
Commit 398c480

Remove the striptags functionality; fixes some instances of XSS (issue #3)
1 parent 12948c1 commit 398c480

6 files changed

+42
-46
lines changed

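--- a/apps/common/templates/calculate_form_title.html
+++ b/apps/common/templates/calculate_form_title.html
@@ -1,10 +1,6 @@
 {% load i18n %}
 {% if title %}
-{% if striptags %}
-{{ title|capfirst|striptags }}
-{% else %}
-{{ title|capfirst|safe }}
-{% endif %}
+{{ title|capfirst }}
 {% else %}
 {% if read_only %}
 {% if object_name %}
@@ -15,16 +11,16 @@
 {% else %}
 {% if object %}
 {% if object_name %}
-{% blocktrans %}Edit {{ object_name }}:{% endblocktrans %} {% if not striptags %}<a href="{{ object.get_absolute_url }}">{% endif %}{{ object|capfirst }}{% if not striptags %}</a>{% endif %}
+{% blocktrans with object as object and object_name as object_name %}Edit {{ object_name }}: {{ object }}{% endblocktrans %}
 {% else %}
-{% trans "Edit" %}: {% if not striptags %}<a href="{{ object.get_absolute_url }}">{% endif %}{{ object|capfirst }}{% if not striptags %}</a>{% endif %}
+{% blocktrans with object as object %}Edit: {{ object }}{% endblocktrans %}
 {% endif %}
 {% else %}
 {% if object_name %}
 {% blocktrans %}Create new {{ object_name }}{% endblocktrans %}
 {% else %}
 {% trans "Create" %}
 {% endif %}
-{% endif %}
+{% endif %}
 {% endif %}
 {% endif %}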
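Review bot: The new `{{ title|capfirst }}` on line 3 is only escaped if autoescaping is still on at the include site and `title` arrives as a plain string; `capfirst` preserves a safe-marked value, so a view that builds `title` with `mark_safe()` or `format_html()` would still land raw HTML in the page `<title>`. If titles are meant to be text only, `{{ title|capfirst|force_escape }}` pins that regardless of how the view marked the value. In the Edit branches the `<a href="{{ object.get_absolute_url }}">` wrapper is dropped entirely rather than only for the `<title>` context, so body headings lose their link and `{{ object }}` also loses the old `capfirst`; this looks like a deliberate simplification but goes beyond the XSS fix and is worth stating in the commit message. The `with object as object and object_name as object_name` bindings are no-ops since plain context variables are already usable inside `blocktrans`, as the `Create new {{ object_name }}` line in the same file shows; `{% blocktrans %}Edit {{ object_name }}: {{ object }}{% endblocktrans %}` reads cleaner.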

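--- a/apps/common/templates/generic_detail.html
+++ b/apps/common/templates/generic_detail.html
@@ -2,15 +2,15 @@
 {% load i18n %}
 {% load subtemplates_tags %}
 
-{% block title %} :: {% with "true" as read_only %}{% with "true" as striptags %}{% include "calculate_form_title.html" %}{% endwith %}{% endwith %}{% endblock %}
+{% block title %} :: {% with "true" as read_only %}{% include "calculate_form_title.html" %}{% endwith %}{% endblock %}
 
 {% block sidebar %}
 {% for subtemplate in sidebar_subtemplates %}
 <div class="generic_subform">
 {% include subtemplate %}
-</div>
+</div>
 {% endfor %}
-
+
 {% for subtemplate in sidebar_subtemplates_list %}
 {% with "true" as side_bar %}
 {% if subtemplate.form %}
@@ -26,18 +26,18 @@
 {% endif %}
 </div>
 {% if subtemplate.grid_clear or not subtemplate.grid %}
-<div class=""></div>
+<div class=""></div>
 {% endif %}
 {% endwith %}
-{% endfor %}
+{% endfor %}
 {% endblock %}
 
 {% block stylesheets %}
 <style type="text/css">
-#subform form textarea,
+#subform form textarea,
 #subform form select option,
-#subform form input,
-#subform form select,
+#subform form input,
+#subform form select,
 #subform form input { background: none; color: black; border: none; }
 </style>
 {% endblock %}
@@ -51,14 +51,14 @@
 </div>
 </div>
 {% if grid_clear or not grid %}
-<div class=""></div>
+<div class=""></div>
 {% endif %}
 {% endwith %}
 {% endif %}
-
+
 <div class="container_12">
 {% for subtemplate in subtemplates_list %}
-<div class="grid_{{ subtemplate.grid|default:12 }}">
+<div class="grid_{{ subtemplate.grid|default:12 }}">
 {% with "true" as read_only %}
 {% render_subtemplate subtemplate.name subtemplate.context as rendered_subtemplate %}
 <div class="generic_subform">
@@ -67,10 +67,10 @@
 {% endwith %}
 </div>
 {% if subtemplate.grid_clear or not subtemplate.grid %}
-<div class="clear"></div>
+<div class="clear"></div>
 {% endif %}
 {% endfor %}
-</div>
-
+</div>
+
 {% endblock %}
 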
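--- a/apps/common/templates/generic_form.html
+++ b/apps/common/templates/generic_form.html
@@ -1,7 +1,7 @@
 {% extends "base.html" %}
 {% load subtemplates_tags %}
 
-{% block title %} :: {% with "true" as striptags %}{% include "calculate_form_title.html" %}{% endwith %}{% endblock %}
+{% block title %} :: {% include "calculate_form_title.html" %}{% endblock %}
 
 {% block sidebar %}
 {% for subtemplate in sidebar_subtemplates_list %}
@@ -25,10 +25,10 @@
 {% include "generic_form_subtemplate.html" %}
 </div>
 {% endif %}
-
+
 <div class="container_12">
 {% for subtemplate in subtemplates_list %}
-<div class="grid_{{ subtemplate.grid|default:12 }}">
+<div class="grid_{{ subtemplate.grid|default:12 }}">
 {% if subtemplate.form %}
 {% render_subtemplate subtemplate.name subtemplate.context as rendered_subtemplate %}
 <div class="generic_subform">
@@ -40,7 +40,7 @@
 {% endif %}
 </div>
 {% if subtemplate.grid_clear or not subtemplate.grid %}
-<div class="clear"></div>
+<div class="clear"></div>
 {% endif %}
 {% endfor %}
 </div>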

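--- a/apps/common/templates/generic_list.html
+++ b/apps/common/templates/generic_list.html
@@ -3,7 +3,7 @@
 {% load navigation_tags %}
 {% load subtemplates_tags %}
 
-{% block title %} :: {% blocktrans with title|striptags as stripped_title %}List of {{ stripped_title }}{% endblocktrans %}{% endblock %}
+{% block title %} :: {% blocktrans with title as title %}List of {{ title }}{% endblocktrans %}{% endblock %}
 {#{% block secondary_links %}{{ secondary_links|safe }}{% endblock %}#}
 
 {% block sidebar %}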
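Review bot: The commented-out `{#{% block secondary_links %}{{ secondary_links|safe }}{% endblock %}#}` on the line right below the new title is the same `|safe` pattern this commit is removing; it is inert today, but uncommenting it later reintroduces unescaped output, so either delete the line or drop the `|safe` now. The new `with title as title` binding is a no-op because a plain context variable can be used inside `blocktrans` directly; `{% blocktrans %}List of {{ title }}{% endblocktrans %}` is equivalent and shorter. Both points also depend on autoescaping being active in `base.html`'s title block, which is outside this diff.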

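--- a/apps/common/templates/generic_list_horizontal.html
+++ b/apps/common/templates/generic_list_horizontal.html
@@ -3,7 +3,7 @@
 {% load navigation_tags %}
 {% load subtemplates_tags %}
 
-{% block title %} :: {% blocktrans with title|striptags as stripped_title %}List of {{ stripped_title }}{% endblocktrans %}{% endblock %}
+{% block title %} :: {% blocktrans with title as title %}List of {{ title }}{% endblocktrans %}{% endblock %}
 {#{% block secondary_links %}{{ secondary_links|safe }}{% endblock %}#}
 
 {% block sidebar %}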
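Review bot: This title block is now byte-identical to the one in generic_list.html, and the commented `{{ secondary_links|safe }}` line beneath it is duplicated there too, so the same `|safe` residue has to be cleaned up in two places. Moving the `List of {{ title }}` title into a small shared include, or having this template extend generic_list.html, would leave one place to keep escaping correct. If the templates stay separate, at least drop the redundant `with title as title` here as well: `{% blocktrans %}List of {{ title }}{% endblocktrans %}`.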

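--- a/apps/common/templates/generic_list_subtemplate.html
+++ b/apps/common/templates/generic_list_subtemplate.html
@@ -16,8 +16,8 @@ <h3>
 </h3>
 <div class="content">
 <p>
-{% else %}
-{% autopaginate object_list %}
+{% else %}
+{% autopaginate object_list %}
 <div class="content">
 <h2 class="title">
 {% ifnotequal page_obj.paginator.num_pages 1 %}
@@ -53,9 +53,9 @@ <h2 class="title">
 </button>
 </div>
 {% endif %}
-{% endif %}
-{% endif %}
-
+{% endif %}
+{% endif %}
+
 {% if scrollable_content %}
 <div style="border: 1px solid; height: {{ scrollable_content_height }}; overflow: auto;">
 {% endif %}
@@ -78,11 +78,11 @@ <h2 class="title">
 
 {% for column in object_list.0|get_model_list_columns %}
 <th>{{ column.name|capfirst }}</th>
-{% endfor %}
+{% endfor %}
 
 {% for column in extra_columns %}
 <th>{{ column.name|capfirst }}</th>
-{% endfor %}
+{% endfor %}
 
 {% if not hide_links %}
 <th class="">&nbsp;</th>
@@ -91,7 +91,7 @@ <h2 class="title">
 {% endif %}
 {% for object in object_list %}
 <tr class="{% cycle 'odd' 'even2' %}">
-{% if multi_select or multi_select_as_buttons %}
+{% if multi_select or multi_select_as_buttons %}
 <td>
 {% if multi_select_item_properties %}
 <input type="checkbox" class="checkbox" name="properties_{{ object|get_encoded_parameter:multi_select_item_properties }}" value="" />
@@ -117,7 +117,7 @@ <h2 class="title">
 {% else %}
 <td>{{ object|object_property:column.attribute }}</td>
 {% endif %}
-{% endfor %}
+{% endfor %}
 {% if not hide_columns %}
 {% for column in object|get_model_list_columns %}
 <td>{{ object|object_property:column.attribute }}</td>
@@ -149,15 +149,15 @@ <h2 class="title">
 {% endif %}
 </tr>
 {% empty %}
-<tr><td colspan=99 class="tc">{% blocktrans with title|striptags as stripped_title %}There are no {{ stripped_title }}{% endblocktrans %}</td></tr>
+<tr><td colspan=99 class="tc">{% blocktrans with title as title %}There are no {{ title }}{% endblocktrans %}</td></tr>
 {% endfor %}
 </tbody>
 </table>
-
+
 {% if scrollable_content %}
-</div>
-{% endif %}
-
+</div>
+{% endif %}
+
 {% if object_list %}
 {% if multi_select or multi_select_as_buttons %}
 {% if multi_select_as_buttons %}
@@ -179,13 +179,13 @@ <h2 class="title">
 </button>
 </div>
 {% endif %}
-{% endif %}
-{% endif %}
+{% endif %}
+{% endif %}
 </form>
 {% paginate %}
-
+
 {% if side_bar %}
 </p>
-{% endif %}
+{% endif %}
 </div>
 </div>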
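Review bot: The only substantive change in this file is the `{% empty %}` row at line 152, and the rewritten line keeps the unquoted `colspan=99`; while touching it, quote the attribute and drop the no-op binding: `<tr><td colspan="99" class="tc">{% blocktrans %}There are no {{ title }}{% endblocktrans %}</td></tr>`. The remaining seventeen changed lines are indentation-only, which buries the escaping fix in whitespace churn and makes `git blame` on this template less useful; a separate whitespace commit would have been clearer. As with the other title blocks, `{{ title }}` inside `blocktrans` is escaped only while autoescaping is on for this subtemplate, which the `render_subtemplate` tag that includes it (not shown here) would need to preserve.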
