Included django.utils.html.escape() in the linkify() code, and removed it from various templates, to make sure escape is consistently applied before linkify. Fixes issue #2492.

- Legacy-Id: 15035
2018-04-09 16:36:07 +00:00 · 2018-04-09 16:36:07 +00:00 · ab8e73aca5
parent b5d62973c7
commit ab8e73aca5
8 changed files with 11 additions and 10 deletions
--- a/ietf/templates/doc/document_ballot_content.html
+++ b/ietf/templates/doc/document_ballot_content.html
@ -93,7 +93,7 @@
            <div class="panel-heading">
              <h5 class="panel-title"><b>{{ p.pos.name }}</b> ({{ p.discuss_time|date:"Y-m-d" }}{% if not p.for_current_revision %} for -{{ p.get_dochistory.rev}}{% endif %})</h5>
            </div>
-            <div class="panel-body"><pre class="ballot pasted">{{ p.discuss|escape|linkify }}</pre></div>
+            <div class="panel-body"><pre class="ballot pasted">{{ p.discuss|linkify }}</pre></div>
          </div>
        {% endif %}

@ -102,7 +102,7 @@
            <div class="panel-heading">
              <h5 class="panel-title"><b>Comment</b> ({{ p.comment_time|date:"Y-m-d" }}{% if not p.for_current_revision %} for -{{ p.get_dochistory.rev}}{% endif %})</h5>
            </div>
-            <div class="panel-body"><pre class="ballot pasted">{{ p.comment|escape|linkify }}</pre></div>
+            <div class="panel-body"><pre class="ballot pasted">{{ p.comment|linkify }}</pre></div>
          </div>
        {% endif %}
      {% endfor %}
--- a/ietf/templates/doc/document_review.html
+++ b/ietf/templates/doc/document_review.html
@ -55,6 +55,6 @@
  <h2>{{ doc.type.name }}<br><small>{{ doc.name }}</small></h2>

  {% if doc.rev and content != None %}
-    <pre class="pasted">{{ content|linkify|safe|sanitize }}</pre>
+    <pre class="pasted">{{ content|linkify }}</pre>
  {% endif %}
 {% endblock %}
--- a/ietf/templates/doc/drafts_in_iesg_process.html
+++ b/ietf/templates/doc/drafts_in_iesg_process.html
@ -47,7 +47,7 @@
 	      <a href="{% url "ietf.doc.views_doc.document_main" doc.name %}">{{ doc.name }}</a>
          <br><b>{{ doc.title }}</b>
 	      {% if doc.note %}
-	        <br><i>Note: {{ doc.note|linebreaksbr|linkify }}</i>
+	        <br><i>Note: {{ doc.note|linkify|linebreaksbr }}</i>
 	      {% endif %}
            </td>
          <td>{{ doc.intended_std_level.name }}</td>
--- a/ietf/templates/doc/shepherd_writeup.html
+++ b/ietf/templates/doc/shepherd_writeup.html
@ -12,7 +12,7 @@
  {% origin %}
  <h1>Shepherd writeup<br><small>{{ doc.canonical_name }}-{{ doc.rev }}</small></h1>

-  <pre class="pasted">{{writeup|escape|linkify}}</pre>
+  <pre class="pasted">{{writeup|linkify}}</pre>

  {% if can_edit %}
    <a class="btn btn-primary" href="{% url 'ietf.doc.views_draft.edit_shepherd_writeup' name=doc.name %}">Edit</a>
--- a/ietf/templates/group/all_status.html
+++ b/ietf/templates/group/all_status.html
@ -29,7 +29,7 @@
               <span class="label label-success">{{ rpt.group.state.slug|upper }}</span> 
            {% endif %}
           <br> {{rpt.time|date:"Y-m-d"}}</td>
-      <td><pre class="pasted">{{ rpt.desc|default:"(none)"|escape|linkify }}</pre></td>
+      <td><pre class="pasted">{{ rpt.desc|default:"(none)"|linkify }}</pre></td>
     </tr>
    {% endfor %}
 </table>
@ -44,7 +44,7 @@
              <span class="label label-success">{{ rpt.group.state.slug|upper }}</span> 
           {% endif %}
          <br> {{rpt.time|date:"Y-m-d"}}</td>
-    <td><pre class="pasted">{{ rpt.desc|default:"(none)"|escape|linkify }}</pre></td>
+    <td><pre class="pasted">{{ rpt.desc|default:"(none)"|linkify }}</pre></td>
  </tr>
 {% endfor %}
 </table>
--- a/ietf/templates/group/group_about_status.html
+++ b/ietf/templates/group/group_about_status.html
@ -16,7 +16,7 @@
    Status update for {{ group.type.name }} {{ group.acronym }}
  </h1>

-  <pre class="pasted">{{ status_update.desc|default:"(none)"|escape|linkify }}</pre>
+  <pre class="pasted">{{ status_update.desc|default:"(none)"|linkify }}</pre>

  {% if can_provide_status_update %}
    <a id="edit_button" class="btn btn-primary" href="{% url "ietf.group.views.group_about_status_edit" acronym=group.acronym %}">Edit</a>
--- a/ietf/templates/group/group_about_status_meeting.html
+++ b/ietf/templates/group/group_about_status_meeting.html
@ -16,7 +16,7 @@
    Status update for {{ group.type.name }} {{ group.acronym }} at {{meeting}}
  </h1>

-  <pre class="pasted">{{ status_update.desc|default:"(none)"|escape|linkify }}</pre>
+  <pre class="pasted">{{ status_update.desc|default:"(none)"|linkify }}</pre>

  <a class="btn btn-default pull-right" href="{% url "ietf.meeting.views.proceedings" num=meeting.number %}">Back</a>

--- a/ietf/utils/templatetags/textfilters.py
+++ b/ietf/utils/templatetags/textfilters.py
@ -4,6 +4,7 @@ import bleach

 from django import template
 from django.template.defaultfilters import stringfilter
+from django.utils.html import escape
 from django.utils.safestring import mark_safe

 import debug                            # pyflakes:ignore
@ -71,5 +72,5 @@ def texescape_filter(value):
@register.filter
@stringfilter
 def linkify(value):
-    text = mark_safe(bleach.linkify(value))
+    text = mark_safe(bleach.linkify(escape(value)))
    return text