fixes to xss vulernabilities reported in #57
evereux committed Nov 30, 2021
1 parent 74d4dc5 commit c0f92b9
Showing 10 changed files with 42 additions and 63 deletions.
8 changes: 4 additions & 4 deletions application/__init__.py
Expand Up @@ -25,16 +25,15 @@
from flask_pagedown import PageDown
from flask_sqlalchemy import SQLAlchemy
from flask_babel import Babel
from flaskext.markdown import Markdown

from application.flicket_admin.views import admin_bp
from application.flicket_api.views import bp_api
from application.flicket_errors import bp_errors
from application.flicket.views import flicket_bp
from application.flicket.scripts.jinja2_functions import display_post_box
from application.flicket.scripts.jinja2_functions import now_year
from application.flicket.scripts.jinja2_functions import show_markdown

__version__ = '0.2.6'
__version__ = '0.2.7'

app = Flask(__name__)
app.config.from_object('config.BaseConfiguration')
Expand All @@ -45,9 +44,10 @@
pagedown = PageDown(app)

babel = Babel(app)
Markdown(app)

# import jinja function
app.jinja_env.globals.update(display_post_box=display_post_box, show_markdown=show_markdown, now_year=now_year)
app.jinja_env.globals.update(now_year=now_year)

# import models so alembic can see them
# noinspection PyPep8
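Review bot: `Markdown(app)` is registered with library defaults, and Flask-Markdown's filter wraps the converter's output in `Markup` without escaping its input unless `auto_escape=True` is given (if the installed version supports that keyword), so the new `{% filter markdown %}` blocks stay XSS-safe only because Jinja autoescapes the `{{ ... }}` inside them before the filter runs. Passing `Markdown(app, auto_escape=True)` makes the filter escape any non-`Markup` input itself, which costs nothing in autoescaped templates (escaping a `Markup` is a no-op) and closes the gap if the filter is ever applied to a plain string. A comment next to the call, `# markdown filter trusts its input: templates must keep autoescape on (see flicket_post.html)`, would record the dependency. As far as I can tell `flaskext.markdown` has not been updated in years, so it is worth pinning and tracking as a dependency risk.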
1 change: 0 additions & 1 deletion application/flicket/models/flicket_models.py
Expand Up @@ -323,7 +323,6 @@ def my_tickets(ticket_query):

return ticket_query


@staticmethod
def my_subscribed_tickets(ticket_query):
"""
32 changes: 0 additions & 32 deletions application/flicket/scripts/jinja2_functions.py
Expand Up @@ -5,38 +5,6 @@

from flask import render_template

from markdown import markdown


def display_post_box(ticket=None, post=None, replies=None, loop=None, page=None):
"""
:param ticket: object containing ticket information
:param post:
:param replies:
:param loop:
:param page:
:return:
"""

if post is None:
content = ticket
else:
content = post

return render_template('flicket_post.html', ticket=ticket, post=post, content=content, replies=replies, loop=loop,
page=page)


def show_markdown(text):
"""
Function to convert text to markdown.
:param text:
:return:
"""
html = markdown(text, safemode="escape")

return html


def now_year():
return datetime.datetime.now().strftime('%Y')
2 changes: 1 addition & 1 deletion application/flicket/templates/flicket_delete.html
Expand Up @@ -15,7 +15,7 @@ <h1 class="text-center">{{ title }}</h1>
<div class="col">
<div class="row">
<div class="col">
<p>{{ notification|safe }}</p>
<p>{{ notification }}</p>
</div>
</div>
<div class="row">
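Review bot: Removing `|safe` changes the contract for whatever supplies `notification`: a value that embeds markup now renders as literal tags. The two producers changed in delete.py in this commit send plain text, but any other view rendering this template (not visible here) that still builds HTML should either send plain text or return `Markup(...)` with `escape()` applied to every interpolated value, which autoescaping then leaves intact. The same applies to every `flash()` caller after the matching change in flicket_flashmessages.html.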
2 changes: 1 addition & 1 deletion application/flicket/templates/flicket_flashmessages.html
Expand Up @@ -3,7 +3,7 @@
<div class="container">
<div class=" col alert alert-{{ messages.0.0 }}" role="alert">
{% for category, message in messages %}
{{ message | safe }} <br>
{{ message }} <br>
{% endfor %}
</div>
</div>
6 changes: 5 additions & 1 deletion application/flicket/templates/flicket_history.html
Expand Up @@ -30,7 +30,11 @@ <h2>
{% if history %}
{% for h in history %}
<dt>{{ h.user.name }} {{ _('originally wrote on') }} {{ h.date_modified }}</dt>
<dd>{{ show_markdown(h.original_content)|safe }}</dd>
<dd>
{% filter markdown %}
{{ h.original_content }}
{% endfilter %}
</dd>
{% endfor %}
{% else %}
<dd>{{ _('No changes have been made to the post content.') }}</dd>
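Review bot: The `{% filter markdown %}` block is safe only because autoescaping escapes `{{ h.original_content }}` before the filter runs; the filter itself returns `Markup`, so a template rendered with autoescape off would pass raw HTML straight to the page. Escaping also does not neutralise Markdown link syntax: `[x](javascript:...)` still becomes an `<a href>` unless the converter or a post-sanitiser rejects the scheme, and nothing in this commit does that, so a sanitiser pass (or an allow-list of URL schemes) over the rendered HTML is the remaining gap. If the template indents the `{{ }}` line inside the block, that whitespace reaches the converter as part of the first line, where four leading spaces start an indented code block; `{% filter markdown -%}` / `{%- endfilter %}` strips it. A short comment above the block, `{# autoescape must stay on: the markdown filter trusts its input #}`, records the first dependency; the two filter blocks in flicket_post.html have the same properties.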
21 changes: 12 additions & 9 deletions application/flicket/templates/flicket_post.html
Expand Up @@ -39,11 +39,11 @@

<div class="row border-bottom m-0 p-2">
<div class="col-auto">
{% if replies %}
<a class="anchor" id="{{ content.id }}" href="#{{ content.id }}">Reply #{{ (replies.page - 1)
{% if _replies %}
<a class="anchor" id="{{ content.id }}" href="#{{ content.id }}">Reply #{{ (_replies.page - 1)
*
replies.per_page
+ loop.index }}</a>
_replies.per_page
+ post_loop.index }}</a>
|
{% endif %}
{{ content.date_added.strftime('%d-%m-%Y %H:%M') }}
Expand Down Expand Up @@ -78,7 +78,9 @@

<div class="row border-bottom m-0 p-2">
<div class="col">
{{- show_markdown(content.content)|safe -}}
{% filter markdown %}
{{ content.content }}
{% endfilter %}
{%- if content.modified_id -%}
<div class="">
{{ _('This post was modified by') }} {{ content.modified.name }}
Expand All @@ -103,13 +105,14 @@
<div class="col">
{%- if content.uploads -%}
{%- for upload in content.uploads %}
<a class="flicket-tickets-title" href="{{ url_for('flicket_bp.view_ticket_uploads', filename=upload.filename) }}"
<a class="flicket-tickets-title"
href="{{ url_for('flicket_bp.view_ticket_uploads', filename=upload.filename) }}"
title="{{ upload.original_filename }}"
target="_blank">
{% if upload.original_filename|length > 12 %}
{{ upload.original_filename[0:12] }}...{{ upload.original_filename[-3:] }}
{{ upload.original_filename[0:12] }}...{{ upload.original_filename[-3:] }}
{% else %}
{{ upload.original_filename }}
{{ upload.original_filename }}
{% endif %}
<i class="fas fa-file"></i>
</a>
Expand All @@ -118,7 +121,7 @@
</div>
<div class="col-auto text-right">
{%- if post -%}
{%- set pid = post.id -%}
{%- set pid = post.id -%}
{%- else -%}
{%- set pid = None -%}
{%- set rid = ticket.id -%}
21 changes: 14 additions & 7 deletions application/flicket/templates/flicket_view.html
Expand Up @@ -141,7 +141,7 @@
{{ subscribers_form.username(class="form-control form-control-sm mr-1", id="autocomplete-username", placeholder="User Name") }}
</div>
{% if subscribers_form.username.errors %}
<div class="btn btn-warning btn-sm">Invalid username.</div>
<div class="btn btn-warning btn-sm">Invalid username.</div>
{% endif %}
<div class="col">
{{ subscribers_form.sub_user(class="btn btn-primary btn-sm") }}
Expand Down Expand Up @@ -195,15 +195,17 @@
</div>
</div>

<!-- display ticket-->
{{ display_post_box(ticket, page=page)|safe }}
<!-- end display ticket -->
<!-- display initial ticket request -->
{% set content = ticket %}
{% set _replies = None %}
{% include('flicket_post.html') %}
<!-- end display initial ticket request -->

<!-- display actions -->
{% for action in ticket.actions_nonepost %}
<div class="row m-3">
<div class="col border rounded p-1 flicket-action">
{{ action.output_action()|safe }}
{{ action.output_action() }}
</div>
</div>
{% endfor %}
Expand All @@ -212,13 +214,18 @@
<!-- flicket ticket replies -->
{% for r in replies.items %}
<!-- display replies -->
{{ display_post_box(ticket=ticket, post=r, replies=replies, loop=loop, page=page)|safe }}
{% set ticket = ticket %}
{% set _replies = replies %}
{% set post = r %}
{% set post_loop = loop %}
{% set content = post %}
{% include('flicket_post.html') %}

<!-- display actions -->
{% for action in r.actions %}
<div class="row m-3">
<div class="col border rounded p-1 flicket-action">
{{ action.output_action()|safe }}
{{ action.output_action() }}
</div>
</div>
{% endfor %}
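Review bot: `{{ action.output_action() }}` is now autoescaped in both action loops; if `output_action()` assembles HTML (the removed `|safe` suggests it did), its result now shows as literal tags, so it should return plain text or a `Markup` built with `escape()` on every user-controlled field — its definition is not visible in this section. The first include sets only `content` and `_replies`, so flicket_post.html's `{%- if post -%}` relies on an undefined `post` being falsy, which holds for Jinja's default `Undefined` but raises under `StrictUndefined`; `{% set post = None %}` and `{% set post_loop = None %}` beside `{% set _replies = None %}` make it explicit. `{% set ticket = ticket %}` in the replies loop is a no-op and can be dropped.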
10 changes: 4 additions & 6 deletions application/flicket/views/delete.py
Expand Up @@ -138,10 +138,8 @@ def delete_category(category_id=False):
flash('Category deleted', category='success')
return redirect(url_for('flicket_bp.departments'))

notification = "You are trying to delete category <span class=\"label label-default\">{}</span> that belongs " \
"to department <span class=\"label label-default\">{}</span>.".format(
category.category,
category.department.department)
notification = "You are trying to delete category: {} that belongs " \
"to department: {}.".format(category.category.upper(), category.department.department.upper())

title = gettext('Delete Category')

Expand Down Expand Up @@ -187,8 +185,8 @@ def delete_department(department_id=False):
return redirect(url_for('flicket_bp.departments'))

notification = gettext(
"You are trying to delete department <span class=\"label label-default\">%(value)s</span>.",
value=department.department)
"You are trying to delete department: %(value)s.",
value=department.department.upper())

title = gettext('Delete Department')

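Review bot: The new `delete_category` notification is a plain `.format()` string while the `delete_department` one in the second hunk goes through `gettext`, so only one of the two is translatable; `notification = gettext("You are trying to delete category: %(cat)s that belongs to department: %(dept)s.", cat=category.category.upper(), dept=category.department.department.upper())` keeps them consistent. `.upper()` is a presentation choice the template could apply instead, and it changes the text in a way that matters if names differ only by case; if it is meant as the replacement for the removed `<span>` label, a comment saying so, `# upper-case stands in for the former label markup now that the template escapes`, would stop someone "fixing" it later. Both functions start outside their hunks.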
2 changes: 1 addition & 1 deletion docs/conf.py
Expand Up @@ -24,7 +24,7 @@
author = 'evereux@gmail.com'

# The full version, including alpha/beta/rc tags
release = '0.2.6'
release = '0.2.7'

# -- General configuration ---------------------------------------------------

