
Fixed the XSS protection code inside custom fields

This commit is contained in:
Osamu-kj
2022-08-06 15:10:31 +02:00
parent f874e9932d
commit db38ed4f19


@ -1,5 +1,4 @@
from dataclasses import dataclass from dataclasses import dataclass
from glob import escape
from typing import Optional from typing import Optional
import django_tables2 as tables import django_tables2 as tables
@ -8,6 +7,7 @@ from django.contrib.auth.models import AnonymousUser
from django.db.models import DateField, DateTimeField from django.db.models import DateField, DateTimeField
from django.template import Context, Template from django.template import Context, Template
from django.urls import reverse from django.urls import reverse
from django.utils.html import escape
from django.utils.formats import date_format from django.utils.formats import date_format
from django.utils.safestring import mark_safe from django.utils.safestring import mark_safe
from django_tables2.columns import library from django_tables2.columns import library
@ -430,25 +430,28 @@ class CustomFieldColumn(tables.Column):
def _likify_item(item): def _likify_item(item):
if hasattr(item, 'get_absolute_url'): if hasattr(item, 'get_absolute_url'):
return f'<a href="{item.get_absolute_url()}">{item}</a>' return f'<a href="{item.get_absolute_url()}">{item}</a>'
return item return escape(item)
def render(self, value): def render(self, value):
if self.customfield.type == CustomFieldTypeChoices.TYPE_BOOLEAN and value is True: if self.customfield.type == CustomFieldTypeChoices.TYPE_BOOLEAN and value is True:
return escape('<i class="mdi mdi-check-bold text-success"></i>') return mark_safe('<i class="mdi mdi-check-bold text-success"></i>')
if self.customfield.type == CustomFieldTypeChoices.TYPE_BOOLEAN and value is False: if self.customfield.type == CustomFieldTypeChoices.TYPE_BOOLEAN and value is False:
return escape('<i class="mdi mdi-close-thick text-danger"></i>') return mark_safe('<i class="mdi mdi-close-thick text-danger"></i>')
if self.customfield.type == CustomFieldTypeChoices.TYPE_URL: if self.customfield.type == CustomFieldTypeChoices.TYPE_URL:
return escape(f'<a href="{value}">{value}</a>') return mark_safe(f'<a href="{escape(value)}">{escape(value)}</a>')
if self.customfield.type == CustomFieldTypeChoices.TYPE_MULTISELECT: if self.customfield.type == CustomFieldTypeChoices.TYPE_MULTISELECT:
return ', '.join(v for v in value) return ', '.join(v for v in value)
if self.customfield.type == CustomFieldTypeChoices.TYPE_MULTIOBJECT: if self.customfield.type == CustomFieldTypeChoices.TYPE_MULTIOBJECT:
return escape(', '.join([ print (mark_safe(', '.join([
self._likify_item(obj) for obj in self.customfield.deserialize(value)
])))
return mark_safe(', '.join([
self._likify_item(obj) for obj in self.customfield.deserialize(value) self._likify_item(obj) for obj in self.customfield.deserialize(value)
])) ]))
if value is not None: if value is not None:
obj = self.customfield.deserialize(value) obj = self.customfield.deserialize(value)
return escape(self._likify_item(obj)) return mark_safe(self._likify_item(obj))
return escape(self.default) return self.default
def value(self, value): def value(self, value):
if isinstance(value, list): if isinstance(value, list):
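Review bot: The TYPE_MULTIOBJECT branch now executes `print(mark_safe(', '.join([...])))` immediately before the real `return mark_safe(...)`, which looks like a leftover debugging statement: it writes the rendered HTML to the process's stdout on every cell render and calls `self.customfield.deserialize(value)` twice, so the three `print(` lines should be dropped and only the `return` kept. Separately, `_likify_item` escapes the plain-text fallback but still interpolates `{item}` unescaped into the anchor text, and every caller in `render` now wraps its result in `mark_safe`, so an object whose `__str__` contains HTML metacharacters would reach the page unescaped; I would write that line as `return f'<a href="{item.get_absolute_url()}">{escape(item)}</a>'` (the href from `get_absolute_url()` is presumably not user-controlled, but worth confirming). The enclosing class `CustomFieldColumn` starts before this hunk and the `value` method continues after it.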