Describe the problem

There is some code that is hard to check whether it is safe or not. Namely:

- `mark_safe` usage (e.g. weblate/weblate/accounts/templatetags/site_url.py, lines 32 to 49 in f0b4c81; weblate/weblate/trans/forms.py, lines 275 to 277 in 6e28638). translations.py is gonna be a pain: weblate/weblate/trans/templatetags/translations.py, line 252 in 6e28638.
- `|safe` usage in templates (e.g. weblate/weblate/templates/bootstrap3/field.html, line 17 in 5821a77).
- `HttpResponse` usage (e.g. weblate/weblate/trans/views/reports.py, line 125 in 22d577b).
- Maybe there's something in JavaScript. I saw `innerHTML`, for example. And a lot of `$('...`.
- Wherever there is `.escape(`, it likely means that the code can be rewritten with `format_html`.
- Try searching for `[A-Z]\.format\(` - most occurrences need to be rewritten with `format_html`.
- Considering how big the translation files are, maybe it's time to make a wrapper for `gettext`, `trans` and `blocktrans` which will escape the text by default.
- And I might have missed something.

Describe the solution you'd like

Gradually make the code easier to assess for security, by removing `|safe`, `mark_safe(`, `.innerHTML =` and utilizing `format_html`, `format_html_join`, `conditional_escape`, etc.

Describe alternatives you've considered
No response
Screenshots
No response
Additional context
These fall under this: #7676, #7683, #7696.
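As an added example (not Weblate's code, and deliberately Django-free so it runs stand-alone), here is a small model of Django's `mark_safe` / `conditional_escape` / `format_html` semantics that shows why the `.format(` + `mark_safe` pattern is hard to audit, what the `format_html` rewrite buys, and what the proposed escape-by-default gettext wrapper would do. `SafeString`, `link_unsafe`, `link_safe` and `escaped_gettext` are hypothetical names chosen for this illustration.

```python
"""Model of Django's escaping helpers (hypothetical stand-in, not Django itself)."""
import html


class SafeString(str):
    """Marker type: content is already escaped or is trusted markup."""


def mark_safe(s: str) -> SafeString:
    """Declare a string trusted. Every call site must be audited by hand."""
    return SafeString(s)


def conditional_escape(value) -> SafeString:
    """Escape unless the value is already marked safe (mirrors Django's helper)."""
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))


def format_html(fmt: str, *args, **kwargs) -> SafeString:
    """Like str.format, but every argument is escaped; only the template is trusted."""
    return mark_safe(
        fmt.format(*(conditional_escape(a) for a in args),
                   **{k: conditional_escape(v) for k, v in kwargs.items()})
    )


def link_unsafe(url: str, label: str) -> SafeString:
    """The pattern the issue wants removed: interpolate first, then mark_safe blindly.
    Whether this is safe depends on where url and label came from, which the
    reviewer cannot see at this line."""
    return mark_safe('<a href="{}">{}</a>'.format(url, label))


def link_safe(url: str, label: str) -> SafeString:
    """The replacement: format_html escapes url and label regardless of origin."""
    return format_html('<a href="{}">{}</a>', url, label)


def escaped_gettext(msgid: str, catalog: dict) -> SafeString:
    """Sketch of the wrapper the issue proposes: a translated string is escaped by
    default, so markup in a translation file is rendered inert. `catalog` is a
    constructed stand-in for a gettext catalog."""
    return conditional_escape(catalog.get(msgid, msgid))


if __name__ == "__main__":
    label = "<b>Injected</b>"  # constructed value containing markup
    print(link_unsafe("/profile", label))  # markup passes through untouched
    print(link_safe("/profile", label))    # markup is escaped
```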