Merge pull request #1742 from dandi/xss-fix

Fix S308 Use of `mark_safe` may expose cross-site scripting vulnerabilities
dandi · Nov 9, 2023 · 02b5b73 · 02b5b73
2 parents cf99632 + ecc7548
commit 02b5b73
Showing 1 changed file with 6 additions and 4 deletions.
diff --git a/dandiapi/api/admin.py b/dandiapi/api/admin.py
@@ -11,7 +11,7 @@
 from django.http.request import HttpRequest
 from django.http.response import HttpResponse
 from django.urls import reverse
-from django.utils.safestring import mark_safe
+from django.utils.html import format_html
 from guardian.admin import GuardedModelAdmin
 
 from dandiapi.api.models import (
@@ -69,8 +69,10 @@ def export_emails_to_plaintext(self, request, queryset):
 
     @admin.display(ordering='metadata__status')
     def status(self, obj):
-        return mark_safe(
-            f'<a href="{reverse("user-approval", args=[obj.username])}">{obj.metadata.status}</a>'
+        return format_html(
+            '<a href="{}">{}</a>',
+            reverse('user-approval', args=[obj.username]),
+            obj.metadata.status,
         )
 
     @admin.display()
@@ -79,7 +81,7 @@ def github_username(self, obj):
         if social_account is None:
             return '(none)'
         gh_username: str = social_account_to_dict(social_account)['username']
-        return mark_safe(f'<a href="https://github.com/{gh_username}">{gh_username}</a>')
+        return format_html('<a href="https://github.com/{}">{}</a>', gh_username, gh_username)
 
 
 admin.site.unregister(User)