Fix a XSS vulnerability in the gravatar template tag.
The generated gravatar HTML did not escape the user's display name, so an attacker could choose a name that closes out the <img> tag's attribute and injects a <script> tag. By switching to Django's format_html(), every interpolated value is escaped, which guarantees safe escaping of the content.
Showing
2 changed files
with
39 additions
and
3 deletions.
| @@ -0,0 +1,34 @@ | ||
| from __future__ import unicode_literals | ||
|
|
||
| from django.contrib.auth.models import User | ||
| from django.template import Token, TOKEN_TEXT | ||
|
|
||
| from djblets.testing.testcases import TagTest | ||
| from djblets.gravatars.templatetags.gravatars import gravatar | ||
|
|
||
|
|
||
| class DummyRequest(object): | ||
| def is_secure(self): | ||
| return False | ||
|
|
||
|
|
||
| class TagTests(TagTest): | ||
| """Unit tests for gravatars template tags.""" | ||
| def test_gravatar_xss(self): | ||
| """Testing {% gravatar %} doesn't allow XSS injection""" | ||
| user = User(username='test', | ||
| first_name='"><script>alert(1);</script><"', | ||
| email='test@example.com') | ||
|
|
||
| node = gravatar(self.parser, Token(TOKEN_TEXT, 'gravatar user 32')) | ||
| context = { | ||
| 'request': DummyRequest(), | ||
| 'user': user, | ||
| } | ||
|
|
||
| self.assertEqual( | ||
| node.render(context), | ||
| '<img src="http://www.gravatar.com/avatar/' | ||
| '55502f40dc8b7c769880b10874abc9d0?s=32" width="32" height="32" ' | ||
| 'alt=""><script>alert(1);</script><"" ' | ||
| 'class="gravatar"/>') |
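Review bot: The expected string's `alt=` line in the assertEqual reads `'alt=""><script>alert(1);</script><"" '` as rendered here, which taken literally pins the unescaped, still-injectable output rather than the escaped one. This is presumably the page decoding HTML entities and the committed file should read `'alt="&quot;&gt;&lt;script&gt;alert(1);&lt;/script&gt;&lt;&quot;" '`, but it is worth confirming against the raw source, since a test that asserts the vulnerable markup passes only while the bug exists. The case also drives the payload through `first_name` alone; if the tag's display name draws on `last_name` or falls back to `username`, a second case through those fields with a payload that also contains `&` and `'` would show that format_html() escapes every interpolated argument, not just the one exercised. Because the assertion is exact equality it also pins attribute order and the trailing `/>`, so adding `self.assertNotIn('<script>', node.render(context))` next to it keeps the security check meaningful if the markup is later reformatted.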