
Escape HTML output #1469

Merged

Conversation

vanschelven
Contributor

As per Django's documentation

Clearly, user-submitted data shouldn’t be trusted blindly and inserted
directly into your web pages, because a malicious user could use this kind of
hole to do potentially bad things. This type of security exploit is called a
Cross Site Scripting (XSS) attack.

To avoid this problem, you have two options:

  • One, you can make sure to run each untrusted variable through the escape
    filter (documented below), which converts potentially harmful HTML characters
    to unharmful ones.

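The two options the quoted Django docs describe, shown side by side as an added example (not code from django-import-export or from this PR): an import-preview row rendered by string concatenation, and the same row with every untrusted cell passed through an escape function. It uses the standard library's `html.escape` rather than Django's `escape` filter so it runs without Django; the `render_row*` functions and the sample row are hypothetical, constructed for the demonstration.

```python
import html
from html.parser import HTMLParser


class TagCollector(HTMLParser):
    """Records every start tag a browser would parse out of an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(fragment):
    """Return the list of element start tags found in `fragment`, in order."""
    collector = TagCollector()
    collector.feed(fragment)
    return collector.tags


def render_row_unsafe(values):
    """The 'before' pattern: untrusted cell values pasted straight into markup.
    Any '<', '>' or '&' in a value is interpreted by the browser as HTML."""
    cells = "".join(f"<td>{value}</td>" for value in values)
    return f"<tr>{cells}</tr>"


def render_row(values):
    """The hardened pattern: each untrusted value goes through html.escape()
    (quote=True also escapes ' and "), so the browser shows it as text."""
    cells = "".join(f"<td>{html.escape(str(value), quote=True)}</td>" for value in values)
    return f"<tr>{cells}</tr>"


# Constructed sample: one imported row whose cells carry markup characters.
SAMPLE_ROW = ["42", "Smith & Sons <b>Ltd</b>", 'say "hi"']

if __name__ == "__main__":
    unsafe = render_row_unsafe(SAMPLE_ROW)
    safe = render_row(SAMPLE_ROW)
    print(unsafe)            # the <b> inside the second cell becomes a real element
    print(safe)              # &lt;b&gt; reaches the user as literal text
    print(tags_in(unsafe))   # ['tr', 'td', 'td', 'b', 'td']
    print(tags_in(safe))     # ['tr', 'td', 'td', 'td']
```

The `tags_in` check is the kind of assertion a regression test for this change can make: after escaping, the only elements in the output are the ones the template itself wrote.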
@matthewhegarty
Contributor

Hi Klaas - thanks so much for raising the issues and suggesting PRs, we appreciate it. I would recommend you test against v3 which is in beta (branch is release-3-x).

There are a lot of changes coming in v3. You'd be very welcome to submit PRs in either v2 or v3, but please check out the contribution guide first. v3 is going to soon become the mainline version, with v2 supported for some time for bug fixes.

@vanschelven
Contributor Author

This particular PR does not apply on release-3-x; given its nature, might I suggest merging it into master anyway?

@vanschelven
Contributor Author

@matthewhegarty anything I can do to move this PR and the others forward?

@matthewhegarty
Contributor

I'll have to take a look when I get some time - maybe at the weekend. Thanks for your contributions.

@matthewhegarty
Contributor

Thanks again for submitting this. I fixed the isort error and updated the changelog. If you are ok with that I will merge.

@coveralls

coveralls commented Aug 4, 2022


Coverage remained the same at 98.397% when pulling 2c6cd3e on vanschelven:escape-html-output into a0b4dfc on django-import-export:main.

@vanschelven
Contributor Author

LGTM, feel free to merge

@matthewhegarty matthewhegarty merged commit 38e9f95 into django-import-export:main Aug 4, 2022
@vanschelven
Contributor Author

@matthewhegarty any chance you could release 2.8.1 to include this PR (and a few others) in a proper release?

@matthewhegarty
Contributor

2.9.0 released
