diff --git a/docker/app.Dockerfile b/docker/app.Dockerfile
index fba65eee7..5d67868c9 100644
--- a/docker/app.Dockerfile
+++ b/docker/app.Dockerfile
@@ -38,6 +38,7 @@ RUN apt-get install -qy \
 less \
 libmagic-dev \
 libmariadb-dev \
+ libtidy-dev \
 locales \
 mariadb-client \
 netcat \
diff --git a/ietf/doc/utils.py b/ietf/doc/utils.py
index d266cdbf9..b6af654ef 100644
--- a/ietf/doc/utils.py
+++ b/ietf/doc/utils.py
@@ -363,7 +363,7 @@ def add_links_in_new_revision_events(doc, events, diff_revisions):
 links += ""
 if prev != None:
- links += ' (diff from previous)' % (settings.RFCDIFF_BASE_URL, quote(prev, safe="~"), quote(diff_url, safe="~"))
+ links += ' (diff from previous)' % (settings.RFCDIFF_BASE_URL, quote(prev, safe="~"), quote(diff_url, safe="~"))
 # replace the bold filename part
 e.desc = re.sub(r"(.+-[0-9][0-9].txt)", links, e.desc)
@@ -1087,7 +1087,7 @@ def build_doc_supermeta_block(doc):
 items.append(f'[WG]')
 items.append(f'[Email]')
 if doc.rev != "00":
- items.append(f'[Diff1]')
+ items.append(f'[Diff1]')
 items.append(f'[Diff2]')
 items.append(f'[Nits]')
@@ -1321,4 +1321,4 @@ def fuzzy_find_documents(name, rev=None):
 rev = None # found a doc by name with rev = None, so update that
 FoundDocuments = namedtuple('FoundDocuments', 'documents matched_name matched_rev')
- return FoundDocuments(docs, name, rev)
+ return FoundDocuments(docs, name, rev)
\ No newline at end of file
diff --git a/ietf/doc/views_ballot.py b/ietf/doc/views_ballot.py
index be9223b78..6841e07f5 100644
--- a/ietf/doc/views_ballot.py
+++ b/ietf/doc/views_ballot.py
@@ -14,7 +14,7 @@ from django.template.defaultfilters import striptags
 from django.template.loader import render_to_string
 from django.urls import reverse as urlreverse
 from django.views.decorators.csrf import csrf_exempt
-
+from django.utils.html import escape
 import debug # pyflakes:ignore
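Review bot: The views_ballot.py import hunk replaces the blank line that separated the django imports from `import debug # pyflakes:ignore` with the new `from django.utils.html import escape`, so the group boundary the surrounding lines show disappears; the views_bofreq.py hunk does the same in front of `from ietf.doc.mails import (...)`. Keeping the blank and adding the import as one more line of the django group, `from django.utils.html import escape` followed by the empty line, preserves the stdlib / django / local grouping. The two utils.py hunks on this line cannot be reviewed from the page: the changed link markup was stripped in extraction and the removed and added lines read identically.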
@@ -527,7 +527,7 @@ def lastcalltext(request, name):
 if not existing:
 existing = generate_last_call_announcement(request, doc)
- form = LastCallTextForm(initial=dict(last_call_text=existing.text))
+ form = LastCallTextForm(initial=dict(last_call_text=escape(existing.text)))
 if request.method == 'POST':
 if "save_last_call_text" in request.POST or "send_last_call_request" in request.POST:
@@ -612,7 +612,7 @@ def ballot_writeupnotes(request, name):
 if not existing:
 existing = generate_ballot_writeup(request, doc)
- form = BallotWriteupForm(initial=dict(ballot_writeup=existing.text))
+ form = BallotWriteupForm(initial=dict(ballot_writeup=escape(existing.text)))
 if request.method == 'POST' and "save_ballot_writeup" in request.POST or "issue_ballot" in request.POST:
 form = BallotWriteupForm(request.POST)
@@ -727,7 +727,7 @@ def ballot_rfceditornote(request, name):
 if not existing or (existing.text == ""):
 existing = generate_ballot_rfceditornote(request, doc)
- form = BallotRfcEditorNoteForm(auto_id=False, initial=dict(rfc_editor_note=existing.text))
+ form = BallotRfcEditorNoteForm(auto_id=False, initial=dict(rfc_editor_note=escape(existing.text)))
 if request.method == 'POST' and "save_ballot_rfceditornote" in request.POST:
 form = BallotRfcEditorNoteForm(request.POST)
@@ -791,7 +791,7 @@ def ballot_approvaltext(request, name):
 if not existing:
 existing = generate_approval_mail(request, doc)
- form = ApprovalTextForm(initial=dict(approval_text=existing.text))
+ form = ApprovalTextForm(initial=dict(approval_text=escape(existing.text)))
 if request.method == 'POST':
 if "save_approval_text" in request.POST:
@@ -1206,4 +1206,4 @@ def irsg_ballot_status(request):
 docs.append(doc)
- return render(request, 'doc/irsg_ballot_status.html', {'docs':docs})
+ return render(request, 'doc/irsg_ballot_status.html', {'docs':docs})
\ No newline at end of file
diff --git a/ietf/doc/views_bofreq.py b/ietf/doc/views_bofreq.py
index 28b549537..8ce066670 100644
--- a/ietf/doc/views_bofreq.py
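Review bot: In lastcalltext the new `escape(existing.text)` pre-escapes the value handed to the form as `initial`, and Django's stock Textarea/TextInput rendering escapes the widget value again, so unless the template renders this field with `|safe` or inside `{% autoescape off %}` a `&` in the announcement is shown to the user as `&amp;` and saving the form unchanged writes the double-encoded text back. The same pattern is repeated in ballot_writeupnotes, ballot_rfceditornote and ballot_approvaltext on this line, and in views_charter.py (review_announcement_text, action_announcement_text, ballot_writeupnotes), views_conflict_review.py (submit, approve_conflict_review) and views_status_change.py (approve, last_call). The templates are not on the page; if they do mark the field safe, the narrower fix is at the rendering site rather than in the initial value, and if they do not, this change corrupts stored text rather than closing anything. A test that GETs one of these views with an existing text containing `<` and `&`, POSTs the rendered form back unchanged and asserts the stored text is byte-identical would settle it either way. All four enclosing functions start and end outside their hunks.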
+++ b/ietf/doc/views_bofreq.py
@@ -10,7 +10,7 @@ from django.contrib.auth.decorators import login_required
 from django.shortcuts import get_object_or_404, redirect, render
 from django.template.loader import render_to_string
 from django.urls import reverse as urlreverse
-
+from django.utils.html import escape
 from ietf.doc.mails import (email_bofreq_title_changed, email_bofreq_editors_changed, email_bofreq_new_revision, email_bofreq_responsible_changed)
@@ -172,7 +172,7 @@ def new_bof_request(request):
 return redirect('ietf.doc.views_doc.document_main', name=bofreq.name)
 else:
- init = {'bofreq_content':render_to_string('doc/bofreq/bofreq_template.md',{}),
+ init = {'bofreq_content':escape(render_to_string('doc/bofreq/bofreq_template.md',{})),
 'bofreq_submission':'enter',
 }
 form = NewBofreqForm(initial=init)
diff --git a/ietf/doc/views_charter.py b/ietf/doc/views_charter.py
index 447c72889..29cfa7f8e 100644
--- a/ietf/doc/views_charter.py
+++ b/ietf/doc/views_charter.py
@@ -17,6 +17,7 @@ from django.conf import settings
 from django.contrib import messages
 from django.contrib.auth.decorators import login_required
 from django.utils.encoding import force_text
+from django.utils.html import escape
 import debug # pyflakes:ignore
@@ -507,7 +508,7 @@ def review_announcement_text(request, name):
 existing_new_work.text = derive_new_work_text(existing.text,group)
 existing_new_work.time = datetime.datetime.now()
- form = ReviewAnnouncementTextForm(initial=dict(announcement_text=existing.text,new_work_text=existing_new_work.text))
+ form = ReviewAnnouncementTextForm(initial=dict(announcement_text=escape(existing.text),new_work_text=escape(existing_new_work.text)))
 if request.method == 'POST':
 form = ReviewAnnouncementTextForm(request.POST)
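Review bot: `escape(render_to_string('doc/bofreq/bofreq_template.md',{}))` in new_bof_request wraps a value that render_to_string returns already marked safe, and `escape()` re-escapes its input even when it is marked safe; so either the template is rendered with autoescape on (the engine default), in which case `&`, `<` and `>` it emits are already entities and arrive in the form as `&amp;amp;`, `&amp;lt;`, `&amp;gt;`, or it is rendered under `{% autoescape off %}` and this call is the only escaping. The two `escape(render_to_string("doc/conflict_review/review_choices.txt", ...))` calls in views_conflict_review.py submit have the same shape. Whichever it is, the call should say so, e.g. `# template is rendered autoescape-off; escape once here for the form field` — and if it is the former, the outer escape() should go. new_bof_request continues outside the hunk.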
@@ -588,7 +589,7 @@ def action_announcement_text(request, name):
 if not existing:
 raise Http404
- form = ActionAnnouncementTextForm(initial=dict(announcement_text=existing.text))
+ form = ActionAnnouncementTextForm(initial=dict(announcement_text=escape(existing.text)))
 if request.method == 'POST':
 form = ActionAnnouncementTextForm(request.POST)
@@ -650,7 +651,7 @@ def ballot_writeupnotes(request, name):
 reissue = charter.latest_event(DocEvent, type="sent_ballot_announcement")
- form = BallotWriteupForm(initial=dict(ballot_writeup=existing.text))
+ form = BallotWriteupForm(initial=dict(ballot_writeup=escape(existing.text)))
 if request.method == 'POST' and ("save_ballot_writeup" in request.POST or "send_ballot" in request.POST):
 form = BallotWriteupForm(request.POST)
@@ -802,7 +803,7 @@ def approve(request, name):
 return render(request, 'doc/charter/approve.html', dict(charter=charter,
- announcement=announcement))
+ announcement=escape(announcement)))
 def charter_with_milestones_txt(request, name, rev):
 charter = get_object_or_404(Document, type="charter", docalias__name=name)
@@ -833,4 +834,4 @@ def charter_with_milestones_txt(request, name, rev):
 return render(request, 'doc/charter/charter_with_milestones.txt', dict(charter_text=charter_text, milestones=milestones),
- content_type="text/plain; charset=%s"%settings.DEFAULT_CHARSET)
+ content_type="text/plain; charset=%s"%settings.DEFAULT_CHARSET)
\ No newline at end of file
diff --git a/ietf/doc/views_conflict_review.py b/ietf/doc/views_conflict_review.py
index 85a5a9a72..e42c13872 100644
--- a/ietf/doc/views_conflict_review.py
+++ b/ietf/doc/views_conflict_review.py
@@ -12,6 +12,7 @@ from django.http import HttpResponseRedirect, Http404
 from django.urls import reverse
 from django.template.loader import render_to_string
 from django.conf import settings
+from django.utils.html import escape
 import debug # pyflakes:ignore
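Review bot: In approve, `announcement=escape(announcement)` escapes a value that goes straight into the template context, where `{{ announcement }}` is autoescaped by default; unless doc/charter/approve.html renders it with `|safe` or inside `{% autoescape off %}` this is a double encode the approver sees as literal `&amp;` in the announcement text. If the template does mark it safe, removing the `|safe` there is the narrower fix and keeps the context value as plain text for anything else that reads it. A one-line comment on the render call stating which of the two the template does, `# approve.html renders announcement with |safe; escape here`, would stop the next reader from reverting it. approve starts outside the hunk, and the same question applies to the action_announcement_text and ballot_writeupnotes form initials above it.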
@@ -215,7 +216,7 @@ def submit(request, name):
 elif "reset_text" in request.POST:
- init = { "content": render_to_string("doc/conflict_review/review_choices.txt",dict())}
+ init = { "content": escape(render_to_string("doc/conflict_review/review_choices.txt",dict()))}
 form = UploadForm(initial=init) # Protect against handcrufted malicious posts
@@ -229,9 +230,9 @@ def submit(request, name):
 init = { "content": ""}
 if not_uploaded_yet:
- init["content"] = render_to_string("doc/conflict_review/review_choices.txt",
+ init["content"] = escape(render_to_string("doc/conflict_review/review_choices.txt",
 dict(),
- )
+ ))
 else:
 filename = os.path.join(settings.CONFLICT_REVIEW_PATH, '%s-%s.txt' % (review.canonical_name(), review.rev))
 try:
@@ -358,7 +359,7 @@ def approve_conflict_review(request, name):
 else:
- init = { "announcement_text" : default_approval_text(review) }
+ init = { "announcement_text" : escape(default_approval_text(review)) }
 form = AnnouncementForm(initial=init)
 return render(request, 'doc/conflict_review/approve.html',
@@ -522,4 +523,4 @@ def start_review_as_stream_owner(request, name):
 {'form': form, 'doc_to_review': doc_to_review, },
- )
+ )
\ No newline at end of file
diff --git a/ietf/doc/views_status_change.py b/ietf/doc/views_status_change.py
index eb1d93e12..2484d8645 100644
--- a/ietf/doc/views_status_change.py
+++ b/ietf/doc/views_status_change.py
@@ -16,6 +16,7 @@ from django.urls import reverse
 from django.template.loader import render_to_string
 from django.conf import settings
 from django.utils.encoding import force_text
+from django.utils.html import escape
 import debug # pyflakes:ignore
 from ietf.doc.mails import email_ad_approved_status_change
@@ -396,7 +397,7 @@ def approve(request, name):
 init = []
 for rel in status_change.relateddocument_set.filter(relationship__slug__in=STATUSCHANGE_RELATIONS):
- init.append({"announcement_text" : default_approval_text(status_change,rel),
+ init.append({"announcement_text" : escape(default_approval_text(status_change,rel)),
 "label": "Announcement text for %s to %s"%(rel.target.document.canonical_name(),newstatus(rel)),
 })
 formset = AnnouncementFormSet(initial=init)
@@ -674,7 +675,7 @@ def last_call(request, name):
 if not last_call_event:
 last_call_event = generate_last_call_text(request, status_change)
- form = LastCallTextForm(initial=dict(last_call_text=last_call_event.text))
+ form = LastCallTextForm(initial=dict(last_call_text=escape(last_call_event.text)))
 if request.method == 'POST':
 if "save_last_call_text" in request.POST or "send_last_call_request" in request.POST:
@@ -724,4 +725,4 @@ def last_call(request, name):
 last_call_form = form,
 ),
 )
-
+
\ No newline at end of file
diff --git a/ietf/secr/meetings/tests.py b/ietf/secr/meetings/tests.py
index 5c440802b..c6576a0cc 100644
--- a/ietf/secr/meetings/tests.py
+++ b/ietf/secr/meetings/tests.py
@@ -244,7 +244,7 @@ class SecrMeetingTestCase(TestCase):
 response = self.client.get(url)
 self.assertEqual(response.status_code, 200)
 q = PyQuery(response.content)
- self.assertEqual(len(q("#id_rooms_table tr input[type='checkbox']")),meeting.room_set.count())
+ self.assertEqual(len(q("#id_rooms_table tr input[type='checkbox']")),meeting.room_set.count()+1)
 # test delete
 # first unschedule sessions so we can delete
@@ -441,4 +441,4 @@ class SecrMeetingTestCase(TestCase):
 times = get_times(meeting,day)
 values = [ x[0] for x in times ]
 self.assertTrue(times)
- self.assertTrue(timeslot.time.strftime('%H%M') in values)
+ self.assertTrue(timeslot.time.strftime('%H%M') in values)
\ No newline at end of file
diff --git a/ietf/secr/templates/base_secr.html b/ietf/secr/templates/base_secr.html
index 95d16f0db..d4ba1fa5d 100644
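Review bot: The changed assertion in SecrMeetingTestCase compares the checkbox count against `meeting.room_set.count()+1` without saying where the extra checkbox comes from, so the next template change that alters the count has to rediscover it; nothing else in this diff shows the template change that made the +1 necessary. A comment on the line, `# +1: the rooms table carries one checkbox that is not a room row` (presumably a header or select-all control — confirm against the rooms template), or better a selector that matches only the room rows so the assertion stays equal to `meeting.room_set.count()`, would make the intent explicit. The test method starts and ends outside the hunk.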
--- a/ietf/secr/templates/base_secr.html +++ b/ietf/secr/templates/base_secr.html @@ -52,17 +52,11 @@ {% endif %} - {% comment %} - - - - {% endcomment %} - {% if messages %}
{% endif %} @@ -83,6 +77,5 @@ {% block footer %}{% endblock %} - +