[https://issues.apache.org/jira/browse/AIRFLOW-4083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16792006#comment-16792006]
ASF GitHub Bot commented on AIRFLOW-4083:
-----------------------------------------
ashb commented on pull request #4912: [AIRFLOW-4083] Add tests for link generation utils
URL: https://github.com/apache/airflow/pull/4912
Make sure you have checked _all_ steps below.
### Jira
https://issues.apache.org/jira/browse/AIRFLOW-4083
### Description
We were making use of the "bleach" module or jinja.escape function to
clean parameters when it wasn't needed - we could simply call .format on
the Markup object and it will handle escaping for us. (format the
object, not format the string passed to the constructor)
This removes the (direct?) dependency on bleach - one less thing to
depend on is a good thing too.
### Tests
- [x] Tests added to tests/www/test_utils.
### Commits
- [x] My commits all reference Jira issues in their subject lines, and I
have squashed multiple commits if they address the same issue. In addition, my
commits follow the guidelines from "[How to write a good git commit
message](http://chris.beams.io/posts/git-commit/)":
1. Subject is separated from body by a blank line
1. Subject is limited to 50 characters (not including Jira issue reference)
1. Subject does not end with a period
1. Subject uses the imperative mood ("add", not "adding")
1. Body wraps at 72 characters
1. Body explains "what" and "why", not "how"
### Documentation
- [x] In case of new functionality, my PR adds documentation that describes
how to use it.
- When adding new operators/hooks/sensors, the autoclass documentation
generation needs to be added.
- All the public functions and the classes in the PR contain docstrings
that explain what they do
- If you implement backwards incompatible changes, please leave a note in
the [Updating.md](https://github.com/apache/airflow/blob/master/UPDATING.md) so
we can assign it to an appropriate release
### Code Quality
- [x] Passes `flake8`
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
> Unify and test escaping of generated links
> ------------------------------------------
>
> Key: AIRFLOW-4083
> URL: https://issues.apache.org/jira/browse/AIRFLOW-4083
> Project: Apache Airflow
> Issue Type: Bug
> Reporter: Ash Berlin-Taylor
> Priority: Major
> Fix For: 1.10.3
>
>
> We have a number of places where we generate HTML links in the app, and they
> are not well tested for XSS protection.
> Additionally we are using flask.Markup incorrectly - leading to also having
> to call `bleach.clean` on the format strings.
> Instead of
> ```python
> Markup('<a href="{}">'.format(url))
> ```
> we should be doing
> ```python
> Markup('<a href="{}">').format(url)
> ```
> (Markup has `.format()` and `%` support that will correctly escape all
> the interpolations for us!)
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
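The difference between the two call shapes in the ticket is easiest to see with an attacker-controlled value pushed through both. The block below is an added example, not code from the Airflow pull request or from the `tests/www/test_utils` tests it mentions. It uses `markupsafe.Markup` (the class `flask.Markup` re-exports) when that package is installed; otherwise it falls back to a minimal stand-in, written here and labelled as such, that mirrors the escaping rule the ticket relies on (format arguments are escaped unless they already carry `__html__`). The link-building helpers and the attacker strings are constructed for the demo.

```python
"""Why Markup(fmt.format(x)) is unsafe and Markup(fmt).format(x) is not.

Added example for AIRFLOW-4083. Uses markupsafe when available; the
fallback below is an assumption-labelled stand-in with the same escaping
semantics so the demo runs offline.
"""
import html

try:
    from markupsafe import Markup, escape
except ImportError:  # stand-in (assumption): mimics markupsafe for this demo

    def escape(value):
        # Values exposing __html__ are already trusted markup and pass
        # through untouched; everything else is HTML-escaped, including quotes.
        if hasattr(value, "__html__"):
            return Markup(value.__html__())
        return Markup(html.escape(str(value), quote=True))

    class Markup(str):
        def __html__(self):
            return self

        def format(self, *args, **kwargs):
            # Escape every interpolation, then mark the combined result safe.
            args = tuple(escape(a) for a in args)
            kwargs = {k: escape(v) for k, v in kwargs.items()}
            return Markup(str.format(self, *args, **kwargs))

        def __mod__(self, arg):
            if isinstance(arg, tuple):
                arg = tuple(escape(a) for a in arg)
            elif isinstance(arg, dict):
                arg = {k: escape(v) for k, v in arg.items()}
            else:
                arg = escape(arg)
            return Markup(str.__mod__(self, arg))


# Constructed attacker-controlled inputs (not taken from the original page).
EVIL_URL = '"><script>alert(1)</script><a href="'
EVIL_TEXT = "<img src=x onerror=alert(1)>"


def link_unsafe(url, text):
    # The pattern the ticket flags: str.format runs first and bakes the raw
    # values into the string, then Markup() blesses the whole thing as safe.
    # Nothing is escaped, so this needs bleach.clean on every argument.
    return Markup('<a href="{}">{}</a>'.format(url, text))


def link_safe(url, text):
    # The recommended pattern: Markup.format escapes each interpolation
    # (unless it is already Markup) before splicing it into the template.
    return Markup('<a href="{}">{}</a>').format(url, text)


def link_safe_percent(url, text):
    # Markup.__mod__ applies the same per-argument escaping as .format.
    return Markup('<a href="%s">%s</a>') % (url, text)


def nested_fragment():
    # A value that is already Markup is trusted and not escaped again, which
    # is what lets generated fragments be composed without double escaping.
    return link_safe("https://example.com", Markup("<b>bold</b>"))


if __name__ == "__main__":
    print("unsafe :", link_unsafe(EVIL_URL, EVIL_TEXT))
    print("safe   :", link_safe(EVIL_URL, EVIL_TEXT))
    print("percent:", link_safe_percent(EVIL_URL, EVIL_TEXT))
    print("nested :", nested_fragment())
```

The `.format`-on-the-object form is also the one to use for benign values: an `&` in a query string comes out as `&amp;`, which is the correct encoding inside an HTML attribute, so there is no reason to pre-clean URLs with `bleach` before handing them to `Markup`.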