From 7bab9e1234f36a4201b024c85220fd351bc32228 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Toni=20Sch=C3=B6nbuchner?=
Date: Tue, 29 Oct 2019 11:27:34 +0100
Subject: [PATCH 1/5] [Fixes #5137] Striptags for service resources

---
geonode/services/templates/services/service_detail.html | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/geonode/services/templates/services/service_detail.html b/geonode/services/templates/services/service_detail.html
index b2bf0d48e2b..4c60bbeefac 100644
--- a/geonode/services/templates/services/service_detail.html
+++ b/geonode/services/templates/services/service_detail.html
@@ -41,15 +41,15 @@

{% trans "Service Resources" %} {{ total_resources }} - {{service.title}} - {{service.abstract}} + {{service.title|striptags}} + {{service.abstract|striptags}} {% endfor %} {% for layer in layers %} {% if layer.group != "background" %} - {{layer.title}} - {{layer.abstract}} + {{layer.title|striptags}} + {{layer.abstract|striptags}} {% endif %} {% endfor %} From fdd2c85fe7723795069f27fca3e5bd9890433c90 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Toni=20Sch=C3=B6nbuchner?= Date: Tue, 29 Oct 2019 11:28:48 +0100 Subject: [PATCH 2/5] [Fixes #5138] Escape Hierarchical-tags --- geonode/base/models.py | 3 +++ geonode/layers/tests.py | 20 +++++++++++++++++++- 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/geonode/base/models.py b/geonode/base/models.py index 88181530054..04bbf611c0c 100644 --- a/geonode/base/models.py +++ b/geonode/base/models.py @@ -41,6 +41,7 @@ from django.core.files.base import ContentFile from django.contrib.gis.geos import GEOSGeometry from django.utils.timezone import now +from django.utils.html import escape from mptt.models import MPTTModel, TreeForeignKey @@ -383,6 +384,8 @@ def add(self, *tags): tag_objs.update(existing) for new_tag in str_tags - set(t.name for t in existing): if new_tag: + new_tag = escape(new_tag) + new_tag = "".join(new_tag.split()) tag_objs.add(HierarchicalKeyword.add_root(name=new_tag)) for tag in tag_objs: diff --git a/geonode/layers/tests.py b/geonode/layers/tests.py index a68f5275539..0ee266824e3 100644 --- a/geonode/layers/tests.py +++ b/geonode/layers/tests.py 
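Review bot: `{{service.title|striptags}}` / `{{service.abstract|striptags}}` and the two layer lines should not be read as the XSS control for this page — Django documents that `striptags` makes no guarantee that its output is HTML-safe (it does not handle nested or malformed tags recursively), so the protection still rests on autoescaping at render time. That only holds if these values are never combined with `|safe` and the block is not inside `{% autoescape off %}`; the enclosing markup is outside the hunk (and the page rendering has dropped the tags), so please confirm. A short template comment such as `{# striptags is presentational only; output escaping is provided by autoescape #}` would stop a later edit from adding `|safe` to "fix" entity display.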
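Review bot: `new_tag = escape(new_tag)` escapes on write, so the keyword stored in the database becomes the entity-encoded text (`&lt;script&gt;…`), which any autoescaped template will then double-escape and show literally, and which API/JSON consumers receive as HTML entities in data. Output escaping is the layer Django already provides; on the write side, rejecting (or stripping with `strip_tags`) names that contain markup keeps the stored value clean and avoids this. The escape also applies only to new tags: `existing` is resolved above this hunk, presumably from the raw names, so re-adding `a<b` would not match the stored `a&lt;b` and would call `add_root` again each time — worth a test. The `"".join(new_tag.split())` line collapses all internal whitespace (`land cover` → `landcover`); it is reverted in patch 4 of this series, so it could simply be dropped from this commit. The body of `add` begins and ends outside the hunk.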
@@ -258,6 +258,18 @@ def test_layer_save(self): u'here', u'keywords', u'populartag', u'saving', u'ß', u'ä', u'ö', u'ü', u'論語']) + # Test input escape + lyr.keywords.add(*["Europe", + "land_covering", + "Science"]) + + self.assertEqual( + lyr.keyword_list(), [ + u'<IMGSRC='javascript:true;'>Science', u'Europe<script>true;</script>', + u'here', u'keywords', u'land_<script>true;</script>covering', u'populartag', u'saving', + u'ß', u'ä', u'ö', u'ü', u'論語']) + + self.client.login(username='admin', password='admin') response = self.client.get(reverse('layer_detail', args=(lyr.alternate,))) self.failUnlessEqual(response.status_code, 200) @@ -277,7 +289,13 @@ def test_layer_save(self): {"text": u"ä", "href": "a", "id": 10}, {"text": u"ö", "href": "o", "id": 7}, {"text": u"ü", "href": "u", "id": 8}, - {"text": u"論語", "href": "lun-yu", "id": 6} + {"text": u"論語", "href": "lun-yu", "id": 6}, + {"text": u"Europe<script>true;</script>", + "href": "u'europeltscriptgttrueltscriptgt", "id": 12}, + {"text": u"land_<script>true;</script>covering", + "href": "u'land_ltscriptgttrueltscriptgtcovering", "id": 13}, + {"text": u"<IMGSRC='javascript:true;'>Science", + "href": "u'ltimgsrc39javascripttrue39gtscience", "id": 11}, ])) def test_layer_links(self): From 95d4993bc5dab28d21e9eb712be29888cefe9ce5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Toni=20Sch=C3=B6nbuchner?= Date: Tue, 29 Oct 2019 12:28:44 +0100 Subject: [PATCH 3/5] [Fixes #5138] Fix Flake8 --- geonode/layers/tests.py | 1 - 1 file changed, 1 deletion(-) diff --git a/geonode/layers/tests.py b/geonode/layers/tests.py index 0ee266824e3..53e040c1dc7 100644 --- a/geonode/layers/tests.py +++ b/geonode/layers/tests.py 
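Review bot: The new href expectations in the `@@ -277` hunk, e.g. `"href": "u'europeltscriptgttrueltscriptgt"`, pin a literal `u'` prefix inside the slug, which looks like a Python 2 unicode repr leaking into the href generation rather than intended behaviour; asserting it here cements the defect instead of surfacing it, so either fix the slug source or mark that line with `# FIXME: 'u\'' prefix is a repr artefact`. The `keyword_list()` assertion likewise requires entity-encoded names (the page shows them unescaped, but the source literal is presumably the `&lt;…&gt;` form), so this test locks in store-time escaping rather than checking that rendered output is safe; a response-content assertion on `layer_detail` would test the property that actually matters. `test_layer_save` begins before this hunk and continues after it.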
@@ -269,7 +269,6 @@ def test_layer_save(self): u'here', u'keywords', u'land_<script>true;</script>covering', u'populartag', u'saving', u'ß', u'ä', u'ö', u'ü', u'論語']) - self.client.login(username='admin', password='admin') response = self.client.get(reverse('layer_detail', args=(lyr.alternate,))) self.failUnlessEqual(response.status_code, 200) From 04dc9b7044629e6ff5897d9adc7b7cd2c2957b8d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Toni=20Sch=C3=B6nbuchner?= Date: Tue, 29 Oct 2019 13:00:27 +0100 Subject: [PATCH 4/5] [Fixes #5138] Fix blank space --- geonode/base/models.py | 1 - 1 file changed, 1 deletion(-) diff --git a/geonode/base/models.py b/geonode/base/models.py index 04bbf611c0c..96fbbb5bc7d 100644 --- a/geonode/base/models.py +++ b/geonode/base/models.py @@ -385,7 +385,6 @@ def add(self, *tags): for new_tag in str_tags - set(t.name for t in existing): if new_tag: new_tag = escape(new_tag) - new_tag = "".join(new_tag.split()) tag_objs.add(HierarchicalKeyword.add_root(name=new_tag)) for tag in tag_objs: From 010aa1f5d781233237cc75df31a8bfae2f21499a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Toni=20Sch=C3=B6nbuchner?= Date: Tue, 29 Oct 2019 13:54:37 +0100 Subject: [PATCH 5/5] [Fixes #5138] Fix assertation error --- geonode/layers/tests.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/geonode/layers/tests.py b/geonode/layers/tests.py index 53e040c1dc7..f3535018038 100644 --- a/geonode/layers/tests.py +++ b/geonode/layers/tests.py @@ -265,7 +265,7 @@ def test_layer_save(self): self.assertEqual( lyr.keyword_list(), [ - u'<IMGSRC='javascript:true;'>Science', u'Europe<script>true;</script>', + u'<IMG SRC='javascript:true;'>Science', u'Europe<script>true;</script>', u'here', u'keywords', u'land_<script>true;</script>covering', u'populartag', u'saving', u'ß', u'ä', u'ö', u'ü', u'論語'])
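Review bot: The corrected literal `u'<IMG SRC='javascript:true;'>Science'` keeps the space that patch 4 stopped stripping, but the href asserted for the same keyword in the earlier `@@ -277` hunk (`"u'ltimgsrc39javascripttrue39gtscience"`) has no separator at that position. If that href is derived from the keyword name by slugify-style processing, the surviving space would become a hyphen (`ltimg-src39…`) and that expectation needs the matching update — confirm against the test run rather than the page, since the series does not show it. `test_layer_save` begins before this hunk and continues after it.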