Escaped some column rendering to avoid xss
sgeulette committed Jun 10, 2022
1 parent 42f9df8 commit 1aac7f8
Showing 3 changed files with 10 additions and 18 deletions.
5 changes: 3 additions & 2 deletions CHANGES.rst
Expand Up @@ -4,8 +4,9 @@ Changelog
3.0.9 (unreleased)
------------------

- Nothing changed yet.

- Required z3c.table 2.2 to include escaping, to avoid xss.
Escaped some columns.
[sgeulette]

3.0.8 (2022-05-13)
------------------
3 changes: 2 additions & 1 deletion setup.py
Expand Up @@ -47,10 +47,11 @@
'plone.directives.form',
'plone.formwidget.masterselect',
'plone.principalsource',
'future',
'imio.helpers',
'imio.migrator',
'setuptools',
'z3c.table',
'z3c.table>=2.2',
],
extras_require={
'test': [
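Review bot: The new `'z3c.table>=2.2'` lower bound carries its security rationale only in the changelog, so a reader of setup.py cannot tell why the floor matters or that relaxing it would silently reopen the XSS the commit fixes. Annotate the pin in place, `'z3c.table>=2.2',  # escapes cell/link content (XSS fix); do not lower`, and give `'future'` a reason too, e.g. `'future',  # html.escape backport for Python 2`. That second reason is my inference from the `.decode('utf-8')` calls in table.py, so confirm it is why the package was added before committing the comment.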
20 changes: 5 additions & 15 deletions src/collective/task/browser/table.py
Expand Up @@ -4,6 +4,8 @@
from collective.task import _
from collective.task import PMF
from collective.task.adapters import EMPTY_STRING
from html import escape
from imio.helpers.adapters import NoEscapeLinkColumn
from plone import api
from Products.CMFPlone.utils import normalizeString
from Products.CMFPlone.utils import safe_unicode
Expand All @@ -20,7 +22,6 @@


class TasksTable(Table):

"""Table that displays tasks info."""

cssClassEven = u'even'
Expand Down Expand Up @@ -49,7 +50,6 @@ def values(self):


class UserColumn(Column):

"""Base user column."""

field = NotImplemented
Expand All @@ -58,13 +58,12 @@ def renderCell(self, value):
username = getattr(value, self.field, '')
if username and username != EMPTY_STRING:
member = api.user.get(username)
return member.getUser().getProperty('fullname').decode('utf-8')
return escape(member.getUser().getProperty('fullname').decode('utf-8'))

return ""


class TitleColumn(LinkColumn):

"""Column that displays title."""

header = PMF("Title")
Expand All @@ -79,7 +78,6 @@ def getLinkContent(self, item):


class PrettyLinkTitleColumn(TitleColumn):

"""Column that displays prettylink title."""

header = PMF("Title")
Expand All @@ -99,7 +97,6 @@ def renderCell(self, item):


class EnquirerColumn(UserColumn):

"""Column that displays enquirer."""

header = _("Enquirer")
Expand All @@ -108,7 +105,6 @@ class EnquirerColumn(UserColumn):


class AssignedGroupColumn(Column):

"""Column that displays assigned group."""

header = _("Assigned group")
Expand All @@ -117,13 +113,11 @@ class AssignedGroupColumn(Column):
def renderCell(self, value):
if value.assigned_group:
group = api.group.get(value.assigned_group).getGroup()
return group.getProperty('title').decode('utf-8')

return escape(group.getProperty('title').decode('utf-8'))
return ""


class AssignedUserColumn(UserColumn):

"""Column that displays assigned user."""

header = _("Assigned user")
Expand All @@ -132,7 +126,6 @@ class AssignedUserColumn(UserColumn):


class DueDateColumn(Column):

"""Column that displays due date."""

header = _("Due date")
Expand All @@ -144,12 +137,10 @@ def renderCell(self, value):
if value.due_date:
return api.portal.get_localized_time(datetime=value.due_date, long_format=self.long_format,
time_only=self.time_only)

return ""


class ReviewStateColumn(Column):

"""Column that displays value's review state."""

header = PMF("Review state")
Expand All @@ -160,6 +151,5 @@ def renderCell(self, value):
if state:
wtool = api.portal.get_tool('portal_workflow')
state_title = wtool.getTitleForStateOnType(state, value.portal_type)
return translate(PMF(state_title), context=self.request)

return escape(translate(PMF(state_title), context=self.request))
return ''

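Review bot: `NoEscapeLinkColumn` is imported at the top of table.py but none of the five lines this commit adds use it, so the import is dead in this revision. It presumably was meant to become the base of `PrettyLinkTitleColumn`, whose `renderCell` body lies outside the hunk; if that column emits link markup, the escaping that z3c.table 2.2 brings (per the changelog entry) would now either mangle that markup or, if that path is not escaped, leave it as the remaining sink, which deserves checking and a comment such as `# NoEscapeLinkColumn: only for columns that build trusted markup themselves`. Separately, the new return in `UserColumn.renderCell` (its `def` line sits just outside the hunk) still dereferences `api.user.get(username)` with no None guard, so a stored username that no longer resolves raises AttributeError instead of rendering an empty cell; `if member is None: return ""` before the escaped return closes that. A one-line comment above the custom columns, `# z3c.table>=2.2 escapes its own column types; custom renderCell output must be escaped here`, would tell the next maintainer why `escape()` is applied per column and why DueDateColumn, which renders only a formatted date, was left alone.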