From a2b169ffdef1d7c1755bade8138578423b35011b Mon Sep 17 00:00:00 2001
From: Alexander Todorov
Date: Mon, 7 Nov 2022 17:52:57 +0200
Subject: [PATCH] Clean HTML input when generating history diff helps us prevent XSS attacks
---
 tcms/core/history.py | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/tcms/core/history.py b/tcms/core/history.py
index abc2edc264..76a9fcccc2 100644
--- a/tcms/core/history.py
+++ b/tcms/core/history.py
@@ -8,6 +8,8 @@
 from simple_history.admin import SimpleHistoryAdmin
 from simple_history.models import HistoricalRecords
 
+from tcms.core.templatetags.extra_filters import bleach_input
+
 
 def diff_objects(old_instance, new_instance, fields):
 """
@@ -20,6 +22,13 @@ def diff_objects(old_instance, new_instance, fields):
 field_diff = []
 old_value = getattr(old_instance, field.attname)
 new_value = getattr(new_instance, field.attname)
+
+ # clean stored XSS
+ if isinstance(old_value, str):
+ old_value = bleach_input(old_value)
+ if isinstance(new_value, str):
+ new_value = bleach_input(new_value)
+
 for line in difflib.unified_diff(
 str(old_value).split("\n"),
 str(new_value).split("\n"),
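Review bot: Sanitizing `old_value` and `new_value` before they reach `difflib.unified_diff` means the history diff is computed on the cleaned text rather than on what was actually stored, so a revision whose only change is markup that `bleach_input` strips produces identical sides and an empty diff — the audit trail loses exactly the change a reviewer would want to see. The safer shape is to diff the raw values and neutralise each line on the way out, e.g. `field_diff.append(html.escape(line))` (or Django's `escape`), assuming the collected lines are later rendered as HTML; whether `html` is imported and how `field_diff` is emitted are outside the hunk. Note also that the new guard only covers `str` values: anything else goes through `str(old_value)` on the following line unsanitised, which matters if such a field can carry user-controlled text. `diff_objects` continues past the end of the hunk.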