Merge branch 'regressionfix/xss-issues' into staging/bugfix

OctoPrint · Nov 4, 2024 · b8a6b0a · b8a6b0a
2 parents 104ccfd + 8c569bc
commit b8a6b0a
Show file tree

Hide file tree

Showing 8 changed files with 28 additions and 26 deletions.
diff --git a/src/octoprint/plugins/appkeys/__init__.py b/src/octoprint/plugins/appkeys/__init__.py
@@ -260,7 +260,7 @@ def handle_auth_dialog(self, app_token):
                 theming=[],
                 request_text=gettext(
                     '"<strong>%(app)s</strong>" has requested access to control OctoPrint through the API.'
-                ).replace("%(app)s", app_id),
+                ),
             )
         )
         return add_csrf_cookie(add_non_caching_response_headers(response))

diff --git a/src/octoprint/plugins/appkeys/templates/appkeys_authdialog.jinja2 b/src/octoprint/plugins/appkeys/templates/appkeys_authdialog.jinja2
@@ -18,7 +18,7 @@
     <link rel="stylesheet" href="{{ url_for('plugin.appkeys.static', filename='css/authdialog.css') }}">
 
     {% for url in theming %}
-        <link rel="stylesheet" href="{{ url }}">
+        <link rel="stylesheet" href="{{ url|e }}">
     {% endfor %}
 
     <!-- le javascript -->
@@ -45,8 +45,8 @@
         <form id="auth-choice" class="form-auth">
             <h2 class="form-auth-heading" data-test-id="login-title">{{ _('Access Request') }}</h2>
 
-            <p>{% trans %}Hello {{ user }}!{% endtrans %}</p>
-            <p>{{ request_text }}</p>
+            <p>{{ _("Hello %(user)s!", user=user|e) }}</p>
+            <p>{{ request_text | format(app=app|e) }}</p>
             <p>{% trans %}
                 Do you want to allow access to this application with your user account?
             {% endtrans %}</p>

diff --git a/src/octoprint/plugins/discovery/templates/discovery.xml.jinja2 b/src/octoprint/plugins/discovery/templates/discovery.xml.jinja2
@@ -1,3 +1,4 @@
+{%- autoescape true -%}
 <?xml version="1.0"?>
 <root xmlns="urn:schemas-upnp-org:device-1-0">
     <specVersion>
@@ -20,3 +21,4 @@
         <presentationURL>{{ presentationUrl }}</presentationURL>
     </device>
 </root>
+{%- endautoescape -%}
diff --git a/src/octoprint/plugins/pluginmanager/templates/pluginmanager_about.jinja2 b/src/octoprint/plugins/pluginmanager/templates/pluginmanager_about.jinja2
@@ -2,7 +2,7 @@
 
 <ul>
     {% for plugin in plugin_pluginmanager_thirdparty %}
-        <li>{% if plugin.url %}<a href="{{ plugin.url }}" target="_blank" rel="noreferrer noopener">{% endif %}{{ plugin.name }}{% if plugin.url %}</a>{% endif %}: {% if plugin.license %}{{ plugin.license }}{% else %}-{% endif %}</li>
+        <li>{% if plugin.url %}<a href="{{ plugin.url|e }}" target="_blank" rel="noreferrer noopener">{% endif %}{{ plugin.name|e }}{% if plugin.url %}</a>{% endif %}: {% if plugin.license %}{{ plugin.license|e }}{% else %}-{% endif %}</li>
     {% endfor %}
 </ul>
 
@@ -11,7 +11,7 @@
 
     {% for key in templates.plugin_pluginmanager_about_thirdparty.order %}
         {% set heading, config = templates.plugin_pluginmanager_about_thirdparty.entries[key] %}
-        <h4>{{ heading }}</h4>
+        <h4>{{ heading|e }}</h4>
 
         {% include config.template ignore missing %}
     {% endfor %}

diff --git a/src/octoprint/templates/dialogs/about/about.jinja2 b/src/octoprint/templates/dialogs/about/about.jinja2
@@ -2,7 +2,7 @@
 
 <h4>{{ _('The snappy web interface for your 3D printer') }}</h4>
 
-<p>Version <span class="version">{{ display_version }}</span></p>
+<p>Version <span class="version">{{ display_version|e }}</span></p>
 
 <ul class="fa-ul">
     <li><i class="fa-li fas fa-home"></i> Website: <a href="https://octoprint.org" target="_blank" rel="noreferrer noopener">octoprint.org</a></li>

diff --git a/src/octoprint/templates/login.jinja2 b/src/octoprint/templates/login.jinja2
@@ -83,7 +83,7 @@
                 {{ _('An account with the following permissions is required:') }} {{ permission_names|join(", ") }}
             </p>{% endif %}
 
-            <input type="text" id="login-user" data-test-id="login-username" class="input-block-level" placeholder="{{ _('Username')|edq }}" {% if user_id %}value="{{ user_id|edq }}" disabled{% endif %} autofocus autocapitalize="none">
+            <input type="text" id="login-user" data-test-id="login-username" class="input-block-level" placeholder="{{ _('Username')|edq }}" {% if user_id %}value="{{ user_id|e }}" disabled{% endif %} autofocus autocapitalize="none">
             <input type="password" id="login-password" data-test-id="login-password" class="input-block-level" placeholder="{{ _('Password')|edq }}">
             {% if not reauthenticate %}
             <span class="pull-right"><small><a href="https://faq.octoprint.org/forgotten-password" id="login-forgotpassword" target="_blank" tabindex="-1">{{ _('Forgot password?') }}</a></small></span>

diff --git a/src/octoprint/templates/recovery.jinja2 b/src/octoprint/templates/recovery.jinja2
@@ -18,7 +18,7 @@
     <link rel="stylesheet" href="{{ url_for("static", filename="css/recovery.css") }}">
 
     {% for url in theming %}
-        <link rel="stylesheet" href="{{ url }}">
+        <link rel="stylesheet" href="{{ url|e }}">
     {% endfor %}
 
     <!-- le javascript -->

diff --git a/src/octoprint/templates/reverse_proxy_test.jinja2 b/src/octoprint/templates/reverse_proxy_test.jinja2
@@ -17,20 +17,20 @@
     <link rel="stylesheet" href="{{ url_for("static", filename="vendor/font-awesome-5.15.1/css/v4-shims.min") }}">
 
     {% for url in theming %}
-        <link rel="stylesheet" href="{{ url }}">
+        <link rel="stylesheet" href="{{ url|e }}">
     {% endfor %}
 
     <!-- le javascript -->
 
     <script>
         var BASE_URL = "{{ url_for('index') }}";
 
-        var CLIENT_IP = "{{ client_ip }}";
-        var SERVER_PROTOCOL = "{{ server_protocol }}";
-        var SERVER_NAME = "{{ server_name }}";
-        var SERVER_PORT = {{ server_port }};
-        var SERVER_PATH = "{{ server_path }}";
-        var COOKIE_SUFFIX = "{{ cookie_suffix }}";
+        var CLIENT_IP = "{{ client_ip|e }}";
+        var SERVER_PROTOCOL = "{{ server_protocol|e }}";
+        var SERVER_NAME = "{{ server_name|e }}";
+        var SERVER_PORT = {{ server_port|e }};
+        var SERVER_PATH = "{{ server_path|e }}";
+        var COOKIE_SUFFIX = "{{ cookie_suffix|e }}";
     </script>
     <script src="{{ url_for("static", filename="js/lib/jquery/jquery.min.js") }}"></script>
     <script src="{{ url_for("static", filename="js/lib/knockout.js") }}"></script>
@@ -85,37 +85,37 @@
                 <td>Client IP</td>
                 <td><code>X-Forwarded-For</code></td>
                 <td>-</td>
-                <td>{{ client_ip }}</td>
+                <td>{{ client_ip|e }}</td>
             </tr>
             <tr data-bind="css: { success: serverProtocolMatch, error: !serverProtocolMatch }">
                 <td>Protocol</td>
                 <td><code>X-Forwarded-Protocol</code>, <code>X-Scheme</code> or config</td>
                 <td data-bind="text: serverProtocol"></td>
-                <td>{{ server_protocol }}</td>
+                <td>{{ server_protocol|e }}</td>
             </tr>
             <tr data-bind="css: { success: serverNameMatch, error: !serverNameMatch }">
                 <td>Host</td>
                 <td><code>X-Forwarded-Host</code>, <code>Host</code>, <code>X-Forwarded-Server</code> or config</td>
                 <td data-bind="text: serverName"></td>
-                <td>{{ server_name }}</td>
+                <td>{{ server_name|e }}</td>
             </tr>
             <tr data-bind="css: { success: serverPortMatch, error: !serverPortMatch }">
                 <td>Port</td>
                 <td><code>X-Forwarded-Host</code>, <code>Host</code>, <code>X-Forwarded-Port</code>, <code>X-Forwarded-Protocol</code>, <code>X-Scheme</code> or config</td>
                 <td data-bind="text: serverPort"></td>
-                <td>{{ server_port }}</td>
+                <td>{{ server_port|e }}</td>
             </tr>
             <tr data-bind="css: { success: serverPathMatch, error: !serverPathMatch }">
                 <td>Path</td>
                 <td><code>X-Script-Name</code> or config</td>
                 <td data-bind="text: serverPath"></td>
-                <td>{{ server_path }}</td>
+                <td>{{ server_path|e }}</td>
             </tr>
             <tr data-bind="css: { success: cookieSuffixMatch, error: !cookieSuffixMatch }">
                 <td>Cookie Suffix</td>
                 <td>Built from port & path</td>
                 <td data-bind="text: cookieSuffix"></td>
-                <td>{{ cookie_suffix }}</td>
+                <td>{{ cookie_suffix|e }}</td>
             </tr>
         </table>
 
@@ -126,20 +126,20 @@
 
             <ul>
                 {% for key, value in headers.items() %}
-                    <li><code>{{ key }}</code>: <code>{{ value }}</code></li>
+                    <li><code>{{ key|e }}</code>: <code>{{ value|e }}</code></li>
                 {% endfor %}
             </ul>
 
             <p>
-                Your server side Client IP was determined to be {{ client_ip }}. Your <code>X-Forwarded-For</code> header
-                {% if headers["X-Forwarded-For"] %} (<code>{{ headers["X-Forwarded-For"] }}</code>){% endif %} might
+                Your server side Client IP was determined to be {{ client_ip|e }}. Your <code>X-Forwarded-For</code> header
+                {% if headers["X-Forwarded-For"] %} (<code>{{ headers["X-Forwarded-For"]|e }}</code>){% endif %} might
                 have influenced that. Make sure that this is the IP that OctoPrint should be seeing. It will be the right most
                 IP in the <code>X-Forwarded-For</code> header that is not among your <strong>configured trusted downstreams</strong>:
             </p>
 
             <ul>
                 {% for host in trusted_proxies %}
-                    <li><code>{{ host }}</code></li>
+                    <li><code>{{ host|e }}</code></li>
                 {% endfor %}
             </ul>
         {% else %}