semgrep: Detect some unsafe uses of markupsafe.Markup.

Use the built-in HTML escaping of Markup("…{var}…").format(), in order
to allow Semgrep to detect mistakes like Markup("…{var}…".format())
and Markup(f"…{var}…").

Signed-off-by: Anders Kaseorg <anders@zulip.com>
This commit is contained in:
Anders Kaseorg
2023-03-20 23:10:20 -07:00
committed by Tim Abbott
parent f66d952c57
commit afa218fa2a
6 changed files with 36 additions and 28 deletions


@@ -6,7 +6,6 @@ from datetime import datetime
from typing import IO, Any, Callable, Iterator, List, Optional, Tuple
from django.utils.translation import gettext as _
from markupsafe import Markup
from PIL import GifImagePlugin, Image, ImageOps, PngImagePlugin
from PIL.Image import DecompressionBombError
@@ -52,7 +51,7 @@ def sanitize_name(value: str) -> str:
value = re.sub(r"[^\w\s.-]", "", value).strip()
value = re.sub(r"[-\s]+", "-", value)
assert value not in {"", ".", ".."}
return Markup(value)
return value
class BadImageError(JsonableError):
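Review bot: With `return Markup(value)` replaced by `return value`, sanitize_name now hands callers a plain str that template engines will autoescape, whereas the old Markup result was treated as pre-escaped HTML; that is the safer direction, but nothing in the hunk records it, so a docstring such as `"""Return a filename-safe version of value; the result is a plain str, not HTML-safe markup, and must be escaped wherever it is rendered."""` would stop a future caller from re-wrapping it in Markup. Since `\w` in a str-mode regex is Unicode-aware, the returned name may still contain non-ASCII letters, which is another reason not to present it as safe markup. The only guard against the results `""`, `"."` and `".."` is the `assert` three lines above the return, which is stripped under `python -O`; if that guard is relied on, `if value in {"", ".", ".."}: raise ValueError("invalid sanitized name")` (or the project's own error type) would be more robust. The `def sanitize_name(value: str) -> str:` header lies outside the hunk.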