[
https://issues.apache.org/jira/browse/AIRFLOW-4083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16792739#comment-16792739
]
ASF subversion and git services commented on AIRFLOW-4083:
----------------------------------------------------------
Commit 25f5a5b14a2e6780474e06b94b9f252c173bfd94 in airflow's branch
refs/heads/master from Ash Berlin-Taylor
[ https://gitbox.apache.org/repos/asf?p=airflow.git;h=25f5a5b ]
[AIRFLOW-4083] Add tests for link generation utils (#4912)
We were making use of the "bleach" module or jinja.escape function to
clean parameters when it wasn't needed - we could simply call .format on
the Markup object and it will handle escaping for us. (format the
object, not format the string passed to the constructor)
This removes the (direct?) dependency on bleach - one less thing to
depend on is a good thing too.
> Unify and test escaping of generated links
> ------------------------------------------
>
> Key: AIRFLOW-4083
> URL: https://issues.apache.org/jira/browse/AIRFLOW-4083
> Project: Apache Airflow
> Issue Type: Bug
> Reporter: Ash Berlin-Taylor
> Assignee: Ash Berlin-Taylor
> Priority: Major
> Fix For: 1.10.3
>
>
> We have a number of places where we generate HTML links in the app, and they
> are not well tested for XSS protection.
> Additionally we are using flask.Markup incorrectly - leading to also having
> to call {{bleach.clean}} on the format strings.
> Instead of
> {code:python}
> Markup('<a href="{}">'.format(url))
> {code}
> we should be doing
> {code:python}
> Markup('<a href="{}">').format(url)
> {code}
> (Markup has {{.format()}} and {{%}} support that will correctly escape all
> the interpolations for us!)
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
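The two Markup patterns the issue contrasts, side by side, as an added example (not code from the commit or from the Airflow code base). It uses `markupsafe.Markup`, which is what `flask.Markup` re-exports; if that package is not installed it falls back to a minimal stand-in class (an assumption of this example, not part of Flask) that only implements the escaping behaviour of `.format()` needed here. The input string is constructed for the demonstration.

```python
"""Added example: Markup('...'.format(x)) versus Markup('...').format(x)."""
import html

try:
    from markupsafe import Markup  # flask.Markup is this class
except ImportError:
    # Assumption: minimal stand-in so the example runs without markupsafe.
    # Like the real class, .format() escapes every argument unless it is
    # already Markup, and returns Markup.
    class Markup(str):
        def format(self, *args, **kwargs):
            def esc(value):
                if isinstance(value, Markup):
                    return value
                return html.escape(str(value), quote=True)

            return Markup(
                str.format(
                    self,
                    *[esc(a) for a in args],
                    **{k: esc(v) for k, v in kwargs.items()},
                )
            )

        def __html__(self):
            return str(self)


# Constructed attacker-style value: tries to close the href attribute.
UNTRUSTED_URL = '"><script>alert(1)</script>'


def link_unsafe(url):
    """The anti-pattern from the issue.

    The plain str is formatted first, so the untrusted value is interpolated
    verbatim; wrapping the result in Markup then marks all of it as safe.
    """
    return Markup('<a href="{}">link</a>'.format(url))


def link_safe(url):
    """The pattern the issue recommends.

    Calling .format() on the Markup object escapes each argument (unless the
    argument is itself Markup), so the value cannot break out of the attribute.
    """
    return Markup('<a href="{}">link</a>').format(url)


def is_contained(rendered):
    """True if the interpolated value stayed inside the href attribute."""
    body = str(rendered)
    return "<script" not in body and body.count('"') == 2


if __name__ == "__main__":
    print("unsafe:", link_unsafe(UNTRUSTED_URL))
    print("safe:  ", link_safe(UNTRUSTED_URL))
```

`is_contained` is the kind of check the commit's tests are about: rather than asserting one exact entity encoding (markupsafe emits `&#34;` for a double quote, `html.escape` emits `&quot;`), it asserts the property that matters, namely that no new tag or attribute delimiter reached the output.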