fix: ticket xss inject

pull/9903/head
feng 2022-12-12 16:09:58 +08:00 committed by Jiangjie.Bai
parent 5b35e99866
commit b5b7cd7693
1 changed files with 12 additions and 2 deletions


@ -1,3 +1,5 @@
from html import escape
from django.utils.translation import ugettext as _
from django.template.loader import render_to_string
@ -42,7 +44,7 @@ class BaseHandler:
def _on_step_rejected(self, step):
self._send_processed_mail_to_applicant(step)
def _on_step_closed(self, step):
def _on_step_closed(self):
self._send_processed_mail_to_applicant()
def _send_applied_mail_to_assignees(self, step=None):
@ -96,11 +98,19 @@ class BaseHandler:
approve_info = _('{} {} the ticket').format(user_display, state_display)
context = self._diff_prev_approve_context(state)
context.update({'approve_info': approve_info})
body = self.reject_html_script(
render_to_string('tickets/ticket_approve_diff.html', context)
)
data = {
'body': render_to_string('tickets/ticket_approve_diff.html', context),
'body': body,
'user': user,
'user_display': str(user),
'type': 'state',
'state': state
}
return self.ticket.comments.create(**data)
@staticmethod
def reject_html_script(unsafe_html):
safe_html = escape(unsafe_html)
return safe_html
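Review bot: Passing the whole `render_to_string(...)` output through `escape()` in the new `body = self.reject_html_script(...)` lines neutralizes injected markup, but it also escapes every tag the `tickets/ticket_approve_diff.html` template itself emits, so the stored comment body is no longer HTML and, if the view that displays it autoescapes again, it renders double-escaped (`&amp;lt;`). The narrower fix is to escape the untrusted context values before rendering — `user_display`/`state_display` feeding `approve_info`, and whatever `_diff_prev_approve_context` returns — e.g. `context = {k: escape(v) if isinstance(v, str) else v for k, v in context.items()}` ahead of the `render_to_string` call, keeping `body` as the rendered HTML; if the template applies `|safe` or `autoescape off` to those values, that is presumably where the injection entered and is worth removing as well. `reject_html_script` also deserves a docstring stating that it HTML-escapes the entire string rather than filtering script tags, e.g. `"""Return *unsafe_html* with all HTML special characters escaped; apply to untrusted text, not to rendered markup."""`. The method that builds `approve_info` starts above this hunk, so the origin of `user_display` is not visible here.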