(allura) 03/08: [#8536] move/improve |safe usage

2024-02-15 Thread brondsem
This is an automated email from the ASF dual-hosted git repository.

brondsem pushed a commit to branch db/8536
in repository https://gitbox.apache.org/repos/asf/allura.git

commit 2869dfdf58eefdf3c564e56953bc7cacd6192e89
Author: Dave Brondsema 
AuthorDate: Fri Feb 9 16:12:37 2024 -0500

[#8536] move/improve |safe usage
---
 Allura/allura/app.py  | 7 ---
 Allura/allura/ext/admin/templates/project_groups.html | 2 +-
 Allura/allura/lib/diff.py | 3 ++-
 Allura/allura/templates/jinja_master/sidebar_menu.html| 2 +-
 Allura/allura/templates/repo/barediff.html| 2 +-
 Allura/allura/templates/repo/diff.html| 2 +-
 Allura/allura/templates_responsive/jinja_master/sidebar_menu.html | 2 +-
 ForgeTracker/forgetracker/tracker_main.py | 6 --
 ForgeWiki/forgewiki/wiki_main.py  | 5 +++--
 9 files changed, 18 insertions(+), 13 deletions(-)

diff --git a/Allura/allura/app.py b/Allura/allura/app.py
index 1beddf562..23f18d1b3 100644
--- a/Allura/allura/app.py
+++ b/Allura/allura/app.py
@@ -24,6 +24,7 @@ from xml.etree import ElementTree as ET
 from copy import copy
 
 import pkg_resources
+from markupsafe import Markup
 from tg import expose, redirect, flash, validate
 from tg.decorators import without_trailing_slash
 from tg import config as tg_config
@@ -619,13 +620,13 @@ class Application(ActivityObject):
 """
 return []
 
-def sidebar_menu_js(self):
+def sidebar_menu_js(self) -> Markup:
 """Return Javascript needed by the sidebar menu of this Application.
 
-:return: a string of Javascript code
+:return: Markup string of Javascript code
 
 """
-return ""
+return Markup("")
 
 @LazyProperty
 def _webhooks(self):
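Review bot: The new `-> Markup` contract on `sidebar_menu_js` needs a docstring sentence aimed at overriding subclasses, because the sidebar_menu.html hunk further down this page drops `|safe` and relies on the return type alone: a subclass that still returns a plain str will now have its Javascript HTML-escaped by autoescape instead of executed. Suggested docstring line: `Subclasses must return Markup built only from trusted or already-escaped values; a plain str is autoescaped by the template.` Markup only asserts HTML safety, so if the template emits this inside a script element, any data a subclass interpolates still needs JS-context escaping (for example a JSON encoder that escapes `</`) — worth a second docstring sentence. The subclass overrides listed in the diffstat (tracker_main.py, wiki_main.py) are outside this hunk.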
diff --git a/Allura/allura/ext/admin/templates/project_groups.html 
b/Allura/allura/ext/admin/templates/project_groups.html
index bb5571010..ed941dd9d 100644
--- a/Allura/allura/ext/admin/templates/project_groups.html
+++ b/Allura/allura/ext/admin/templates/project_groups.html
@@ -76,7 +76,7 @@
   {% for r in role.users_with_role() %}
   
 {{ g.icons['perm_delete'].render(
-title=('%s (%s)' % (r.user.display_name | escape, 
r.user.username | escape)) | safe,
+title=('%s (%s)'|safe) % (r.user.display_name, 
r.user.username),
 show_title=True,
 extra_css='deleter',
 **{'data-user': r.user.username}) }}
diff --git a/Allura/allura/lib/diff.py b/Allura/allura/lib/diff.py
index 000ecce01..ee9087253 100644
--- a/Allura/allura/lib/diff.py
+++ b/Allura/allura/lib/diff.py
@@ -24,6 +24,7 @@ from collections.abc import Iterable, Generator
 import sxsdiff
 from diff_match_patch import diff_match_patch
 import six
+from markupsafe import Markup
 from sxsdiff.calculator import LineChange, ElementsHolder, PlainElement, 
AdditionElement, DeletionElement
 
 log = logging.getLogger(__name__)
@@ -67,7 +68,7 @@ class SxsOutputGenerator(sxsdiff.BaseGenerator):
 def run(self, diff_result: Iterable[LineChange | None]):
 self.out = ''
 super().run(diff_result)
-return self.out
+return Markup(self.out)  # "safe" because we use html.escape in a few 
key places below
 
 def visit_row(self, line_change: LineChange | None):
 if line_change is None:
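Review bot: The comment justifying `Markup(self.out)` asserts an invariant that lives entirely outside this hunk ("html.escape in a few key places below"), which is exactly the kind of claim that silently rots when a visitor method is edited. State it as a rule rather than an observation: `# Markup is justified only because every untrusted fragment appended to self.out by the visit_* methods goes through html.escape; keep that invariant when editing them.` Pin it with a unit test that feeds `run()` a line containing `<script>` on both sides of the diff and asserts the output contains only the escaped form. `visit_row` continues beyond the hunk.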
diff --git a/Allura/allura/templates/jinja_master/sidebar_menu.html 
b/Allura/allura/templates/jinja_master/sidebar_menu.html
index 6097e7132..d9db22f24 100644
--- a/Allura/allura/templates/jinja_master/sidebar_menu.html
+++ b/Allura/allura/templates/jinja_master/sidebar_menu.html
@@ -95,7 +95,7 @@
 {% endif %}
 {% if c.app and c.app.sidebar_menu_js() %}
   
-{{c.app.sidebar_menu_js()|safe}}
+{{c.app.sidebar_menu_js()}}
   
 {% endif %}
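Review bot: `c.app.sidebar_menu_js()` is now evaluated twice, once in the `{% if %}` guard and once for output; binding it once reads better and avoids running a subclass implementation twice per page: `{% set sidebar_js = c.app.sidebar_menu_js() if c.app else none %}`, `{% if sidebar_js %}`, `{{ sidebar_js }}`. The same structure presumably exists in the templates_responsive copy listed in the diffstat, whose hunk is cut off at the end of this commit.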
 
diff --git a/Allura/allura/templates/repo/barediff.html 
b/Allura/allura/templates/repo/barediff.html
index babccfa61..84085149f 100644
--- a/Allura/allura/templates/repo/barediff.html
+++ b/Allura/allura/templates/repo/barediff.html
@@ -25,7 +25,7 @@
title="{{h.text.truncate(b.commit._id, 10)}}"/>
 {% else %}
   {% if session.diformat == 'sidebyside' %}
-{{diff|safe}}
+{{diff}}
   {% else %}
 {{g.highlight(diff, lexer='diff')}}
   {% endif%}
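Review bot: `{{diff}}` in the sidebyside branch now depends on the controller passing the Markup produced by `SxsOutputGenerator.run` in this same commit; a plain str would be autoescaped and show raw tags as text, which is the safe failure mode but confusing to debug. A template comment makes the contract visible: `{# sidebyside diff must be Markup from SxsOutputGenerator.run(); a plain str is autoescaped #}`. The diff.html hunk below has the same dependency.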
diff --git a/Allura/allura/templates/repo/diff.html 
b/Allura/allura/templates/repo/diff.html
index df74c6c66..fdbec5663 100644
--- a/Allura/allura/templates/repo/diff.html
+++ b/Allura/allura/templates/repo/diff.html
@@ -63,7 +63,7 @@
 Switch to {{ switch_text }} 
view
   
 {% if session.diformat == 'sidebyside' %}
-  {{diff|safe}}
+  {{diff}}
 {% else %}
   {{g.highlight(diff, lexer='diff')}}
 {% endif %}
diff --git a/Allura/allura/templates_responsive/jinja_master/sidebar_menu.html

(allura) 01/08: [#8536] use Markup's own interpolation

2024-02-15 Thread brondsem
This is an automated email from the ASF dual-hosted git repository.

brondsem pushed a commit to branch db/8536
in repository https://gitbox.apache.org/repos/asf/allura.git

commit 8fb39f641df098feef390709997234bc77e0bc57
Author: Dave Brondsema 
AuthorDate: Fri Feb 9 11:23:44 2024 -0500

[#8536] use Markup's own interpolation
---
 Allura/allura/lib/app_globals.py  | 15 +
 Allura/allura/lib/search.py   |  2 +-
 Allura/allura/lib/utils.py| 10 -
 Allura/allura/lib/widgets/forms.py| 27 ++-
 Allura/allura/tasks/mail_tasks.py |  2 +-
 Allura/allura/tests/test_globals.py   |  1 +
 ForgeActivity/forgeactivity/templates/macros.html |  2 +-
 ForgeTracker/forgetracker/model/ticket.py |  2 +-
 ForgeTracker/forgetracker/widgets/ticket_form.py  |  2 +-
 9 files changed, 28 insertions(+), 35 deletions(-)

diff --git a/Allura/allura/lib/app_globals.py b/Allura/allura/lib/app_globals.py
index eadabd9bd..9cc3d86bb 100644
--- a/Allura/allura/lib/app_globals.py
+++ b/Allura/allura/lib/app_globals.py
@@ -99,17 +99,14 @@ class ForgeMarkdown:
 # if text is too big, markdown can take a long time to process it,
 # so we return it as a plain text
 log.info('Text is too big. Skipping markdown processing')
-escaped = html.escape(h.really_unicode(source))
-return Markup('%s' % escaped)
+return Markup('{}').format(h.really_unicode(source))
 try:
 return 
self.make_markdown_instance(**self.forge_ext_kwargs).convert(source)
 except Exception:
 log.info('Invalid markdown: %s  Upwards trace is %s', source,
  ''.join(traceback.format_stack()), exc_info=True)
-escaped = h.really_unicode(source)
-escaped = html.escape(escaped)
 return Markup("""ERROR! The markdown supplied 
could not be parsed correctly.
-Did you forget to surround a code snippet with 
""?%s""" % escaped)
+Did you forget to surround a code snippet with 
""?%s""") % h.really_unicode(source)
 
 @LazyProperty
 def uncacheable_macro_regex(self):
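Review bot: The two early-return branches of `convert` now use different interpolation styles for the same job — `Markup('{}').format(...)` for the too-big case and `Markup("""...""") % ...` for the parse-error case. Both escape the argument, but a reader has to know that `Markup.__mod__` escapes to trust the second one; using `.format(h.really_unicode(source))` in both keeps the safety idiom uniform. The function continues outside this hunk.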
@@ -471,10 +468,8 @@ class Globals:
 lexer = pygments.lexers.get_lexer_by_name(lexer, 
encoding='chardet')
 
 if lexer is None or len(text) >= 
asint(config.get('scm.view.max_syntax_highlight_bytes', 50)):
-# no highlighting, but we should escape, encode, and wrap it in
-# a 
-text = html.escape(text)
-return Markup('' + text + '')
+# no highlighting, but we should wrap it in a  safely
+return Markup('{}').format(text)
 else:
 return Markup(pygments.highlight(text, lexer, formatter))
 
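Review bot: `Markup('{}').format(text)` behaves differently from the removed `html.escape(text)` if `text` can ever be bytes, which the `encoding='chardet'` lexer argument a few lines up suggests is possible: `html.escape` would have raised TypeError, whereas `.format` will happily emit the `b'...'` repr as page content. If bytes are possible, decode before formatting; either way a comment stating that `text` is expected to be str would help. The `else` branch relies on the pygments formatter escaping its input, which is worth a short comment too.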
@@ -686,7 +681,7 @@ class Icon:
 if tag == 'a':
 attrs['href'] = '#'
 attrs.update(kw)
-attrs = ew._Jinja2Widget().j2_attrs(attrs)
+attrs = ew._Jinja2Widget().j2_attrs(attrs)  # this escapes them
 visible_title = ''
 if show_title:
 visible_title = f' {Markup.escape(title)}'
diff --git a/Allura/allura/lib/search.py b/Allura/allura/lib/search.py
index 27a29f738..388384798 100644
--- a/Allura/allura/lib/search.py
+++ b/Allura/allura/lib/search.py
@@ -409,4 +409,4 @@ def mapped_artifacts_from_index_ids(index_ids, model, 
objectid_id=True):
 map = {}
 for m in models:
 map[str(m._id)] = m
-return map
\ No newline at end of file
+return map
diff --git a/Allura/allura/lib/utils.py b/Allura/allura/lib/utils.py
index 683a7fcae..0cf6b8c3c 100644
--- a/Allura/allura/lib/utils.py
+++ b/Allura/allura/lib/utils.py
@@ -211,10 +211,10 @@ def chunked_iter(iterable, max_size):
 class AntiSpam:
 
 '''Helper class for bot-protecting forms'''
-honey_field_template = string.Template('''
-You seem to have CSS turned off.
+honey_field_template = '''
+You seem to have CSS turned off.
 Please don't fill out this field.
-''')
+'''
 
 def __init__(self, request=None, num_honey=2, timestamp=None, 
spinner=None):
 self.num_honey = num_honey
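Review bot: Switching `honey_field_template` from `string.Template` to a plain str consumed by `Markup(...).format(...)` in the next hunk changes the placeholder syntax and makes every literal `{` or `}` in the template significant; the visible lines contain none, but this is an HTML/CSS snippet, so verify the full literal has only `{honey_class}`, `{fld_id}` and `{fld_name}` as braces and double any others. Stylistically the Markup can be built once at class level, `honey_field_template = Markup('''...''')`, so the per-field loop below just calls `self.honey_field_template.format(...)`.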
@@ -307,10 +307,10 @@ class AntiSpam:
 for fldno in range(self.num_honey):
 fld_name = self.enc('honey%d' % (fldno))
 fld_id = self.enc('honey%d%d' % (self.counter, fldno))
-yield Markup(self.honey_field_template.substitute(
+yield Markup(self.honey_field_template).format(
 honey_class=self.honey_class,
 fld_id=fld_id,
-fld_name=fld_name))
+fld_name=fld_name)
 self.counter += 1
 
 def make_spinner(self, timestamp=None):
diff --git a/Allura/allura/lib/widgets/forms.py 
b/Allura/allura/lib/widgets/forms.py
index 5252819e1..134cd6f40 100644
--- a/Allura/allura/lib/widgets/forms.py
+++ b/Allura/allura/lib/widget

(allura) 08/08: [#8536] use h.clean_html and |safe_html

2024-02-15 Thread brondsem
This is an automated email from the ASF dual-hosted git repository.

brondsem pushed a commit to branch db/8536
in repository https://gitbox.apache.org/repos/asf/allura.git

commit 38e48ad3ca147af48f7a409bb664d6278a8b40fe
Author: Dave Brondsema 
AuthorDate: Mon Feb 12 12:20:06 2024 -0500

[#8536] use h.clean_html and |safe_html
---
 Allura/allura/config/app_cfg.py | 1 +
 Allura/allura/ext/admin/templates/project_trove.html| 2 +-
 Allura/allura/lib/helpers.py| 9 -
 Allura/allura/templates/jinja_master/master.html| 4 ++--
 Allura/allura/templates/neighborhood_project_list.html  | 2 +-
 Allura/allura/templates_responsive/jinja_master/master.html | 4 ++--
 Allura/allura/tests/test_helpers.py | 5 +
 7 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/Allura/allura/config/app_cfg.py b/Allura/allura/config/app_cfg.py
index 33e5148c4..e0a5cfb4c 100644
--- a/Allura/allura/config/app_cfg.py
+++ b/Allura/allura/config/app_cfg.py
@@ -143,6 +143,7 @@ class AlluraJinjaRenderer(JinjaRenderer):
 jinja2_env.filters['filter'] = lambda s, t=None: list(filter(t and 
jinja2_env.tests[t], s))
 jinja2_env.filters['nl2br'] = helpers.nl2br_jinja_filter
 jinja2_env.filters['subrender'] = helpers.subrender_jinja_filter
+jinja2_env.filters['safe_html'] = helpers.clean_html
 jinja2_env.globals.update({
 'hasattr': hasattr,
 'h': helpers,
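Review bot: The new filter name `safe_html` reads like a sibling of Jinja's `|safe` but does the opposite — it sanitises through an allowlist rather than trusting the value — and nothing at the registration site says so. A comment on the new line would stop the next author reaching for it as a synonym: `# allowlist-sanitises via HTMLSanitizer and marks the result safe; prefer this over |safe for stored HTML`.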
diff --git a/Allura/allura/ext/admin/templates/project_trove.html 
b/Allura/allura/ext/admin/templates/project_trove.html
index 0d1a9da78..1fbff6e95 100644
--- a/Allura/allura/ext/admin/templates/project_trove.html
+++ b/Allura/allura/ext/admin/templates/project_trove.html
@@ -27,7 +27,7 @@
   {% set help_text = config.get('trovecategories.admin.help.'+base.shortname, 
'') %}
   {% if help_text %}
 
-  {{ help_text|safe }}
+  {{ help_text|safe_html }}
   
 
   {% endif %}
diff --git a/Allura/allura/lib/helpers.py b/Allura/allura/lib/helpers.py
index 26dd2d94f..f0675e443 100644
--- a/Allura/allura/lib/helpers.py
+++ b/Allura/allura/lib/helpers.py
@@ -809,7 +809,7 @@ def subrender_jinja_filter(context, html_tmpl: str) -> 
Markup:
 log.exception(f'Could not replace {var} in jinja "subrender" for 
site notification')
 continue
 html_tmpl = html_tmpl.replace(var, val)
-return Markup(html_tmpl)
+return clean_html(html_tmpl)
 
 
 def nl2br_jinja_filter(value):
@@ -1378,3 +1378,10 @@ def pluralize_tool_name(tool_name: string, count: int):
 def parse_fediverse_address(username: str):
 pieces = username.split('@')
 return f'https://{pieces[-1]}/@{pieces[1]}'
+
+
+def clean_html(value: str) -> Markup:
+from allura.lib.markdown_extensions import HTMLSanitizer
+return Markup(
+HTMLSanitizer().run(value)
+)
diff --git a/Allura/allura/templates/jinja_master/master.html 
b/Allura/allura/templates/jinja_master/master.html
index 6d0d829c1..19cb43ca1 100644
--- a/Allura/allura/templates/jinja_master/master.html
+++ b/Allura/allura/templates/jinja_master/master.html
@@ -56,11 +56,11 @@
 
 {% if c.project and c.project.neighborhood.css %}
 
-{{c.project.neighborhood.get_custom_css()|safe}}
+{{ c.project.neighborhood.get_custom_css()|safe_html }}
 
 {% elif neighborhood|default and neighborhood.css %}
 
-{{neighborhood.get_custom_css()}}
+{{ neighborhood.get_custom_css()|safe_html }}
 
 {% endif %}
 {% block extra_css %}{% endblock %}
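Review bot: `|safe_html` is an HTML allowlist sanitiser, but `get_custom_css()` is, as the `neighborhood.css` guard suggests, a stylesheet and presumably emitted inside a style element, which is CSS context rather than HTML context. An HTML sanitiser is likely to mangle legitimate selectors such as `a > b` by escaping the `>`, and it does not by itself address what matters here: a literal `</style>` terminator breaking out of the element, or CSS-level constructs the site does not want to allow. A CSS-specific check (reject or strip `</` sequences, or validate with a CSS parser) plus a regression test using a child-combinator selector would fit better; the templates_responsive hunk below has the same issue.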
diff --git a/Allura/allura/templates/neighborhood_project_list.html 
b/Allura/allura/templates/neighborhood_project_list.html
index 91fecd345..53e33b3e1 100644
--- a/Allura/allura/templates/neighborhood_project_list.html
+++ b/Allura/allura/templates/neighborhood_project_list.html
@@ -45,7 +45,7 @@
   {{ text }}
 {% endif %}
 {% if neighborhood.homepage %}
-  {{neighborhood.homepage|safe}}
+  {{neighborhood.homepage|safe_html}}
 {% endif %}
 {% if neighborhood.allow_browse %}
   {% if not projects %}
diff --git a/Allura/allura/templates_responsive/jinja_master/master.html 
b/Allura/allura/templates_responsive/jinja_master/master.html
index 3786e2b88..5d28d00dc 100644
--- a/Allura/allura/templates_responsive/jinja_master/master.html
+++ b/Allura/allura/templates_responsive/jinja_master/master.html
@@ -58,11 +58,11 @@
 
 {% if c.project and c.project.neighborhood.css %}
 
-{{c.project.neighborhood.get_custom_css()|safe}}
+{{ c.project.neighborhood.get_custom_css()|safe_html }}
 
 {% elif neighborhood|default and neighborhood.css %}
 
-{{neighborhood.get_custom_css()}}
+{{ neighborhood.get_custom_css()|safe_html }}
 
 {% endif %}
 {% block extra_css %}{% endblock %}
diff --git a/Allura/allura/

(allura) 06/08: [#8536] more move/improve |safe

2024-02-15 Thread brondsem
This is an automated email from the ASF dual-hosted git repository.

brondsem pushed a commit to branch db/8536
in repository https://gitbox.apache.org/repos/asf/allura.git

commit ccd6e86694438b05239256ba3b815ca144fafdca
Author: Dave Brondsema 
AuthorDate: Mon Feb 12 18:16:21 2024 -0500

[#8536] more move/improve |safe
---
 Allura/allura/lib/widgets/search.py   | 5 +++--
 Allura/allura/templates/user_prefs.html   | 2 +-
 Allura/allura/templates/widgets/lightbox.html | 2 +-
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/Allura/allura/lib/widgets/search.py 
b/Allura/allura/lib/widgets/search.py
index 2bef28700..cec39ad44 100644
--- a/Allura/allura/lib/widgets/search.py
+++ b/Allura/allura/lib/widgets/search.py
@@ -18,6 +18,7 @@
 import ew as ew_core
 import ew.jinja2_ew as ew
 import jinja2
+from markupsafe import Markup
 
 from allura.lib.widgets import form_fields as ffw
 
@@ -53,8 +54,8 @@ class SearchHelp(ffw.Lightbox):
 # can't use g.jinja2_env since this widget gets imported too early :(
 jinja2_env = jinja2.Environment(
 loader=jinja2.PackageLoader('allura', 'templates/widgets'))
-self.content = jinja2_env.get_template('search_help.html').render(dict(
+self.content = 
Markup(jinja2_env.get_template('search_help.html').render(dict(
 comments=comments,
 history=history,
 fields=fields,
-))
+)))
diff --git a/Allura/allura/templates/user_prefs.html 
b/Allura/allura/templates/user_prefs.html
index 6610ad19f..62d95352d 100644
--- a/Allura/allura/templates/user_prefs.html
+++ b/Allura/allura/templates/user_prefs.html
@@ -85,7 +85,7 @@
   
 
   
-  {{c.enter_password.display(content='Enter password')}}
+  {{c.enter_password.display(content='Enter password'|safe)}}
   
 
   {% endif %}  {# allow_edit_prefs #}
diff --git a/Allura/allura/templates/widgets/lightbox.html 
b/Allura/allura/templates/widgets/lightbox.html
index 82972260f..624a49f2d 100644
--- a/Allura/allura/templates/widgets/lightbox.html
+++ b/Allura/allura/templates/widgets/lightbox.html
@@ -21,6 +21,6 @@
   {% if content_template %}
 {% include content_template with context %}
   {% else %}
-{{content|safe}}
+{{content}}
   {% endif %}
 
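Review bot: `{{content}}` now depends on every caller of the lightbox widget passing Markup rather than str; the SearchHelp change in this commit does, but other callers are not visible here. A template comment records the contract for them: `{# content must be Markup (callers wrap rendered HTML); a plain str is autoescaped #}`.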



(allura) 02/08: [#8536] remove old unused oembed templates

2024-02-15 Thread brondsem
This is an automated email from the ASF dual-hosted git repository.

brondsem pushed a commit to branch db/8536
in repository https://gitbox.apache.org/repos/asf/allura.git

commit 77ae6f4ac8d9a3f31e6404c9d3a764f32da8ddda
Author: Dave Brondsema 
AuthorDate: Fri Feb 9 16:10:46 2024 -0500

[#8536] remove old unused oembed templates
---
 Allura/allura/templates/oembed/__init__.py   | 16 -
 Allura/allura/templates/oembed/generic.html  | 23 ---
 Allura/allura/templates/oembed/html_tpl.html | 25 
 Allura/allura/templates/oembed/link.html | 26 -
 Allura/allura/templates/oembed/link_opera.html   | 27 --
 Allura/allura/templates/oembed/link_twitter.html | 29 
 Allura/allura/templates/oembed/photo.html| 25 
 7 files changed, 171 deletions(-)

diff --git a/Allura/allura/templates/oembed/__init__.py 
b/Allura/allura/templates/oembed/__init__.py
deleted file mode 100644
index 144e29886..0
--- a/Allura/allura/templates/oembed/__init__.py
+++ /dev/null
@@ -1,16 +0,0 @@
-#   Licensed to the Apache Software Foundation (ASF) under one
-#   or more contributor license agreements.  See the NOTICE file
-#   distributed with this work for additional information
-#   regarding copyright ownership.  The ASF licenses this file
-#   to you under the Apache License, Version 2.0 (the
-#   "License"); you may not use this file except in compliance
-#   with the License.  You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-#   Unless required by applicable law or agreed to in writing,
-#   software distributed under the License is distributed on an
-#   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-#   KIND, either express or implied.  See the License for the
-#   specific language governing permissions and limitations
-#   under the License.
diff --git a/Allura/allura/templates/oembed/generic.html 
b/Allura/allura/templates/oembed/generic.html
deleted file mode 100644
index 40a9f0fe2..0
--- a/Allura/allura/templates/oembed/generic.html
+++ /dev/null
@@ -1,23 +0,0 @@
-{#-
-   Licensed to the Apache Software Foundation (ASF) under one
-   or more contributor license agreements.  See the NOTICE file
-   distributed with this work for additional information
-   regarding copyright ownership.  The ASF licenses this file
-   to you under the Apache License, Version 2.0 (the
-   "License"); you may not use this file except in compliance
-   with the License.  You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing,
-   software distributed under the License is distributed on an
-   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-   KIND, either express or implied.  See the License for the
-   specific language governing permissions and limitations
-   under the License.
--#}
-
-  
-{{href}} (cannot be embedded)
-  
-
diff --git a/Allura/allura/templates/oembed/html_tpl.html 
b/Allura/allura/templates/oembed/html_tpl.html
deleted file mode 100644
index 0b063a2c0..0
--- a/Allura/allura/templates/oembed/html_tpl.html
+++ /dev/null
@@ -1,25 +0,0 @@
-{#-
-   Licensed to the Apache Software Foundation (ASF) under one
-   or more contributor license agreements.  See the NOTICE file
-   distributed with this work for additional information
-   regarding copyright ownership.  The ASF licenses this file
-   to you under the Apache License, Version 2.0 (the
-   "License"); you may not use this file except in compliance
-   with the License.  You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing,
-   software distributed under the License is distributed on an
-   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-   KIND, either express or implied.  See the License for the
-   specific language governing permissions and limitations
-   under the License.
--#}
-http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
-
-  
-{{data.html|safe}}
-  
-
diff --git a/Allura/allura/templates/oembed/link.html 
b/Allura/allura/templates/oembed/link.html
deleted file mode 100644
index f3517a821..0
--- a/Allura/allura/templates/oembed/link.html
+++ /dev/null
@@ -1,26 +0,0 @@
-{#-
-   Licensed to the Apache Software Foundation (ASF) under one
-   or more contributor license agreements.  See the NOTICE file
-   distributed with this work for additional information
-   regarding copyright ownership.  The ASF licenses this file
-   to you under the Apache License, Version 2.0 (the
-   "License"); you may not use thi

(allura) 04/08: [#8536] remove unnecessary |safe usages

2024-02-15 Thread brondsem
This is an automated email from the ASF dual-hosted git repository.

brondsem pushed a commit to branch db/8536
in repository https://gitbox.apache.org/repos/asf/allura.git

commit 8f1efe7987fb0d889336c2e4080d8f488376e5a3
Author: Dave Brondsema 
AuthorDate: Fri Feb 9 16:13:42 2024 -0500

[#8536] remove unnecessary |safe usages
---
 Allura/allura/controllers/search.py  |  2 +-
 Allura/allura/lib/app_globals.py |  4 ++--
 Allura/allura/templates/oauth_applications.html  |  4 ++--
 Allura/allura/templates/oauth_authorize.html |  2 +-
 Allura/allura/templates/project_list.html|  4 
 Allura/allura/templates/repo/merge_request.html  |  2 +-
 Allura/allura/templates/widgets/include.html |  2 +-
 Allura/allura/templates/widgets/post_widget.html |  4 ++--
 .../templates/blog_widgets/preview_post.html |  2 +-
 .../forgeblog/templates/blog_widgets/view_post.html  |  2 +-
 ForgeChat/forgechat/templates/chat/day.html  |  2 +-
 .../templates/discussion_widgets/forum_header.html   |  2 +-
 .../templates/discussionforums/admin_forums.html |  2 +-
 .../forgetracker/templates/tracker/ticket.html   |  2 +-
 .../templates/tracker_widgets/ticket_form.html   | 20 ++--
 ForgeWiki/forgewiki/templates/wiki/browse.html   |  2 +-
 16 files changed, 27 insertions(+), 31 deletions(-)

diff --git a/Allura/allura/controllers/search.py 
b/Allura/allura/controllers/search.py
index f0db69f73..31c5f1e48 100644
--- a/Allura/allura/controllers/search.py
+++ b/Allura/allura/controllers/search.py
@@ -130,4 +130,4 @@ class ProjectBrowseController(BaseController):
 projects, count = self._find_projects()
 title = self._build_title()
 c.custom_sidebar_menu = self._build_nav()
-return dict(projects=projects, title=title, text=None)
+return dict(projects=projects, title=title)
diff --git a/Allura/allura/lib/app_globals.py b/Allura/allura/lib/app_globals.py
index 9cc3d86bb..0bdf8be08 100644
--- a/Allura/allura/lib/app_globals.py
+++ b/Allura/allura/lib/app_globals.py
@@ -94,7 +94,7 @@ class ForgeMarkdown:
 'markdown_checklist.extension'],
 output_format='html')
 
-def convert(self, source, render_limit=True):
+def convert(self, source, render_limit=True) -> Markup:
 if render_limit and len(source) > 
asint(config.get('markdown_render_max_length', 8)):
 # if text is too big, markdown can take a long time to process it,
 # so we return it as a plain text
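Review bot: The `-> Markup` annotation on `convert` is accurate for the two early-return branches (seen in the 01/08 hunk on this page), but the main path `return self.make_markdown_instance(...).convert(source)` returns whatever the markdown instance's `convert` returns — a plain str as far as I know — so the annotation overstates the contract unless that path is wrapped too. If a `Markup(...)` wrap is added there, the justification is the sanitising extension in the markdown pipeline and should be stated in a comment next to it. The function body continues outside this hunk.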
@@ -113,7 +113,7 @@ class ForgeMarkdown:
 regex_names = '|'.join(uncacheable_macros_names())
 return re.compile(rf"\[\[\s*({regex_names})\b")
 
-def cached_convert(self, artifact: MappedClass, field_name: str) -> str:
+def cached_convert(self, artifact: MappedClass, field_name: str) -> Markup:
 """
 Convert ``artifact.field_name`` markdown source to html, caching
 the result if the render time is greater than the defined threshold.
diff --git a/Allura/allura/templates/oauth_applications.html 
b/Allura/allura/templates/oauth_applications.html
index 9114f3d3e..c788e7722 100644
--- a/Allura/allura/templates/oauth_applications.html
+++ b/Allura/allura/templates/oauth_applications.html
@@ -83,7 +83,7 @@
 Name:{{access_token.consumer_token.name}}
 
 
-
Description:{{access_token.consumer_token.description_html | 
safe}}
+
Description:{{access_token.consumer_token.description_html }}
 
 {% if access_token.is_bearer %}
 
@@ -117,7 +117,7 @@
 {% for consumer_token in consumer_tokens %}
 
 Name:{{consumer_token.name}}
-Description:{{consumer_token.description_html 
| safe}}
+Description:{{consumer_token.description_html 
}}
 Consumer 
Key:{{consumer_token.api_key}}
 Consumer 
Secret:{{consumer_token.secret_key}}
 
diff --git a/Allura/allura/templates/oauth_authorize.html 
b/Allura/allura/templates/oauth_authorize.html
index cd8f9655e..d3afc8b3d 100644
--- a/Allura/allura/templates/oauth_authorize.html
+++ b/Allura/allura/templates/oauth_authorize.html
@@ -51,7 +51,7 @@
 
 
 App Name: {{consumer.name}}
-Description:  
{{consumer.description_html|safe}}
+Description:  {{consumer.description_html}}
 
 
 
diff --git a/Allura/allura/templates/project_list.html 
b/Allura/allura/templates/project_list.html
index 6232a2411..9d68850ae 100644
--- a/Allura/allura/templates/project_list.html
+++ b/Allura/allura/templates/project_list.html
@@ -51,10 +51,6 @@
 {% block content %}
   {% set old_project = c.project %}
   
-  {% if text %}
-{{text|safe}}
-  {% endif %}
-  
   {% if not projects %}
 No projects found
   {% else %}
diff --git a/Allura/allura/templates/repo/merge_request.html 
b/Allura/allura/template

(allura) 07/08: [#8536] don't use jinja for site notifications; add autoescape

2024-02-15 Thread brondsem
This is an automated email from the ASF dual-hosted git repository.

brondsem pushed a commit to branch db/8536
in repository https://gitbox.apache.org/repos/asf/allura.git

commit 997a58206dcd37dfe8d46776fbb76fbb0f9a6e4a
Author: Dave Brondsema 
AuthorDate: Thu Feb 15 12:05:00 2024 -0500

[#8536] don't use jinja for site notifications; add autoescape
---
 Allura/allura/lib/helpers.py   | 24 ++
 Allura/allura/lib/widgets/search.py|  1 +
 Allura/allura/public/nf/js/allura-base.js  |  2 +-
 .../templates/jinja_master/theme_macros.html   |  2 +-
 .../jinja_master/theme_macros.html |  2 +-
 Allura/allura/tests/test_helpers.py| 19 +
 6 files changed, 43 insertions(+), 7 deletions(-)

diff --git a/Allura/allura/lib/helpers.py b/Allura/allura/lib/helpers.py
index bc52a5638..26dd2d94f 100644
--- a/Allura/allura/lib/helpers.py
+++ b/Allura/allura/lib/helpers.py
@@ -790,10 +790,26 @@ def render_any_markup(name, txt, code_mode=False, 
linenumbers_style=TABLE):
 
 
 @pass_context
-def subrender_jinja_filter(context, value):
-_template = context.eval_ctx.environment.from_string(value)
-result = _template.render(**context)
-return result
+def subrender_jinja_filter(context, html_tmpl: str) -> Markup:
+# jinja templates can execute potentially dangerous things
+#   _template = context.eval_ctx.environment.from_string(html_tmpl)
+#   return _template.render(**context)
+
+# so instead, support just a few things
+
+limited_vars = {
+'{{ c.project.url() }}': lambda: c.project.url(),
+}
+for var, fn in limited_vars.items():
+if var not in html_tmpl:
+continue
+try:
+val = fn()
+except Exception:
+log.exception(f'Could not replace {var} in jinja "subrender" for 
site notification')
+continue
+html_tmpl = html_tmpl.replace(var, val)
+return Markup(html_tmpl)
 
 
 def nl2br_jinja_filter(value):
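Review bot: The rewritten `subrender_jinja_filter` keeps the rejected approach as commented-out code and has no docstring explaining why only a fixed set of substitutions is supported. Replace the two commented code lines with a prose reason, `# Deliberately not rendered as a Jinja template: from_string() on admin-supplied text would evaluate arbitrary template expressions.`, and add a docstring saying the filter substitutes a small allowlist of placeholders into site-notification HTML and returns it as Markup. The final `Markup(html_tmpl)` trusts the stored notification HTML as-is; the 08/08 commit in this thread routes it through `clean_html`, which closes that gap.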
diff --git a/Allura/allura/lib/widgets/search.py 
b/Allura/allura/lib/widgets/search.py
index cec39ad44..c772992d1 100644
--- a/Allura/allura/lib/widgets/search.py
+++ b/Allura/allura/lib/widgets/search.py
@@ -53,6 +53,7 @@ class SearchHelp(ffw.Lightbox):
 super().__init__()
 # can't use g.jinja2_env since this widget gets imported too early :(
 jinja2_env = jinja2.Environment(
+autoescape=True,
 loader=jinja2.PackageLoader('allura', 'templates/widgets'))
 self.content = 
Markup(jinja2_env.get_template('search_help.html').render(dict(
 comments=comments,
diff --git a/Allura/allura/public/nf/js/allura-base.js 
b/Allura/allura/public/nf/js/allura-base.js
index 779f4ebca..839408dee 100644
--- a/Allura/allura/public/nf/js/allura-base.js
+++ b/Allura/allura/public/nf/js/allura-base.js
@@ -209,7 +209,7 @@ $(function(){
 });
 
 $('#site-notification .btn-close').click(function(e) {
-var $note = $(this).parent();
+var $note = $(this).parents('section:first');
 $note.hide();
 var note_id = $note.attr('data-notification-id');
 var cookie = $.cookie('site-notification');
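Review bot: `$(this).parents('section:first')` uses the jQuery-only `:first` positional pseudo, deprecated since jQuery 3.4 and ambiguous when combined with a traversal filter; assuming the nearest enclosing section is intended, `var $note = $(this).closest('section');` is the idiomatic and unambiguous form. The click handler continues outside this hunk.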
diff --git a/Allura/allura/templates/jinja_master/theme_macros.html 
b/Allura/allura/templates/jinja_master/theme_macros.html
index e06f5d7a2..c9ee789b3 100644
--- a/Allura/allura/templates/jinja_master/theme_macros.html
+++ b/Allura/allura/templates/jinja_master/theme_macros.html
@@ -178,7 +178,7 @@ 
http://stackoverflow.com/questions/26582731/redefining-imported-jinja-macros
 {% if note %}
 
 
-{{ note.content|subrender|safe }}
+{{ note.content|subrender }}
 Close
 
 
diff --git a/Allura/allura/templates_responsive/jinja_master/theme_macros.html 
b/Allura/allura/templates_responsive/jinja_master/theme_macros.html
index 5c639115d..dd0e70ed1 100644
--- a/Allura/allura/templates_responsive/jinja_master/theme_macros.html
+++ b/Allura/allura/templates_responsive/jinja_master/theme_macros.html
@@ -195,7 +195,7 @@ 
http://stackoverflow.com/questions/26582731/redefining-imported-jinja-macros
 {% if note %}
 
 
-{{note.content|safe}}
+{{ note.content|subrender }}
 
   {#  .btn-close instead of data-close, since allura-base.js 
handles closing it, not Foundation #}
   ×
diff --git a/Allura/allura/tests/test_helpers.py 
b/Allura/allura/tests/test_helpers.py
index 9a12062bd..bb7908c9b 100644
--- a/Allura/allura/tests/test_helpers.py
+++ b/Allura/allura/tests/test_helpers.py
@@ -24,6 +24,8 @@ import time
 import PIL
 from mock import Mock, patch
 from tg import tmpl_context as c
+from tg import config
+
 from alluratest.tools import module_not_available
 from webob import Request
 from webob.exc import HTTPUnauthorized
@@ -346,6 +348,23 @@ d

(allura) 05/08: [#8536] improve safety

2024-02-15 Thread brondsem
This is an automated email from the ASF dual-hosted git repository.

brondsem pushed a commit to branch db/8536
in repository https://gitbox.apache.org/repos/asf/allura.git

commit dd6f57588365a2a6282efa863647c8620ea5c8e8
Author: Dave Brondsema 
AuthorDate: Fri Feb 9 16:17:26 2024 -0500

[#8536] improve safety
---
 Allura/allura/ext/personal_dashboard/templates/sections/projects.html | 4 ++--
 Allura/allura/ext/user_profile/templates/sections/projects.html   | 2 +-
 Allura/allura/lib/widgets/forms.py| 3 ++-
 Allura/allura/templates/jinja_master/master.html  | 2 +-
 Allura/allura/templates_responsive/jinja_master/master.html   | 2 +-
 5 files changed, 7 insertions(+), 6 deletions(-)

diff --git 
a/Allura/allura/ext/personal_dashboard/templates/sections/projects.html 
b/Allura/allura/ext/personal_dashboard/templates/sections/projects.html
index ccbd270a3..b65f7971d 100644
--- a/Allura/allura/ext/personal_dashboard/templates/sections/projects.html
+++ b/Allura/allura/ext/personal_dashboard/templates/sections/projects.html
@@ -43,7 +43,7 @@
 {%- endif -%}
 
 {{ project.name }}
-{{ project.summary or ' '|safe }}
+{{ project.summary or (' '|safe) }}
 
 
 Last Updated:
@@ -71,4 +71,4 @@
 $(this).hide().closest('.section-body').find('li.hidden').show();
 });
 
-{% endblock %}
\ No newline at end of file
+{% endblock %}
diff --git a/Allura/allura/ext/user_profile/templates/sections/projects.html 
b/Allura/allura/ext/user_profile/templates/sections/projects.html
index e774111d6..3b306ec8d 100644
--- a/Allura/allura/ext/user_profile/templates/sections/projects.html
+++ b/Allura/allura/ext/user_profile/templates/sections/projects.html
@@ -43,7 +43,7 @@
 {%- endif -%}
 
 {{project.name}}
-{{project.summary or ' '|safe}}
+{{project.summary or (' '|safe)}}
 
 
 Last Updated:
diff --git a/Allura/allura/lib/widgets/forms.py 
b/Allura/allura/lib/widgets/forms.py
index 134cd6f40..65121ed5c 100644
--- a/Allura/allura/lib/widgets/forms.py
+++ b/Allura/allura/lib/widgets/forms.py
@@ -18,6 +18,7 @@
 import logging
 from html import escape as html_escape
 
+import html
 from tg import app_globals as g, tmpl_context as c
 from formencode import validators as fev
 import formencode
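Review bot: `import html` duplicates the `from html import escape as html_escape` already present a few lines above, and it lands in the third-party import group after the blank line rather than with the stdlib imports. Drop the new line and use the existing alias in the next hunk: `text=html_escape(cat.shortname),`.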
@@ -616,7 +617,7 @@ class RemoveTroveCategoryForm(ForgeForm):
 text=cat.fullname,
 href="/categories/%s" % cat.trove_cat_id),
 ew.HTMLField(
-text=cat.shortname,
+text=html.escape(cat.shortname),
 attrs={'disabled': True, 'value': cat.shortname}),
 ew.SubmitButton(
 show_errors=False,
diff --git a/Allura/allura/templates/jinja_master/master.html 
b/Allura/allura/templates/jinja_master/master.html
index 72c03bc2d..6d0d829c1 100644
--- a/Allura/allura/templates/jinja_master/master.html
+++ b/Allura/allura/templates/jinja_master/master.html
@@ -173,7 +173,7 @@
 {{ theme_macros.custom_js() }}
 
 {% if flash %}
-{{ flash | safe }}
+{{ flash | safe }}{# comes from 
flash.static_template in root.py and escaped by tg.flash allow_html setting #}
 {% endif %}
 
 $(document).ready(function () {
diff --git a/Allura/allura/templates_responsive/jinja_master/master.html 
b/Allura/allura/templates_responsive/jinja_master/master.html
index be687919c..3786e2b88 100644
--- a/Allura/allura/templates_responsive/jinja_master/master.html
+++ b/Allura/allura/templates_responsive/jinja_master/master.html
@@ -161,7 +161,7 @@
 {% endif %}
 {{ theme_macros.custom_js() }}
 {% if flash %}
-