[PATCH 1/2] templatetags: Do not mark output of msgid tag as safe
Daniel Axtens
dja at axtens.net
Fri Jul 5 12:07:02 AEST 2019
From: Andrew Donnellan <ajd at linux.ibm.com>
The msgid template tag exists to remove angle brackets from either side of
the Message-ID header.
It also marks its output as safe, meaning it does not get autoescaped by
Django templating.
Its output is not safe. A maliciously crafted email can include HTML tags
inside the Message-ID header, and as long as the angle brackets are not at
the start and end of the header, we will quite happily render them.
Rather than using mark_safe(), use escape() to explicitly escape the
Message-ID.
Signed-off-by: Andrew Donnellan <ajd at linux.ibm.com>
Signed-off-by: Daniel Axtens <dja at axtens.net>
---
patchwork/templatetags/patch.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/patchwork/templatetags/patch.py b/patchwork/templatetags/patch.py
index ea5a71de362f..757f873b6043 100644
--- a/patchwork/templatetags/patch.py
+++ b/patchwork/templatetags/patch.py
@@ -5,6 +5,7 @@
# SPDX-License-Identifier: GPL-2.0-or-later
from django import template
+from django.utils.html import escape
from django.utils.safestring import mark_safe
from django.template.defaultfilters import stringfilter
@@ -64,4 +65,4 @@ def patch_checks(patch):
@register.filter
@stringfilter
def msgid(value):
- return mark_safe(value.strip('<>'))
+ return escape(value.strip('<>'))
--
2.20.1
More information about the Patchwork
mailing list