[
https://issues.apache.org/jira/browse/AIRFLOW-4083?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Xiaodong DENG resolved AIRFLOW-4083.
------------------------------------
Resolution: Resolved
> Unify and test escaping of generated links
> ------------------------------------------
>
> Key: AIRFLOW-4083
> URL: https://issues.apache.org/jira/browse/AIRFLOW-4083
> Project: Apache Airflow
> Issue Type: Bug
> Reporter: Ash Berlin-Taylor
> Assignee: Ash Berlin-Taylor
> Priority: Major
> Fix For: 1.10.3
>
>
> We have a number of places where we generate HTML links in the app, and they
> are not well tested for XSS protection.
> Additionally we are using flask.Markup incorrectly - leading to also having
> to call {{bleach.clean}} on the format strings.
> Instead of
> {code:python}
> Markup('<a href="{}">'.format(url))
> {code}
> we should be doing
> {code:python}
> Markup('<a href="{}">').format(url)
> {code}
> (Markup has {{.format()}} and {{%}} support that will correctly escape all
> the interpolations for us!)
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
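The escaping difference the ticket describes, as an added example that is not part of the issue text or of Airflow's code base. It uses markupsafe, the library that flask.Markup re-exports; if markupsafe is absent a minimal stand-in with the same escape table is defined so the demo still runs (that stand-in is an assumption of this example, not the library). URL_PAYLOAD, the render_link_* functions and the href_scheme_allowed check are constructed for this example; the scheme check in particular is a practitioner's caveat the ticket does not mention, since Markup.format stops attribute breakout but passes a javascript: URL through unchanged.

```python
"""Added example (not Airflow's code): why Markup('...'.format(url)) leaves an
XSS hole while Markup('...').format(url) does not.

Uses markupsafe, the library that flask.Markup re-exports. If it is not
installed, a minimal stand-in with the same escaping contract is defined so
the demo still runs; that stand-in is an assumption of this example."""
from urllib.parse import urlsplit

try:
    from markupsafe import Markup, escape
except ImportError:  # fallback: mirrors markupsafe's escape table and format/% behaviour

    class Markup(str):
        """A str marked as already-safe HTML; interpolated values get escaped."""

        def format(self, *args, **kwargs):
            args = tuple(escape(a) for a in args)
            kwargs = {k: escape(v) for k, v in kwargs.items()}
            return Markup(str.format(self, *args, **kwargs))

        def __mod__(self, arg):
            if isinstance(arg, tuple):
                arg = tuple(escape(a) for a in arg)
            else:
                arg = escape(arg)
            return Markup(str.__mod__(self, arg))

    def escape(value):
        if isinstance(value, Markup):  # already safe, do not double-escape
            return value
        return Markup(
            str(value)
            .replace("&", "&amp;")
            .replace("<", "&lt;")
            .replace(">", "&gt;")
            .replace('"', "&#34;")
            .replace("'", "&#39;")
        )


# Constructed attacker-controlled input: closes the href attribute and injects a tag.
URL_PAYLOAD = 'http://example.com/"><script>alert(1)</script>'


def render_link_unsafe(url, label):
    """The 'before' form from the ticket: str.format splices url in raw, then
    the whole string is blessed as Markup, so nothing ever escapes it."""
    return Markup('<a href="{}">{}</a>'.format(url, label))


def render_link_safe(url, label):
    """The 'after' form: Markup.format escapes each interpolated value."""
    return Markup('<a href="{}">{}</a>').format(url, label)


def render_link_percent(url, label):
    """The % operator on a Markup escapes interpolations the same way."""
    return Markup('<a href="%s">%s</a>') % (url, label)


def contains_raw_tag(rendered):
    """True if the rendered HTML still carries an unescaped <script> tag."""
    return "<script>" in str(rendered)


def href_scheme_allowed(url, allowed=("http", "https", "")):
    """Escaping only prevents attribute breakout; a javascript: URL survives
    Markup.format untouched. Scheme allow-listing is a separate check that the
    ticket does not mention; it is added here as a practitioner's caveat."""
    return urlsplit(url).scheme.lower() in allowed


if __name__ == "__main__":
    print("unsafe:", render_link_unsafe(URL_PAYLOAD, "Report"))
    print("safe:  ", render_link_safe(URL_PAYLOAD, "Report"))
    print("%-form:", render_link_percent(URL_PAYLOAD, "Report"))
    print("javascript: passes escaping:", render_link_safe("javascript:alert(1)", "x"))
    print("scheme check rejects it:", not href_scheme_allowed("javascript:alert(1)"))
```

Passing a value that is already a Markup (for example a label built from another escaped fragment) does not get double-escaped, which is why the fix can drop the extra bleach.clean pass on the format strings: only the untrusted interpolations are escaped, and the literal template stays as written.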