Prevent XSS injection with default template.

richardbarran · Aug 29, 2022 · 960cb06 · 960cb06
1 parent ed468ea
commit 960cb06
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 1 deletion.
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
@@ -5,6 +5,7 @@ Changelog
 -----------------
 
 - Split out zip upload functionality into a separate function (#222) (contributed by lausek).
+- Do not allow JS injection into the Photo caption field (#223) (bug detected by Domiee13).
 
 
 3.15.1 (2022-02-23)

diff --git a/docs/pages/usage.rst b/docs/pages/usage.rst
@@ -43,3 +43,14 @@ These can be used in a custom template to display a thumbnail, e.g.::
 This will display an image, sized to the dimensions specified in the Photosize ``display``,
 and provide a clickable link to the raw image. Please refer to the example templates for ideas on how to use
 ``Photo`` and ``Gallery`` instances!
+
+Data integrity
+--------------
+Photologue will store 'as-is' any data stored for galleries and photos.
+You may want to enforce some data integrity rules - e.g. to sanitise
+any javascript injected into a ``Photo`` ``caption`` field. An easy way to do this
+would be to add extra processing on a ``post-save`` signal.
+
+Photologue does not sanitise data itself as you may legitimately want to store html and
+javascript in a caption field e.g. if you use a rich-text editor.
+
diff --git a/photologue/templates/photologue/photo_detail.html b/photologue/templates/photologue/photo_detail.html
@@ -14,7 +14,7 @@ <h1>{{ object.title }}</h1>
 
 <div class="row">
     <div class="col-md-6">
-        {% if object.caption %}<p>{{ object.caption|safe }}</p>{% endif %}
+        {% if object.caption %}<p>{{ object.caption }}</p>{% endif %}
         <a href="{{ object.image.url }}">
             <img src="{{ object.get_display_url }}" class="img-thumbnail" alt="{{ object.title }}">
         </a>

diff --git a/photologue/tests/test_views_photo.py b/photologue/tests/test_views_photo.py
@@ -54,3 +54,13 @@ def test_archive_day_photo_works(self):
     def test_detail_photo_works(self):
         response = self.client.get('/ptests/photo/2011/12/23/fake-photo/')
         self.assertEqual(response.status_code, 200)
+    def test_detail_photo_xss(self):
+        """Check that the default templates handle XSS."""
+        self.photo.title = '<img src=x onerror=alert("title")>'
+        self.photo.caption = '<img src=x onerror=alert(origin)>'
+        self.photo.save()
+        response = self.client.get('/ptests/photo/2011/12/23/fake-photo/')
+        self.assertContains(response, 'Photologue Demo - &lt;img src=x onerror=alert(&quot;title&quot;)&gt;')
+        self.assertNotContains(response, '<img src=x onerror=alert("title")>')
+        self.assertContains(response, '&lt;img src=x onerror=alert(origin)&gt;')
+        self.assertNotContains(response, '<img src=x onerror=alert(origin)>')
-Original file line number
+Diff line change
@@ Expand Up / @@ -5,6 +5,7 @@ Changelog @@
     -----------------
     - Split out zip upload functionality into a separate function (#222) (contributed by lausek).
+    - Do not allow JS injection into the Photo caption field (#223) (bug detected by Domiee13).
 .15.1 (2022-02-23)
@@ Expand Down @@