From 305935967e85f1ae153cd452e16923ad2df69eaf Mon Sep 17 00:00:00 2001
From: feng <1304903146@qq.com>
Date: Mon, 12 Dec 2022 16:09:58 +0800
Subject: [PATCH] fix: ticket xss inject

---
 apps/tickets/handlers/base.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/apps/tickets/handlers/base.py b/apps/tickets/handlers/base.py
index 81341ce8e..54713750e 100644
--- a/apps/tickets/handlers/base.py
+++ b/apps/tickets/handlers/base.py
@@ -1,3 +1,5 @@
+from html import escape
+
 from django.utils.translation import ugettext as _
 from django.template.loader import render_to_string
 
@@ -96,11 +98,19 @@ class BaseHandler:
 approve_info = _('{} {} the ticket').format(user_display, state_display)
 context = self._diff_prev_approve_context(state)
 context.update({'approve_info': approve_info})
+ body = self.reject_html_script(
+ render_to_string('tickets/ticket_approve_diff.html', context)
+ )
 data = {
- 'body': render_to_string('tickets/ticket_approve_diff.html', context),
+ 'body': body,
 'user': user,
 'user_display': str(user),
 'type': 'state',
 'state': state
 }
 return self.ticket.comments.create(**data)
+
+ @staticmethod
+ def reject_html_script(unsafe_html):
+ safe_html = escape(unsafe_html)
+ return safe_html
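Review bot: `reject_html_script` does not do what its name says: `html.escape` neutralises every `<`, `>`, `&` and quote in the whole rendered `tickets/ticket_approve_diff.html`, so any markup the template itself produces (tables, line breaks, the diff highlighting) is stored as literal text in the comment body, not just script tags. The sanitiser is also applied at the wrong layer: the untrusted parts are the values placed in `context` (the output of `_diff_prev_approve_context` and `approve_info`, which is built from `user_display`/`state_display`), and those are what should be escaped before rendering, or left to Django's autoescaping if the template does not mark them `|safe` — I cannot see the template from here, so please confirm which applies. If escaping the full render is the intended behaviour, rename the helper or document it, e.g. a docstring reading `"""Return *unsafe_html* with all HTML special characters escaped (the result is plain text, not sanitised HTML)."""`, and consider making the method a plain `return escape(unsafe_html)` since the `safe_html` local adds nothing. The enclosing method starts before this hunk, so the origin of `user_display` and `state_display` is not visible.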