[ https://issues.apache.org/jira/browse/AIRFLOW-4083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16792738#comment-16792738 ]

ASF GitHub Bot commented on AIRFLOW-4083:
-----------------------------------------

XD-DENG commented on pull request #4912: [AIRFLOW-4083] Add tests for link 
generation utils
URL: https://github.com/apache/airflow/pull/4912
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


> Unify and test escaping of generated links
> ------------------------------------------
>
>                 Key: AIRFLOW-4083
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-4083
>             Project: Apache Airflow
>          Issue Type: Bug
>            Reporter: Ash Berlin-Taylor
>            Assignee: Ash Berlin-Taylor
>            Priority: Major
>             Fix For: 1.10.3
>
>
> We have a number of places where we generate HTML links in the app, and they 
> are not well tested for XSS protection.
> Additionally we are using flask.Markup incorrectly - leading to also having 
> to call {{bleach.clean}} on the format strings.
> Instead of
> {code:python}
> Markup('<a href="{}">'.format(url))
> {code}
> we should be doing
> {code:python}
> Markup('<a href="{}">').format(url)
> {code}
> (Markup has {{.format()}} and {{%}} support that will correctly escape all 
> the interpolations for us!)
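The two patterns from the issue above, side by side, as an added example that is not part of the Jira thread or the Airflow code base. It assumes markupsafe (the library behind flask.Markup) is importable; where it is not, a small stand-in that reproduces the relevant behaviour of Markup.format() and Markup.__mod__ is used so the example still runs. The helper names (unsafe_link, safe_link, safe_link_percent) and the sample URL and label are constructed for illustration.

```python
"""Why Markup('...'.format(x)) is wrong and Markup('...').format(x) is right.

The first form runs str.format on a plain string and only then wraps the
result as Markup, so the interpolated values are never escaped. The second
form keeps the template as Markup and lets Markup.format() escape each value.
"""

try:
    from markupsafe import Markup, escape
except ImportError:  # assumption: fallback stand-in mirroring markupsafe's escaping
    def escape(value):
        # Values that declare themselves safe HTML (Markup) pass through;
        # everything else is escaped with the same replacements markupsafe uses.
        if hasattr(value, "__html__"):
            return Markup(value.__html__())
        return Markup(
            str(value)
            .replace("&", "&amp;")
            .replace(">", "&gt;")
            .replace("<", "&lt;")
            .replace("'", "&#39;")
            .replace('"', "&#34;")
        )

    class Markup(str):
        def __html__(self):
            return self

        def format(self, *args, **kwargs):
            # Escape the interpolated values, not the template itself.
            return Markup(
                str.format(
                    self,
                    *(escape(a) for a in args),
                    **{k: escape(v) for k, v in kwargs.items()},
                )
            )

        def __mod__(self, arg):
            if isinstance(arg, tuple):
                arg = tuple(escape(a) for a in arg)
            else:
                arg = escape(arg)
            return Markup(str.__mod__(self, arg))


def unsafe_link(url, text):
    # The pattern the issue flags: formatting happens on a plain str, so url
    # and text land in the HTML verbatim and the result is then marked safe.
    return Markup('<a href="{}">{}</a>'.format(url, text))


def safe_link(url, text):
    # Markup.format() escapes each interpolated value; the template stays literal.
    return Markup('<a href="{}">{}</a>').format(url, text)


def safe_link_percent(url, text):
    # The % operator on Markup escapes its operands the same way.
    return Markup('<a href="%s">%s</a>') % (url, text)


if __name__ == "__main__":
    # Constructed sample input containing the characters that matter for
    # attribute and text context: quotes, ampersand and angle brackets.
    url = '/dags?q="a"&b=<c>'
    label = "Tom & Jerry"
    print("unsafe:", unsafe_link(url, label))
    print("safe:  ", safe_link(url, label))
    print("safe %:", safe_link_percent(url, label))
    # A value already marked as Markup is trusted and left unescaped.
    print("markup:", safe_link("/home", Markup("<b>Home</b>")))
```

Run it and compare the first two lines: the unsafe form emits the quote characters inside the href attribute untouched, while the safe form turns them into `&#34;`. Note the last line as well: values that are already Markup are passed through, so the escaping decision is made once, where the Markup value is created, and bleach.clean on the format string becomes unnecessary.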



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
