Escape link content to avoid malicious behaviour.

See #MOD-911
IMIO · May 31, 2022 · e3e1af8 · e3e1af8
1 parent cb86cb1
commit e3e1af8
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 2 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -4,8 +4,8 @@ Changelog
 1.20 (unreleased)
 -----------------
 
-- Nothing changed yet.
-
+- Escape link content to avoid malicious behaviour.
+  [gbastien]
 
 1.19 (2022-01-12)
 -----------------

diff --git a/src/imio/prettylink/adapters.py b/src/imio/prettylink/adapters.py
@@ -10,6 +10,8 @@
 from Products.CMFPlone.utils import safe_unicode
 from zope.i18n import translate
 
+import cgi
+
 
 class PrettyLinkAdapter(object):
     """Adapter that manage rendering the pretty link."""
@@ -118,6 +120,10 @@ def _getLink(self):
         icons_tag = (
             icons and u"<span class='pretty_link_icons'>{0}</span>".format(icons) or ""
         )
+        # as link is rendered using "structure", escape various texts
+        content = cgi.escape(content)
+        title = cgi.escape(title)
+        self.target = cgi.escape(self.target)
         if self.isViewable:
             url = self._get_url()
             css_classes = self.CSSClasses()

diff --git a/src/imio/prettylink/testing.py b/src/imio/prettylink/testing.py
@@ -74,3 +74,4 @@ def setUp(self):
         self.folder = self.portal.folder
         self.folder2 = self.portal.folder2
         self.catalog = self.portal.portal_catalog
+        self.maxDiff = None
diff --git a/src/imio/prettylink/tests/test_adapter.py b/src/imio/prettylink/tests/test_adapter.py
@@ -9,6 +9,7 @@
 
 
 class TestPrettyLinkAdapter(IntegrationTestCase):
+
     def invalidate_cache(self):
         cache = getUtility(ICacheChooser)("imio.prettylink.adapters.getLink")
         cache.ramcache.invalidate("imio.prettylink.adapters.getLink")
@@ -266,3 +267,20 @@ def test_getLink_link_tooltip(self):
             u"<a class='pretty_link' href='http://nohost/plone/folder' "
             u"target='_self'><span class='pretty_link_content state-private'>Folder</span></a>",
         )
+
+    def test_getLink_escape_dangerous_characters(self):
+        """As link is rendered, make sure we can not embed dangerous things."""
+        self.folder.setTitle('Folder"><script>alert(document.domain)</script>')
+        pl = IPrettyLink(self.folder)
+        self.assertEqual(
+            pl.getLink(),
+            u'<a class=\'pretty_link\' title=\'Folder"&gt;&lt;script&gt;alert(document.domain)'
+            u'&lt;/script&gt;\' href=\'http://nohost/plone/folder\' target=\'_self\'><span '
+            u'class=\'pretty_link_content state-private\'>Folder"&gt;&lt;script&gt;alert'
+            u'(document.domain)&lt;/script&gt;</span></a>')
+        pl.tag_title = "tag_title<>"
+        pl.contentValue = "contentValue<>"
+        self.assertEqual(
+            pl.getLink(),
+            u"<a class='pretty_link' title='tag_title&lt;&gt;' href='http://nohost/plone/folder' "
+            u"target='_self'><span class='pretty_link_content state-private'>contentValue&lt;&gt;</span></a>")