Ash Berlin-Taylor created AIRFLOW-4083:
------------------------------------------
Summary: Unify and test escaping of generated links
Key: AIRFLOW-4083
URL: https://issues.apache.org/jira/browse/AIRFLOW-4083
Project: Apache Airflow
Issue Type: Bug
Reporter: Ash Berlin-Taylor
Fix For: 1.10.3
We have a number of places where we generate HTML links in the app, and they
are not well tested for XSS protection.
Additionally we are using flask.Markup incorrectly, which also forces us to
call {{bleach.clean}} on the format strings.
Instead of
{code:python}
Markup('<a href="{}">'.format(url))
{code}
we should be doing
{code:python}
Markup('<a href="{}">').format(url)
{code}
(Markup has {{.format()}} and {{%}} support that will correctly escape all the
interpolations for us!)
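Added example (not from the issue or Airflow's code) putting the two patterns side by side with a constructed hostile value. It assumes markupsafe (the library behind flask.Markup) is installed and otherwise falls back to a small stand-in that mirrors markupsafe's escaping rule so the demo still runs.

```python
# Added example (not Airflow's code): the two patterns from the issue, side by side.
# Uses markupsafe (the library behind flask.Markup) when installed; otherwise a
# minimal stand-in that mirrors markupsafe's escaping rule so the demo still runs.
try:
    from markupsafe import Markup
except ImportError:
    _ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&#34;", "'": "&#39;"}

    def _escape(value):
        # Markup arguments are already trusted HTML and pass through unchanged.
        if isinstance(value, Markup):
            return value
        return "".join(_ESCAPES.get(c, c) for c in str(value))

    class Markup(str):
        """str subclass meaning 'already safe HTML'. Only .format()/% escape."""
        def format(self, *args, **kwargs):
            return Markup(str.format(self, *map(_escape, args),
                                     **{k: _escape(v) for k, v in kwargs.items()}))

        def __mod__(self, arg):
            args = tuple(map(_escape, arg)) if isinstance(arg, tuple) else _escape(arg)
            return Markup(str.__mod__(self, args))

LINK_TEMPLATE = '<a href="{}">{}</a>'

def unsafe_link(url, label):
    # Wrong: str.format inserts the raw values first, then Markup() stamps the
    # whole string as safe, so Jinja will render any injected tags verbatim.
    return Markup(LINK_TEMPLATE.format(url, label))

def safe_link(url, label):
    # Right: Markup.format escapes each interpolation before inserting it.
    return Markup(LINK_TEMPLATE).format(url, label)

def safe_link_percent(url, label):
    # The % operator on Markup applies the same escaping as .format().
    return Markup('<a href="%s">%s</a>') % (url, label)

def anchor_count(html):
    # Cheap structural check: a single link has exactly one '<a ' and one '</a>'.
    return html.count("<a "), html.count("</a>")

if __name__ == "__main__":
    # Constructed sample: a value that tries to close the href attribute early.
    evil = '"><b>injected</b><a href="'
    print(unsafe_link(evil, "dag"))   # injected tag survives
    print(safe_link(evil, "dag"))     # quotes and brackets are escaped
```

Arguments that are themselves Markup pass through .format() unescaped, so only wrap text in Markup once it really is trusted HTML.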
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)