
Custom fields description allows arbitrary HTML tags #7612

Closed
tombe75 opened this issue Oct 22, 2021 · 2 comments
Labels
status: accepted This issue has been accepted for implementation type: bug A confirmed report of unexpected behavior in the application

Comments

@tombe75

tombe75 commented Oct 22, 2021

NetBox version

v3.0.8

Python version

3.8

Steps to Reproduce

  1. Add new Custom Field
  2. Set description with an HTML tag, e.g. A<h1>B</h1>C
  3. Assign to arbitrary model, e.g. circuit.
  4. Create a new object of selected model, circuit in this case.
  5. Check Custom Fields section when editing new object.

Expected Behavior

Since custom field creation is moved from the admin page and could be available to normal users, I expect it to be sanitized of pure HTML.
(If some customization is needed this could be replaced with Markdown)

Observed Behavior

HTML tags get evaluated.
[image]

@tombe75 tombe75 added the type: bug A confirmed report of unexpected behavior in the application label Oct 22, 2021
@jeremystretch jeremystretch added the status: accepted This issue has been accepted for implementation label Oct 27, 2021
@jeremystretch jeremystretch self-assigned this Oct 27, 2021
@kkthxbye-code
Contributor

kkthxbye-code commented Oct 27, 2021

@jeremystretch - I think this solution is incomplete. Instead of strip_tags you should use the escape function from django.utils.html.

Otherwise you can still mess up the HTML on the page with something like this:

"><iframe src=httpbin.org

As a sidenote, in cases like these where the fix is not part of a release yet, do you want a new issue, or a comment in the existing issue like this?
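The distinction drawn in the comment above, as an added example that is not part of this issue or of NetBox's code: a simplified tag stripper (a hypothetical stand-in, not Django's strip_tags) and the standard library's html.escape (the same substitutions django.utils.html.escape makes) are each applied to the two descriptions quoted in this thread, the result is placed inside a hypothetical attribute as a form's help text might be, and the markup is parsed to see which elements a browser would actually create.

```python
"""Tag stripping vs. escaping for a custom-field description rendered into HTML."""
import html
import re
from html.parser import HTMLParser

# Simplified stand-in for a tag stripper (NOT Django's strip_tags): removes
# anything that looks like a complete <...> tag and leaves everything else as-is.
def naive_strip_tags(value: str) -> str:
    return re.sub(r"<[^>]*>", "", value)

# Context-neutral escaping: &, <, >, " and ' become entities, as with
# django.utils.html.escape, here via the standard library.
def escape(value: str) -> str:
    return html.escape(value, quote=True)

# Hypothetical template: the description lands inside a quoted attribute.
TEMPLATE = '<input name="cf_example" title="{description}">'

def render(description: str, sanitizer) -> str:
    return TEMPLATE.format(description=sanitizer(description))

class TagCounter(HTMLParser):
    """Records the start tags the parser sees, i.e. the elements that get created."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)

def elements_in(markup: str) -> list[str]:
    parser = TagCounter()
    parser.feed(markup)
    parser.close()
    return parser.tags

# Constructed sample inputs: the first from the report, the second from the
# follow-up comment (an unterminated tag that breaks out of the attribute).
REPORTED = "A<h1>B</h1>C"
ATTRIBUTE_BREAKOUT = '"><iframe src=httpbin.org'

if __name__ == "__main__":
    for desc in (REPORTED, ATTRIBUTE_BREAKOUT):
        for name, fn in (("strip_tags", naive_strip_tags), ("escape", escape)):
            out = render(desc, fn)
            # Only "escape" keeps the element list at ['input'] for both inputs.
            print(f"{name:10} {elements_in(out)}  {out}")
```

The stripper neutralizes the reported `<h1>` but passes the unterminated `<iframe` through, and once the leading `"` closes the attribute the parser creates an iframe element; escaping turns the same input into inert text regardless of which context it lands in.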

@jeremystretch
Member

As a sidenote, in cases like these where the fix is not part of a release yet, do you want a new issue, or a comment in the existing issue like this?

A follow-up comment is usually fine provided it's a minor adjustment and the change hasn't made it into a release yet. Thanks!

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 2, 2022