
Sanitize rendered custom link HTML #12205

Closed
jeremystretch opened this issue Apr 7, 2023 · 4 comments
Labels: status: accepted (This issue has been accepted for implementation), type: feature (Introduction of new functionality to the application)

Comments

@jeremystretch
Member

NetBox version

v3.4.7

Feature type

Change to existing functionality

Proposed functionality

Custom links enable users to craft customized buttons in the UI relevant to particular objects. Both the link URL and text can be rendered from a Jinja2 template.

This FR proposes sanitizing the rendered URL and text to guard against potentially malicious content. We should be able to utilize the clean_html() utility function already in place for this purpose. The sanitization would occur after either piece of content has been fully rendered by the Jinja2 engine.

Use case

Ensures well-formed content and mitigates the risk of users crafting malicious links.

Database changes

No response

External dependencies

No response

@jeremystretch jeremystretch added type: feature Introduction of new functionality to the application status: needs owner This issue is tentatively accepted pending a volunteer committed to its implementation labels Apr 7, 2023
@jeremystretch jeremystretch changed the title Sanitize render custom link HTML Sanitize rendered custom link HTML Apr 7, 2023
@jeremystretch jeremystretch added status: accepted This issue has been accepted for implementation and removed status: needs owner This issue is tentatively accepted pending a volunteer committed to its implementation labels Apr 10, 2023
@jeremystretch jeremystretch self-assigned this Apr 10, 2023
@jeremystretch
Member Author

Thanks @x64x6a for implementing this in 89fa546!

@x64x6a
Contributor

x64x6a commented Apr 26, 2023

Sorry, but I just noticed that my commit has a bug that encodes '%' and '=', so links with GET parameters or URL encoded values would be failing.

I believe this line - 89fa546#diff-7cd550a7e9a8bf633ee98ba17fdb140a64186bf257070850a6edc93e09b00004R282

        link = urllib.parse.quote_plus(link, safe='/:?&')

Would need to add '%=' to safe in order for them to be ignored so they are not encoded:

        link = urllib.parse.quote_plus(link, safe='/:?&%=')
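
The two safe sets above, compared on constructed links (an added example, not code from the thread or from NetBox; the clean_html() step is not reproduced, and example.com URLs are made up):

```python
from urllib.parse import quote_plus

# Safe sets quoted in the thread: the original commit and the proposed fix.
SAFE_ORIGINAL = '/:?&'
SAFE_FIXED = '/:?&%='

# HTML-significant characters a link sanitizer must still neutralise.
HTML_SPECIAL = '<>"\' '


def sanitize_link(link: str, safe: str = SAFE_FIXED) -> str:
    """Percent-encode a rendered custom-link URL, leaving `safe` characters
    (and RFC 3986 unreserved ones) untouched. Mirrors the quote_plus call
    from the thread; NetBox's clean_html() is not reproduced here."""
    return quote_plus(link, safe=safe)


def round_trips(link: str, safe: str) -> bool:
    """True when encoding is a no-op, i.e. '=' separators and existing
    %XX escapes are preserved rather than double-encoded."""
    return sanitize_link(link, safe) == link


def html_neutralised(link: str, safe: str) -> bool:
    """True when no raw HTML-significant character survives encoding."""
    out = sanitize_link(link, safe)
    return not any(c in out for c in HTML_SPECIAL)


if __name__ == '__main__':
    # Constructed sample links (not taken from the issue).
    query_link = 'https://example.com/search?q=foo%20bar&id=42'
    html_link = 'https://example.com/?q=<b>x</b>&title="hi there"'
    for safe in (SAFE_ORIGINAL, SAFE_FIXED):
        print(f'safe={safe!r}')
        print('  query link  ->', sanitize_link(query_link, safe))
        print('  html link   ->', sanitize_link(html_link, safe))
        print('  round-trips :', round_trips(query_link, safe))
        print('  neutralised :', html_neutralised(html_link, safe))
    # Characters outside the safe set, such as '#', are still encoded
    # even with the fix, so fragment links change too.
    print(sanitize_link('https://example.com/page#section', SAFE_FIXED))
```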

@x64x6a
Contributor

x64x6a commented Apr 26, 2023

Should we create a separate issue to resolve that issue or re-open this ticket?
I created a fork of the change - 032d4e1

@jeremystretch
Member Author

@x64x6a thanks for catching that. I've opened #12355 to track this if you'd like to submit a PR from your fork.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 26, 2023