From c0f92b9a47294e03aed16a3df64889b5cea04320 Mon Sep 17 00:00:00 2001 From: evereux Date: Tue, 30 Nov 2021 12:07:26 +0000 Subject: [PATCH] fixes to xss vulernabilities reported in #57 --- application/__init__.py | 8 ++--- application/flicket/models/flicket_models.py | 1 - .../flicket/scripts/jinja2_functions.py | 32 ------------------- .../flicket/templates/flicket_delete.html | 2 +- .../templates/flicket_flashmessages.html | 2 +- .../flicket/templates/flicket_history.html | 6 +++- .../flicket/templates/flicket_post.html | 21 ++++++------ .../flicket/templates/flicket_view.html | 21 ++++++++---- application/flicket/views/delete.py | 10 +++--- docs/conf.py | 2 +- 10 files changed, 42 insertions(+), 63 deletions(-) diff --git a/application/__init__.py b/application/__init__.py index 82938c5..6fcd069 100644 --- a/application/__init__.py +++ b/application/__init__.py @@ -25,16 +25,15 @@ from flask_pagedown import PageDown from flask_sqlalchemy import SQLAlchemy from flask_babel import Babel +from flaskext.markdown import Markdown from application.flicket_admin.views import admin_bp from application.flicket_api.views import bp_api from application.flicket_errors import bp_errors from application.flicket.views import flicket_bp -from application.flicket.scripts.jinja2_functions import display_post_box from application.flicket.scripts.jinja2_functions import now_year -from application.flicket.scripts.jinja2_functions import show_markdown -__version__ = '0.2.6' +__version__ = '0.2.7' app = Flask(__name__) app.config.from_object('config.BaseConfiguration') @@ -45,9 +44,10 @@ pagedown = PageDown(app) babel = Babel(app) +Markdown(app) # import jinja function -app.jinja_env.globals.update(display_post_box=display_post_box, show_markdown=show_markdown, now_year=now_year) +app.jinja_env.globals.update(now_year=now_year) # import models so alembic can see them # noinspection PyPep8 
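Review bot: `Markdown(app)` is registered with its defaults, and Flask-Markdown with `auto_escape` left at False hands the filter input to Python-Markdown unescaped, which does not sanitize raw HTML; the `{% filter markdown %}` blocks added in flicket_history.html and flicket_post.html are therefore only safe because Jinja autoescaping has already escaped `{{ content.content }}` and `{{ h.original_content }}` before the filter runs, which holds for `.html` templates under Flask but not inside an `{% autoescape false %}` block or a `render_template_string` call. Registering it as `Markdown(app, auto_escape=True)` makes the escaping independent of the surrounding template, with a why-comment on that line such as `# auto_escape: user-authored markdown must not reach the renderer as raw HTML`. Escaping does not cover markdown link syntax, whose destination is copied into an href attribute without scheme filtering, so if posts may contain links the filter output should additionally pass through an HTML sanitizer with an allow-list of tags, attributes and URL schemes. The `safemode="escape"` keyword removed from show_markdown is not Python-Markdown's `safe_mode` spelling and that option was itself dropped in Python-Markdown 3.0, so it most likely never had any effect, which is worth recording in the commit message.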
diff --git a/application/flicket/models/flicket_models.py b/application/flicket/models/flicket_models.py index 03c4782..15e6cc9 100644 --- a/application/flicket/models/flicket_models.py +++ b/application/flicket/models/flicket_models.py @@ -323,7 +323,6 @@ def my_tickets(ticket_query): return ticket_query - @staticmethod def my_subscribed_tickets(ticket_query): """ diff --git a/application/flicket/scripts/jinja2_functions.py b/application/flicket/scripts/jinja2_functions.py index f9286ae..1e229e5 100644 --- a/application/flicket/scripts/jinja2_functions.py +++ b/application/flicket/scripts/jinja2_functions.py @@ -5,38 +5,6 @@ from flask import render_template -from markdown import markdown - - -def display_post_box(ticket=None, post=None, replies=None, loop=None, page=None): - """ - :param ticket: object containing ticket information - :param post: - :param replies: - :param loop: - :param page: - :return: - """ - - if post is None: - content = ticket - else: - content = post - - return render_template('flicket_post.html', ticket=ticket, post=post, content=content, replies=replies, loop=loop, - page=page) - - -def show_markdown(text): - """ - Function to convert text to markdown. - :param text: - :return: - """ - html = markdown(text, safemode="escape") - - return html - def now_year(): return datetime.datetime.now().strftime('%Y') diff --git a/application/flicket/templates/flicket_delete.html b/application/flicket/templates/flicket_delete.html index c4f8016..ad5179e 100644 --- a/application/flicket/templates/flicket_delete.html +++ b/application/flicket/templates/flicket_delete.html @@ -15,7 +15,7 @@

{{ title }}

-

{{ notification|safe }}

+

{{ notification }}

diff --git a/application/flicket/templates/flicket_flashmessages.html b/application/flicket/templates/flicket_flashmessages.html index 0c9ade6..9e66293 100644 --- a/application/flicket/templates/flicket_flashmessages.html +++ b/application/flicket/templates/flicket_flashmessages.html @@ -3,7 +3,7 @@
diff --git a/application/flicket/templates/flicket_history.html b/application/flicket/templates/flicket_history.html index 840f860..37c2846 100644 --- a/application/flicket/templates/flicket_history.html +++ b/application/flicket/templates/flicket_history.html @@ -30,7 +30,11 @@

{% if history %} {% for h in history %}
{{ h.user.name }} {{ _('originally wrote on') }} {{ h.date_modified }}
-
{{ show_markdown(h.original_content)|safe }}
+
+ {% filter markdown %} + {{ h.original_content }} + {% endfilter %} +
{% endfor %} {% else %}
{{ _('No changes have been made to the post content.') }}
diff --git a/application/flicket/templates/flicket_post.html b/application/flicket/templates/flicket_post.html index dc426f7..ca8e8c8 100644 --- a/application/flicket/templates/flicket_post.html +++ b/application/flicket/templates/flicket_post.html @@ -39,11 +39,11 @@
- {% if replies %} - Reply #{{ (replies.page - 1) + {% if _replies %} + Reply #{{ (_replies.page - 1) * - replies.per_page - + loop.index }} + _replies.per_page + + post_loop.index }} | {% endif %} {{ content.date_added.strftime('%d-%m-%Y %H:%M') }} @@ -78,7 +78,9 @@
- {{- show_markdown(content.content)|safe -}} + {% filter markdown %} + {{ content.content }} + {% endfilter %} {%- if content.modified_id -%}
{{ _('This post was modified by') }} {{ content.modified.name }} @@ -103,13 +105,14 @@
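Review bot: The new `{% filter markdown %}` block in the `@@ -78,7 +78,9 @@` hunk captures the template's own line breaks and indentation around `{{ content.content }}` and feeds them to the markdown renderer; the indentation is not recoverable from this copy of the patch, but if the `{{ }}` line is indented by four or more spaces Python-Markdown treats the first line of every post as an indented code block and renders it inside `<pre><code>`. The line it replaces used whitespace control (`{{- ... -}}`), so the block should too: `{% filter markdown -%}`, `{{ content.content }}`, `{%- endfilter %}`. The same applies to the `{{ h.original_content }}` block added in flicket_history.html. The enclosing markup of this hunk starts and ends outside it.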
{%- if post -%} - {%- set pid = post.id -%} + {%- set pid = post.id -%} {%- else -%} {%- set pid = None -%} {%- set rid = ticket.id -%} diff --git a/application/flicket/templates/flicket_view.html b/application/flicket/templates/flicket_view.html index 93c269f..1e05195 100644 --- a/application/flicket/templates/flicket_view.html +++ b/application/flicket/templates/flicket_view.html @@ -141,7 +141,7 @@ {{ subscribers_form.username(class="form-control form-control-sm mr-1", id="autocomplete-username", placeholder="User Name") }}
{% if subscribers_form.username.errors %} -
Invalid username.
+
Invalid username.
{% endif %}
{{ subscribers_form.sub_user(class="btn btn-primary btn-sm") }} @@ -195,15 +195,17 @@
- - {{ display_post_box(ticket, page=page)|safe }} - + + {% set content = ticket %} + {% set _replies = None %} + {% include('flicket_post.html') %} + {% for action in ticket.actions_nonepost %}
- {{ action.output_action()|safe }} + {{ action.output_action() }}
{% endfor %} @@ -212,13 +214,18 @@ {% for r in replies.items %} - {{ display_post_box(ticket=ticket, post=r, replies=replies, loop=loop, page=page)|safe }} + {% set ticket = ticket %} + {% set _replies = replies %} + {% set post = r %} + {% set post_loop = loop %} + {% set content = post %} + {% include('flicket_post.html') %} {% for action in r.actions %}
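Review bot: Dropping `|safe` from `{{ action.output_action() }}` in the `@@ -195,15 +195,17 @@` hunk (and again in the `@@ -212,13 +214,18 @@` hunk below) only closes the hole if output_action() returns plain text; if it builds HTML itself, as its name and the former `|safe` suggest, autoescaping will now show that markup as literal text, and the method is not visible in this patch to confirm either way. The robust fix belongs in output_action(): escape the user-controlled fields with `markupsafe.escape()` as they are interpolated and return a `Markup` object, which autoescape leaves alone, so the template line is then correct in both cases. A test that renders an action whose user name contains `<` and asserts on the visible text would pin the intended behaviour.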
- {{ action.output_action()|safe }} + {{ action.output_action() }}
{% endfor %} diff --git a/application/flicket/views/delete.py b/application/flicket/views/delete.py index ec82f1e..ae7a4ff 100644 --- a/application/flicket/views/delete.py +++ b/application/flicket/views/delete.py @@ -138,10 +138,8 @@ def delete_category(category_id=False): flash('Category deleted', category='success') return redirect(url_for('flicket_bp.departments')) - notification = "You are trying to delete category {} that belongs " \ - "to department {}.".format( - category.category, - category.department.department) + notification = "You are trying to delete category: {} that belongs " \ + "to department: {}.".format(category.category.upper(), category.department.department.upper()) title = gettext('Delete Category') @@ -187,8 +185,8 @@ def delete_department(department_id=False): return redirect(url_for('flicket_bp.departments')) notification = gettext( - "You are trying to delete department %(value)s.", - value=department.department) + "You are trying to delete department: %(value)s.", + value=department.department.upper()) title = gettext('Delete Department') diff --git a/docs/conf.py b/docs/conf.py index a9df441..49088f8 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -24,7 +24,7 @@ author = 'evereux@gmail.com' # The full version, including alpha/beta/rc tags -release = '0.2.6' +release = '0.2.7' # -- General configuration ---------------------------------------------------
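Review bot: In the `@@ -138,10 +138,8 @@` hunk the category notification is still a plain `.format()` string while the department notification in the `@@ -187,8 +185,8 @@` hunk goes through `gettext()`, so the first message is not translatable and the two sibling views diverge in style; writing it as `notification = gettext("You are trying to delete category: %(category)s that belongs to department: %(department)s.", category=category.category.upper(), department=category.department.department.upper())` makes them consistent. Both hunks also call `.upper()` on stored names, which raises on a None value and is a presentation choice better left to the template; whether either column is nullable is not visible here. Rendering this string without `|safe` in flicket_delete.html is what actually closes the issue, so a comment on the assignment such as `# plain text: escaped by the template, never mark |safe` would protect that invariant. Both delete_category and delete_department continue outside their hunks.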