Reports: clean malicius content from the HTML and CSV exporters
chessbr committed Jul 7, 2021
1 parent 32b7811 commit 0a2db39
Showing 2 changed files with 14 additions and 5 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -14,6 +14,7 @@ List all changes after the last release here (newer on top). Each change on a se

### Changed

- Reports: clean malicius content from the HTML and CSV exporters
- Reports: prevent formulas from being exported in excel writer
- Tests: log errors into a log file
- Admin: hide email template button based on permission
18 changes: 13 additions & 5 deletions shuup/reports/writer.py
Expand Up @@ -5,6 +5,7 @@
#
# This source code is licensed under the OSL-3.0 license found in the
# LICENSE file in the root directory of this source tree.
import bleach
import csv
import six
from babel.dates import format_datetime
Expand Down Expand Up @@ -154,6 +155,13 @@ def format_data(data, format_iso_dates=False, format_money_values=False):
return data


def remove_unsafe_chars(data):
if isinstance(data, str):
return "".join([char for char in data if char not in ("=", "+", "-")])

return data


class CSVReportWriter(ReportWriter):
content_type = "text/csv"
extension = ".csv"
Expand All @@ -170,12 +178,12 @@ def write_data_table(self, report, report_data, has_totals=True):
self.data.append([c["title"] for c in report.schema])
for datum in report_data:
datum = report.read_datum(datum)
self.data.append([format_data(data, format_iso_dates=True) for data in datum])
self.data.append([format_data(remove_unsafe_chars(data), format_iso_dates=True) for data in datum])

if has_totals:
for datum in report.get_totals(report_data):
datum = report.read_datum(datum)
self.data.append([format_data(data) for data in datum])
self.data.append([format_data(remove_unsafe_chars(data)) for data in datum])

def get_rendered_output(self):
f = StringIO()
Expand Down Expand Up @@ -206,13 +214,13 @@ def write_data_table(self, report, report_data, has_totals=True):
self.worksheet.append([c["title"] for c in report.schema])
for datum in report_data:
datum = report.read_datum(datum)
self.worksheet.append([format_data(data) for data in datum])
self.worksheet.append([format_data(remove_unsafe_chars(data)) for data in datum])
self._convert_row_to_string()

if has_totals:
for datum in report.get_totals(report_data):
datum = report.read_datum(datum)
self.worksheet.append([format_data(data) for data in datum])
self.worksheet.append([format_data(remove_unsafe_chars(data)) for data in datum])
self._convert_row_to_string()

def write_page_heading(self, text):
Expand Down Expand Up @@ -264,7 +272,7 @@ def _w_raw(self, content):
self.output.append(mark_safe(content))

def _w(self, content):
self.output.append(format_data(content, format_money_values=True))
self.output.append(bleach.clean(str(format_data(content, format_money_values=True)), strip=True))

def _w_tag(self, tag, content):
self._w_raw("<%s>" % tag)
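Review bot: The new `remove_unsafe_chars` in the `@@ -154,6 +155,13 @@` hunk deletes `=`, `+` and `-` from every position in the string, but a spreadsheet only treats a cell as a formula when such a character is leading, so the filter corrupts legitimate values (ISO dates like `2021-07-07`, hyphenated SKUs, negative amounts stored as text) while still missing the other commonly documented triggers `@`, tab and carriage return. Trimming only the leading characters keeps the data intact and still neutralises the formula start, e.g. `return data.lstrip("=+-@\t\r")`; the alternative of prefixing a single quote preserves even a genuinely leading `-`. Because every call site applies `remove_unsafe_chars` to the raw value before `format_data`, a value that `format_data` itself renders to a string beginning with a trigger (a negative money value, presumably) would bypass the check — if that can happen, sanitise the formatted result instead. The `isinstance(data, str)` guard also leaves lazy translation proxies unfiltered and, if this code still runs under Python 2 (the file imports `six`), `unicode` values too; `isinstance(data, six.string_types)` after coercing with `str()` would cover both.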
