CVE-2025-52559: Generate HTML for digest recipient header safely.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2025-11-02 13:03:29 +00:00 · 2025-06-23 17:11:34 -07:00
parent 5606489d96
commit 6608c87772
1 changed files with 15 additions and 3 deletions
--- a/zerver/lib/email_notifications.py
+++ b/zerver/lib/email_notifications.py
@@ -20,6 +20,7 @@ from django.utils.timezone import now as timezone_now
 from django.utils.translation import gettext as _
 from django.utils.translation import override as override_language
 from lxml.html import builder as e
+from markupsafe import Markup

 from confirmation.models import one_click_unsubscribe_link
 from zerver.lib.display_recipient import get_display_recipient
@@ -268,7 +269,9 @@ def build_message_list(
                sender=message.sender,
            )
            header = f"You and {message.sender.full_name}"
-            header_html = f"<a style='color: #ffffff;' href='{narrow_link}'>{header}</a>"
+            header_html = Markup(
+                "<a style='color: #ffffff;' href='{narrow_link}'>{header}</a>"
+            ).format(narrow_link=narrow_link, header=header)
        elif message.recipient.type == Recipient.DIRECT_MESSAGE_GROUP:
            grouping = {"huddle": message.recipient_id}
            display_recipient = get_display_recipient(message.recipient)
@@ -278,7 +281,9 @@ def build_message_list(
            )
            other_recipients = [r["full_name"] for r in display_recipient if r["id"] != user.id]
            header = "You and {}".format(", ".join(other_recipients))
-            header_html = f"<a style='color: #ffffff;' href='{narrow_link}'>{header}</a>"
+            header_html = Markup(
+                "<a style='color: #ffffff;' href='{narrow_link}'>{header}</a>"
+            ).format(narrow_link=narrow_link, header=header)
        else:
            assert message.recipient.type == Recipient.STREAM
            grouping = {"stream": message.recipient_id, "topic": message.topic_name().lower()}
@@ -296,7 +301,14 @@ def build_message_list(
            )
            header = f"{stream.name} > {message.topic_name()}"
            stream_link = stream_narrow_url(user.realm, stream)
-            header_html = f"<a href='{stream_link}'>{stream.name}</a> > <a href='{narrow_link}'>{message.topic_name()}</a>"
+            header_html = Markup(
+                "<a href='{stream_link}'>{stream_name}</a> &gt; <a href='{narrow_link}'>{topic_name}</a>"
+            ).format(
+                stream_link=stream_link,
+                stream_name=stream.name,
+                narrow_link=narrow_link,
+                topic_name=message.topic_name(),
+            )
        return {
            "grouping": grouping,
            "plain": header,