Merge pull request #599 from cisagov/CD-command-injection-fixes

Update fixes for command injections at bulletin_generator
cisagov · Jul 14, 2023 · 818ecce · 818ecce
2 parents bb77b5e + 94059ce
commit 818ecce
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 5 deletions.
diff --git a/src/pe_reports/helpers/bulletin/bulletin_generator.py b/src/pe_reports/helpers/bulletin/bulletin_generator.py
@@ -11,6 +11,7 @@
 
 # Standard Python Libraries
 import datetime
+import html
 import logging
 import os
 
@@ -50,6 +51,7 @@ def html_builder(text):
     if input_type == "P":
         LOGGER.info("Paragraph Selected")
         paragraph = input("Please enter paragraph text:")
+        paragraph = html.escape(paragraph)
         paragraph = f"<p> {paragraph} </p>"
         text = text + f"\n {paragraph}"
 
@@ -58,6 +60,7 @@ def html_builder(text):
         bullets = "<ul>\n"
         while True:
             item = input("Enter line item: ")
+            item = html.escape(item)
             if item == "D":
                 bullets = bullets + "</ul>"
                 break
@@ -69,6 +72,7 @@ def html_builder(text):
         bullets = "<ol>\n"
         while True:
             item = input("Enter line item: ")
+            item = html.escape(item)
             if item == "D":
                 bullets = bullets + "</ol>"
                 break
@@ -78,6 +82,7 @@ def html_builder(text):
         LOGGER.info("Invalid Selection")
 
     cont = input("Would you like to add more content (Y/N): ")
+    cont = html.escape(cont)
     if cont == "Y":
         text = html_builder(text)
 

diff --git a/src/pe_reports/report_gen/templates/report_gen_UI/home_report_gen.html b/src/pe_reports/report_gen/templates/report_gen_UI/home_report_gen.html
@@ -120,7 +120,6 @@
   </div>
 </div>
 
-<div id="loading" class="justify-content-lg-center"></div>
 <div class="row justify-content-lg-center">
   <div class="row col-lg-6 offset-lg-3">
     <input type="hidden" value="{% block title %} Stakeholder {% endblock %}" />

diff --git a/src/pe_reports/static/css/custom.css b/src/pe_reports/static/css/custom.css
@@ -2,9 +2,6 @@ body {
   background-color: #324ca8;
 }
 
-.htmx-settling img {
-  opacity: 0;
-}
 img {
   transition: opacity 300ms ease-in;
 }

diff --git a/src/pe_reports/templates/base.html b/src/pe_reports/templates/base.html
@@ -24,7 +24,6 @@
       crossorigin="anonymous"
     ></script>
     <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
-    <script src="../static/js/htmx.js"></script>
 
     <nav class="navbar navbar-expand-lg navbar-dark bg-dark">
       <div class="container-fluid">