lib/widgets/search.py @@ -18,6 +18,7 @@ import ew as ew_core import ew.jinja2_ew as ew import jinja2 +from markupsafe import Markup from allura.lib.widgets import form_fields as ffw @@ -53,8 +54,8 @@ class SearchHelp(ffw.Lightbox): # can't use g.jinja2_env since this widget gets imported too early :( jinja2_env = jinja2.Environment( loader=jinja2.PackageLoader('allura', 'templates/widgets')) -self.content = jinja2_env.get_template('search_help.html').render(dict( +self.content = Markup(jinja2_env.get_template('search_help.html').render(dict( comments=comments, history=history, fields=fields, -)) +))) diff --git a/Allura/allura/templates/user_prefs.html b/Allura/allura/templates/user_prefs.html index 6610ad19f..62d95352d 100644 --- a/Allura/allura/templates/user_prefs.html +++ b/Allura/allura/templates/user_prefs.html @@ -85,7 +85,7 @@ - {{c.enter_password.display(content='Enter password')}} + {{c.enter_password.display(content='Enter password'|safe)}} {% endif %} {# allow_edit_prefs #} diff --git a/Allura/allura/templates/widgets/lightbox.html b/Allura/allura/templates/widgets/lightbox.html index 82972260f..624a49f2d 100644 --- a/Allura/allura/templates/widgets/lightbox.html +++ b/Allura/allura/templates/widgets/lightbox.html 
@@ -21,6 +21,6 @@ {% if content_template %} {% include content_template with context %} {% else %} -{{content|safe}} +{{content}} {% endif %}
(allura) 02/08: [#8536] remove old unused oembed templates
This is an automated email from the ASF dual-hosted git repository. brondsem pushed a commit to branch db/8536 in repository https://gitbox.apache.org/repos/asf/allura.git commit 77ae6f4ac8d9a3f31e6404c9d3a764f32da8ddda Author: Dave Brondsema AuthorDate: Fri Feb 9 16:10:46 2024 -0500 [#8536] remove old unused oembed templates --- Allura/allura/templates/oembed/__init__.py | 16 - Allura/allura/templates/oembed/generic.html | 23 --- Allura/allura/templates/oembed/html_tpl.html | 25 Allura/allura/templates/oembed/link.html | 26 - Allura/allura/templates/oembed/link_opera.html | 27 -- Allura/allura/templates/oembed/link_twitter.html | 29 Allura/allura/templates/oembed/photo.html| 25 7 files changed, 171 deletions(-) diff --git a/Allura/allura/templates/oembed/__init__.py b/Allura/allura/templates/oembed/__init__.py deleted file mode 100644 index 144e29886..0 --- a/Allura/allura/templates/oembed/__init__.py +++ /dev/null @@ -1,16 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. diff --git a/Allura/allura/templates/oembed/generic.html b/Allura/allura/templates/oembed/generic.html deleted file mode 100644 index 40a9f0fe2..0 --- a/Allura/allura/templates/oembed/generic.html +++ /dev/null 
@@ -1,23 +0,0 @@ -{#- - Licensed to the Apache Software Foundation (ASF) under one - or more contributor license agreements. See the NOTICE file - distributed with this work for additional information - regarding copyright ownership. The ASF licenses this file - to you under the Apache License, Version 2.0 (the - "License"); you may not use this file except in compliance - with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, - software distributed under the License is distributed on an - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - KIND, either express or implied. See the License for the - specific language governing permissions and limitations - under the License. --#} - - -{{href}} (cannot be embedded) - - diff --git a/Allura/allura/templates/oembed/html_tpl.html b/Allura/allura/templates/oembed/html_tpl.html deleted file mode 100644 index 0b063a2c0..0 --- a/Allura/allura/templates/oembed/html_tpl.html +++ /dev/null @@ -1,25 +0,0 @@ -{#- - Licensed to the Apache Software Foundation (ASF) under one - or more contributor license agreements. See the NOTICE file - distributed with this work for additional information - regarding copyright ownership. The ASF licenses this file - to you under the Apache License, Version 2.0 (the - "License"); you may not use this file except in compliance - with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, - software distributed under the License is distributed on an - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - KIND, either express or implied. See the License for the - specific language governing permissions and limitations - under the License. --#} -http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";> - - -{{data.html|safe}} - - 
diff --git a/Allura/allura/templates/oembed/link.html b/Allura/allura/templates/oembed/link.html deleted file mode 100644 index f3517a821..0 --- a/Allura/allura/templates/oembed/link.html +++ /dev/null @@ -1,26 +0,0 @@ -{#- - Licensed to the Apache Software Foundation (ASF) under one - or more contributor license agreements. See the NOTICE file - distributed with this work for additional information - regarding copyright ownership. The ASF licenses this file - to you under the Apache License, Version 2.0 (the - "License"); you may not use thi
(allura) 04/08: [#8536] remove unnecessary |safe usages
This is an automated email from the ASF dual-hosted git repository. brondsem pushed a commit to branch db/8536 in repository https://gitbox.apache.org/repos/asf/allura.git commit 8f1efe7987fb0d889336c2e4080d8f488376e5a3 Author: Dave Brondsema AuthorDate: Fri Feb 9 16:13:42 2024 -0500 [#8536] remove unnecessary |safe usages --- Allura/allura/controllers/search.py | 2 +- Allura/allura/lib/app_globals.py | 4 ++-- Allura/allura/templates/oauth_applications.html | 4 ++-- Allura/allura/templates/oauth_authorize.html | 2 +- Allura/allura/templates/project_list.html| 4 Allura/allura/templates/repo/merge_request.html | 2 +- Allura/allura/templates/widgets/include.html | 2 +- Allura/allura/templates/widgets/post_widget.html | 4 ++-- .../templates/blog_widgets/preview_post.html | 2 +- .../forgeblog/templates/blog_widgets/view_post.html | 2 +- ForgeChat/forgechat/templates/chat/day.html | 2 +- .../templates/discussion_widgets/forum_header.html | 2 +- .../templates/discussionforums/admin_forums.html | 2 +- .../forgetracker/templates/tracker/ticket.html | 2 +- .../templates/tracker_widgets/ticket_form.html | 20 ++-- ForgeWiki/forgewiki/templates/wiki/browse.html | 2 +- 16 files changed, 27 insertions(+), 31 deletions(-) diff --git a/Allura/allura/controllers/search.py b/Allura/allura/controllers/search.py index f0db69f73..31c5f1e48 100644 --- a/Allura/allura/controllers/search.py +++ b/Allura/allura/controllers/search.py @@ -130,4 +130,4 @@ class ProjectBrowseController(BaseController): projects, count = self._find_projects() title = self._build_title() c.custom_sidebar_menu = self._build_nav() -return dict(projects=projects, title=title, text=None) +return dict(projects=projects, title=title) diff --git a/Allura/allura/lib/app_globals.py b/Allura/allura/lib/app_globals.py index 9cc3d86bb..0bdf8be08 100644 --- a/Allura/allura/lib/app_globals.py +++ b/Allura/allura/lib/app_globals.py 
@@ -94,7 +94,7 @@ class ForgeMarkdown: 'markdown_checklist.extension'], output_format='html') -def convert(self, source, render_limit=True): +def convert(self, source, render_limit=True) -> Markup: if render_limit and len(source) > asint(config.get('markdown_render_max_length', 8)): # if text is too big, markdown can take a long time to process it, # so we return it as a plain text @@ -113,7 +113,7 @@ class ForgeMarkdown: regex_names = '|'.join(uncacheable_macros_names()) return re.compile(rf"\[\[\s*({regex_names})\b") -def cached_convert(self, artifact: MappedClass, field_name: str) -> str: +def cached_convert(self, artifact: MappedClass, field_name: str) -> Markup: """ Convert ``artifact.field_name`` markdown source to html, caching the result if the render time is greater than the defined threshold. diff --git a/Allura/allura/templates/oauth_applications.html b/Allura/allura/templates/oauth_applications.html index 9114f3d3e..c788e7722 100644 --- a/Allura/allura/templates/oauth_applications.html +++ b/Allura/allura/templates/oauth_applications.html @@ -83,7 +83,7 @@ Name:{{access_token.consumer_token.name}} - Description:{{access_token.consumer_token.description_html | safe}} + Description:{{access_token.consumer_token.description_html }} {% if access_token.is_bearer %} @@ -117,7 +117,7 @@ {% for consumer_token in consumer_tokens %} Name:{{consumer_token.name}} -Description:{{consumer_token.description_html | safe}} +Description:{{consumer_token.description_html }} Consumer Key:{{consumer_token.api_key}} Consumer Secret:{{consumer_token.secret_key}} diff --git a/Allura/allura/templates/oauth_authorize.html b/Allura/allura/templates/oauth_authorize.html index cd8f9655e..d3afc8b3d 100644 --- a/Allura/allura/templates/oauth_authorize.html +++ b/Allura/allura/templates/oauth_authorize.html @@ -51,7 +51,7 @@ App Name: {{consumer.name}} -Description: {{consumer.description_html|safe}} +Description: {{consumer.description_html}} 
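Review bot: `cached_convert` now promises `-> Markup`, but only its signature is in the hunk; if the cache-hit branch returns the HTML string stored on the artifact instead of re-running `convert`, that value is a plain `str`, and every template in this commit that dropped `|safe` (`description_html` in oauth_applications.html and oauth_authorize.html) would autoescape it on a cache hit and show escaped markup. Please verify that the cached path wraps the stored value, e.g. `return Markup(cached_html)` with whatever the local name is, or keep the annotation `-> str` until it does. The function body continues outside the hunk.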
diff --git a/Allura/allura/templates/project_list.html b/Allura/allura/templates/project_list.html index 6232a2411..9d68850ae 100644 --- a/Allura/allura/templates/project_list.html +++ b/Allura/allura/templates/project_list.html @@ -51,10 +51,6 @@ {% block content %} {% set old_project = c.project %} - {% if text %} -{{text|safe}} - {% endif %} - {% if not projects %} No projects found {% else %} diff --git a/Allura/allura/templates/repo/merge_request.html b/Allura/allura/template
(allura) 07/08: [#8536] don't use jinja for site notifications; add autoescape
This is an automated email from the ASF dual-hosted git repository. brondsem pushed a commit to branch db/8536 in repository https://gitbox.apache.org/repos/asf/allura.git commit 997a58206dcd37dfe8d46776fbb76fbb0f9a6e4a Author: Dave Brondsema AuthorDate: Thu Feb 15 12:05:00 2024 -0500 [#8536] don't use jinja for site notifications; add autoescape --- Allura/allura/lib/helpers.py | 24 ++ Allura/allura/lib/widgets/search.py| 1 + Allura/allura/public/nf/js/allura-base.js | 2 +- .../templates/jinja_master/theme_macros.html | 2 +- .../jinja_master/theme_macros.html | 2 +- Allura/allura/tests/test_helpers.py| 19 + 6 files changed, 43 insertions(+), 7 deletions(-) diff --git a/Allura/allura/lib/helpers.py b/Allura/allura/lib/helpers.py index bc52a5638..26dd2d94f 100644 --- a/Allura/allura/lib/helpers.py +++ b/Allura/allura/lib/helpers.py @@ -790,10 +790,26 @@ def render_any_markup(name, txt, code_mode=False, linenumbers_style=TABLE): @pass_context -def subrender_jinja_filter(context, value): -_template = context.eval_ctx.environment.from_string(value) -result = _template.render(**context) -return result +def subrender_jinja_filter(context, html_tmpl: str) -> Markup: +# jinja templates can execute potentially dangerous things +# _template = context.eval_ctx.environment.from_string(html_tmpl) +# return _template.render(**context) + +# so instead, support just a few things + +limited_vars = { +'{{ c.project.url() }}': lambda: c.project.url(), +} +for var, fn in limited_vars.items(): +if var not in html_tmpl: +continue +try: +val = fn() +except Exception: +log.exception(f'Could not replace {var} in jinja "subrender" for site notification') +continue +html_tmpl = html_tmpl.replace(var, val) +return Markup(html_tmpl) def nl2br_jinja_filter(value): diff --git a/Allura/allura/lib/widgets/search.py b/Allura/allura/lib/widgets/search.py index cec39ad44..c772992d1 100644 --- a/Allura/allura/lib/widgets/search.py +++ b/Allura/allura/lib/widgets/search.py 
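Review bot: The new `subrender_jinja_filter` keeps the old implementation as two commented-out lines; the why-comment is the valuable part, so I would keep `# jinja templates can execute potentially dangerous things, so html_tmpl is not rendered as a template; only a fixed set of placeholders is substituted` and drop the commented code. `limited_vars` also matches the placeholder as an exact string, so `{{c.project.url()}}` without the spaces is left untouched; that is acceptable if it is documented at the dict, e.g. `# exact-string match: notification text must use exactly this spacing`. The returned `Markup(html_tmpl)` marks the notification body safe without sanitizing it; the later `use h.clean_html` commit on this page changes that line, so no further change is needed here.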
@@ -53,6 +53,7 @@ class SearchHelp(ffw.Lightbox): super().__init__() # can't use g.jinja2_env since this widget gets imported too early :( jinja2_env = jinja2.Environment( +autoescape=True, loader=jinja2.PackageLoader('allura', 'templates/widgets')) self.content = Markup(jinja2_env.get_template('search_help.html').render(dict( comments=comments, diff --git a/Allura/allura/public/nf/js/allura-base.js b/Allura/allura/public/nf/js/allura-base.js index 779f4ebca..839408dee 100644 --- a/Allura/allura/public/nf/js/allura-base.js +++ b/Allura/allura/public/nf/js/allura-base.js @@ -209,7 +209,7 @@ $(function(){ }); $('#site-notification .btn-close').click(function(e) { -var $note = $(this).parent(); +var $note = $(this).parents('section:first'); $note.hide(); var note_id = $note.attr('data-notification-id'); var cookie = $.cookie('site-notification'); diff --git a/Allura/allura/templates/jinja_master/theme_macros.html b/Allura/allura/templates/jinja_master/theme_macros.html index e06f5d7a2..c9ee789b3 100644 --- a/Allura/allura/templates/jinja_master/theme_macros.html +++ b/Allura/allura/templates/jinja_master/theme_macros.html @@ -178,7 +178,7 @@ http://stackoverflow.com/questions/26582731/redefining-imported-jinja-macros {% if note %} -{{ note.content|subrender|safe }} +{{ note.content|subrender }} Close diff --git a/Allura/allura/templates_responsive/jinja_master/theme_macros.html b/Allura/allura/templates_responsive/jinja_master/theme_macros.html index 5c639115d..dd0e70ed1 100644 --- a/Allura/allura/templates_responsive/jinja_master/theme_macros.html +++ b/Allura/allura/templates_responsive/jinja_master/theme_macros.html @@ -195,7 +195,7 @@ http://stackoverflow.com/questions/26582731/redefining-imported-jinja-macros {% if note %} -{{note.content|safe}} +{{ note.content|subrender }} {# .btn-close instead of data-close, since allura-base.js handles closing it, not Foundation #} × 
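Review bot: `$(this).parents('section:first')` relies on the positional `:first` pseudo-selector, which jQuery deprecated in 3.4 and which reads as "first section" rather than "nearest ancestor section"; `var $note = $(this).closest('section');` says what is meant without the deprecated selector. The enclosing click handler continues outside the hunk.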
diff --git a/Allura/allura/tests/test_helpers.py b/Allura/allura/tests/test_helpers.py index 9a12062bd..bb7908c9b 100644 --- a/Allura/allura/tests/test_helpers.py +++ b/Allura/allura/tests/test_helpers.py @@ -24,6 +24,8 @@ import time import PIL from mock import Mock, patch from tg import tmpl_context as c +from tg import config + from alluratest.tools import module_not_available from webob import Request from webob.exc import HTTPUnauthorized @@ -346,6 +348,23 @@ d
(allura) 05/08: [#8536] improve safety
This is an automated email from the ASF dual-hosted git repository. brondsem pushed a commit to branch db/8536 in repository https://gitbox.apache.org/repos/asf/allura.git commit dd6f57588365a2a6282efa863647c8620ea5c8e8 Author: Dave Brondsema AuthorDate: Fri Feb 9 16:17:26 2024 -0500 [#8536] improve safety --- Allura/allura/ext/personal_dashboard/templates/sections/projects.html | 4 ++-- Allura/allura/ext/user_profile/templates/sections/projects.html | 2 +- Allura/allura/lib/widgets/forms.py| 3 ++- Allura/allura/templates/jinja_master/master.html | 2 +- Allura/allura/templates_responsive/jinja_master/master.html | 2 +- 5 files changed, 7 insertions(+), 6 deletions(-) diff --git a/Allura/allura/ext/personal_dashboard/templates/sections/projects.html b/Allura/allura/ext/personal_dashboard/templates/sections/projects.html index ccbd270a3..b65f7971d 100644 --- a/Allura/allura/ext/personal_dashboard/templates/sections/projects.html +++ b/Allura/allura/ext/personal_dashboard/templates/sections/projects.html @@ -43,7 +43,7 @@ {%- endif -%} {{ project.name }} -{{ project.summary or ' '|safe }} +{{ project.summary or (' '|safe) }} Last Updated: @@ -71,4 +71,4 @@ $(this).hide().closest('.section-body').find('li.hidden').show(); }); -{% endblock %} \ No newline at end of file +{% endblock %} diff --git a/Allura/allura/ext/user_profile/templates/sections/projects.html b/Allura/allura/ext/user_profile/templates/sections/projects.html index e774111d6..3b306ec8d 100644 --- a/Allura/allura/ext/user_profile/templates/sections/projects.html +++ b/Allura/allura/ext/user_profile/templates/sections/projects.html @@ -43,7 +43,7 @@ {%- endif -%} {{project.name}} -{{project.summary or ' '|safe}} +{{project.summary or (' '|safe)}} Last Updated: diff --git a/Allura/allura/lib/widgets/forms.py b/Allura/allura/lib/widgets/forms.py index 134cd6f40..65121ed5c 100644 --- a/Allura/allura/lib/widgets/forms.py +++ b/Allura/allura/lib/widgets/forms.py 
@@ -18,6 +18,7 @@ import logging from html import escape as html_escape +import html from tg import app_globals as g, tmpl_context as c from formencode import validators as fev import formencode @@ -616,7 +617,7 @@ class RemoveTroveCategoryForm(ForgeForm): text=cat.fullname, href="/categories/%s" % cat.trove_cat_id), ew.HTMLField( -text=cat.shortname, +text=html.escape(cat.shortname), attrs={'disabled': True, 'value': cat.shortname}), ew.SubmitButton( show_errors=False, diff --git a/Allura/allura/templates/jinja_master/master.html b/Allura/allura/templates/jinja_master/master.html index 72c03bc2d..6d0d829c1 100644 --- a/Allura/allura/templates/jinja_master/master.html +++ b/Allura/allura/templates/jinja_master/master.html @@ -173,7 +173,7 @@ {{ theme_macros.custom_js() }} {% if flash %} -{{ flash | safe }} +{{ flash | safe }}{# comes from flash.static_template in root.py and escaped by tg.flash allow_html setting #} {% endif %} $(document).ready(function () { diff --git a/Allura/allura/templates_responsive/jinja_master/master.html b/Allura/allura/templates_responsive/jinja_master/master.html index be687919c..3786e2b88 100644 --- a/Allura/allura/templates_responsive/jinja_master/master.html +++ b/Allura/allura/templates_responsive/jinja_master/master.html @@ -161,7 +161,7 @@ {% endif %} {{ theme_macros.custom_js() }} {% if flash %} -
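Review bot: The new `import html` at the top of forms.py duplicates the `from html import escape as html_escape` directly above it, and the second forms.py hunk then calls `html.escape(cat.shortname)` where the existing alias would do; `text=html_escape(cat.shortname),` keeps a single import and matches how the rest of the module escapes. Both forms.py hunks in this commit are covered by this note.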