This is an automated email from the ASF dual-hosted git repository.
kaxilnaik pushed a commit to branch v1-10-test
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/v1-10-test by this push:
new 371345d fixup! Don't use the `|safe` filter in code, it's risky
(#9180)
371345d is described below
commit 371345d2c7b4651bcc12841da1c003c7e2cc15c7
Author: Kaxil Naik <[email protected]>
AuthorDate: Fri Jun 12 02:26:11 2020 +0100
fixup! Don't use the `|safe` filter in code, it's risky (#9180)
(cherry picked from commit 5f0320e56bfeda5d03141b5ce1790742f796847f)
---
airflow/www/static/main.css | 4 +++
airflow/www/templates/airflow/chart.html | 2 +-
airflow/www/templates/airflow/code.html | 2 +-
airflow/www/templates/airflow/config.html | 2 +-
airflow/www/templates/airflow/dag.html | 6 ++--
airflow/www/templates/airflow/dag_code.html | 2 +-
airflow/www/templates/airflow/duration_chart.html | 4 +--
airflow/www/templates/airflow/gantt.html | 4 +--
airflow/www/templates/airflow/graph.html | 14 ++++-----
airflow/www/templates/airflow/task.html | 8 +----
airflow/www/templates/airflow/task_instance.html | 2 +-
airflow/www/templates/airflow/ti_code.html | 2 +-
airflow/www/views.py | 36 +++++++++++++----------
13 files changed, 45 insertions(+), 43 deletions(-)
diff --git a/airflow/www/static/main.css b/airflow/www/static/main.css
index 2740a0d..c5008b8 100644
--- a/airflow/www/static/main.css
+++ b/airflow/www/static/main.css
@@ -224,6 +224,10 @@ div.square {
box-shadow: inset 0 6px 6px rgba(0, 0, 0, 0.4);
}
+.dag-doc {
+ margin-bottom: 15px;
+}
+
.hll { background-color: #ffffcc }
.c { color: #408080; font-style: italic } /* Comment */
.err { border: 1px solid #FF0000 } /* Error */
diff --git a/airflow/www/templates/airflow/chart.html
b/airflow/www/templates/airflow/chart.html
index 1fc3779..128364c 100644
--- a/airflow/www/templates/airflow/chart.html
+++ b/airflow/www/templates/airflow/chart.html
@@ -46,7 +46,7 @@
<input name="_csrf_token" type="hidden" value="{{ csrf_token() }}">
</form>
</div>
-<div style="clear: both;">{{ chart |safe }}</div>
+<div style="clear: both;">{{ chart }}</div>
<hr/>
{% endblock %}
diff --git a/airflow/www/templates/airflow/code.html
b/airflow/www/templates/airflow/code.html
index 522c8f4..a91975f 100644
--- a/airflow/www/templates/airflow/code.html
+++ b/airflow/www/templates/airflow/code.html
@@ -40,6 +40,6 @@
{% endif %}
{% if code_html %}
- {{ code_html|safe }}
+ {{ code_html }}
{% endif %}
{% endblock %}
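Review bot: Dropping `|safe` here only works if the view that builds `code_html` now hands the template a `Markup` object; that view is not in this diff (the views.py hunks wrap `html_code`, a different variable), so if it still returns a plain str the highlighted source will render as escaped HTML text instead of markup. Worth confirming the producer, or recording the contract in the template with `{# code_html must be Markup (pygments output is already escaped) — see the view #}`.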
diff --git a/airflow/www/templates/airflow/config.html
b/airflow/www/templates/airflow/config.html
index 0aedb17..f7786be 100644
--- a/airflow/www/templates/airflow/config.html
+++ b/airflow/www/templates/airflow/config.html
@@ -36,7 +36,7 @@
{% endif %}
{% if code_html %}
- {{ code_html|safe }}
+ {{ code_html }}
{% endif %}
<hr>
diff --git a/airflow/www/templates/airflow/dag.html
b/airflow/www/templates/airflow/dag.html
index 89d3ce0..67e32a3 100644
--- a/airflow/www/templates/airflow/dag.html
+++ b/airflow/www/templates/airflow/dag.html
@@ -369,8 +369,8 @@ function updateQueryStringParameter(uri, key, value) {
});
subdag_id = sd;
execution_date = d;
- $('#task_id').html(t);
- $('#execution_date').html(d);
+ $('#task_id').text(t);
+ $('#execution_date').text(d);
$('#myModal').modal({});
$("#myModal").css("margin-top","0px")
if (subdag_id === undefined)
@@ -428,7 +428,7 @@ function updateQueryStringParameter(uri, key, value) {
function call_modal_dag(dag) {
id = dag && dag.id;
execution_date = dag && dag.execution_date;
- $('#dag_id').html(dag_id);
+ $('#dag_id').text(dag_id);
$('#dagModal').modal({});
$("#dagModal").css("margin-top","0px");
}
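Review bot: `call_modal_dag` derives `id` from `dag.id` but then writes the page-level `dag_id` into the modal, so either the `id` assignment is dead or the wrong value is displayed; `id` and `execution_date` are also assigned without `var`, which makes them implicit globals. If the page-level variable is intended, drop the unused `id` line; otherwise use `$('#dag_id').text(id);`. Switching to `.text()` is the right call regardless, since these identifiers come from DAG definitions rather than from this template.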
diff --git a/airflow/www/templates/airflow/dag_code.html
b/airflow/www/templates/airflow/dag_code.html
index 05a5553..2649f72 100644
--- a/airflow/www/templates/airflow/dag_code.html
+++ b/airflow/www/templates/airflow/dag_code.html
@@ -26,7 +26,7 @@
<div class="active">
<a onclick="toggleWrap()">Toggle wrap</a>
</div>
- {{ html_code|safe }}
+ {{ html_code }}
{% endblock %}
{% block tail %}
diff --git a/airflow/www/templates/airflow/duration_chart.html
b/airflow/www/templates/airflow/duration_chart.html
index 392dc17..ff5d8ab 100644
--- a/airflow/www/templates/airflow/duration_chart.html
+++ b/airflow/www/templates/airflow/duration_chart.html
@@ -50,8 +50,8 @@
<input name="_csrf_token" type="hidden" value="{{ csrf_token() }}">
</form>
</div>
-<div id="dur_chart" style="clear: both;">{{ chart |safe }}</div>
-<div id="cum_dur_chart" style="clear: both;">{{ cum_chart | safe}}</div>
+<div id="dur_chart" style="clear: both;">{{ chart }}</div>
+<div id="cum_dur_chart" style="clear: both;">{{ cum_chart }}</div>
<hr/>
{% endblock %}
diff --git a/airflow/www/templates/airflow/gantt.html
b/airflow/www/templates/airflow/gantt.html
index a76b3851..f2bea89 100644
--- a/airflow/www/templates/airflow/gantt.html
+++ b/airflow/www/templates/airflow/gantt.html
@@ -33,7 +33,7 @@
Base date: {{ form.base_date(class_="form-control") }}
Number of runs: {{ form.num_runs(class_="form-control") }}
Run:<input type="hidden" value="{{ dag.dag_id }}" name="dag_id">
- {{ form.execution_date(class_="form-control") | safe }}
+ {{ form.execution_date(class_="form-control") }}
<input type="submit" value="Go" class="btn btn-default" action=""
method="get">
<input type="hidden" name="root" value="{{ root if root else '' }}">
<input name="_csrf_token" type="hidden" value="{{ csrf_token() }}">
@@ -57,7 +57,7 @@
var dag_id = '{{ dag.dag_id }}';
var task_id = '';
var execution_date = '';
- data = {{ data |tojson|safe }};
+ data = {{ data |tojson }};
var gantt = d3.gantt()
.taskTypes(data.taskNames)
.taskStatus(data.taskStatus)
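Review bot: `var dag_id = '{{ dag.dag_id }}';` a few lines above the converted `data` line still relies on HTML autoescaping inside a `<script>` block, where entities such as `&#39;` or `&lt;` are not decoded, so a dag_id containing a quote, `&` or `<` would produce a mangled JS string rather than a safely quoted one. The escaper that is correct in script context is the one already used for `data`: `var dag_id = {{ dag.dag_id|tojson }};` (Flask's `tojson` returns Markup, which is why `|safe` could be dropped). If dag_id is restricted to a safe character set upstream this is defence in depth rather than a live injection.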
diff --git a/airflow/www/templates/airflow/graph.html
b/airflow/www/templates/airflow/graph.html
index 0535bf8..dcbe4f9 100644
--- a/airflow/www/templates/airflow/graph.html
+++ b/airflow/www/templates/airflow/graph.html
@@ -32,7 +32,7 @@
{% block body %}
{{ super() }}
{% if doc_md %}
-<div class="rich_doc" style="margin-bottom: 15px;">{{ doc_md|safe }}</div>
+{{ doc_md }}
{% endif %}
<div class="form-inline">
<form method="get" style="float:left;">
@@ -40,9 +40,9 @@
Base date: {{ form.base_date(class_="form-control") }}
Number of runs: {{ form.num_runs(class_="form-control") }}
Run:
- {{ form.execution_date(class_="form-control") | safe }}
+ {{ form.execution_date(class_="form-control") }}
Layout:
- {{ form.arrange(class_="form-control") | safe }}
+ {{ form.arrange(class_="form-control") }}
<input type="hidden" name="root" value="{{ root }}">
<input type="hidden" value="{{ dag.dag_id }}" name="dag_id">
<input name="_csrf_token" type="hidden" value="{{ csrf_token() }}">
@@ -107,10 +107,10 @@
var upstream_color = "#2020A0";
var downstream_color = "#0000FF";
- var nodes = {{ nodes|tojson|safe }};
- var edges = {{ edges|tojson|safe }};
- var tasks = {{ tasks|tojson|safe }};
- var task_instances = {{ task_instances|tojson|safe }};
+ var nodes = {{ nodes|tojson }};
+ var edges = {{ edges|tojson }};
+ var tasks = {{ tasks|tojson }};
+ var task_instances = {{ task_instances|tojson }};
var execution_date = "{{ execution_date }}";
var arrange = "{{ arrange }}";
var g = dagreD3.json.decode(nodes, edges);
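Review bot: `var execution_date = "{{ execution_date }}";` and `var arrange = "{{ arrange }}";` directly under the converted `tojson` lines are still HTML-escaped string interpolations inside a `<script>` block; HTML entity escaping in JS context yields undecoded `&#34;`/`&lt;` sequences rather than a correctly quoted JS string. Use the same escaper as the data above: `var execution_date = {{ execution_date|tojson }};` and `var arrange = {{ arrange|tojson }};`. That these two values come from request arguments is inferred from the view, not visible in this hunk.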
diff --git a/airflow/www/templates/airflow/task.html
b/airflow/www/templates/airflow/task.html
index 2fe0b0e..fb53ca7 100644
--- a/airflow/www/templates/airflow/task.html
+++ b/airflow/www/templates/airflow/task.html
@@ -39,14 +39,11 @@
</tr>
{% endfor %}
</table>
- {% if html_code is defined %}
- {{ html_code|safe }}
- {% endif %}
</div>
<div>
{% for attr, value in special_attrs_rendered.items() %}
<h5>Attribute: {{ attr }}</h5>
- {{ value|safe }}
+ {{ value }}
{% endfor %}
<h5>Task Instance Attributes</h5>
<table class="table table-striped table-bordered">
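Review bot: `{{ value }}` now depends on every entry of `attr_renderer` returning `Markup`; that dict begins in the views.py hunk at `attr_renderer = {` but its body is outside this diff, so any renderer that still returns a plain str (one that bypasses `render`/`wrapped_markdown`) will show escaped HTML here. Worth a pass over that dict, and a template comment such as `{# values are Markup produced by attr_renderer in views.py #}`. Removing the `html_code` block presumably matches the `task` view no longer passing it, which this diff does not show.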
@@ -74,8 +71,5 @@
</tr>
{% endfor %}
</table>
- {% if html_code is defined %}
- {{ html_code|safe }}
- {% endif %}
</div>
{% endblock %}
diff --git a/airflow/www/templates/airflow/task_instance.html
b/airflow/www/templates/airflow/task_instance.html
index 2380a4b..e1e4819 100644
--- a/airflow/www/templates/airflow/task_instance.html
+++ b/airflow/www/templates/airflow/task_instance.html
@@ -35,7 +35,7 @@
{{ task_id }}
<input type="hidden" value="{{ dag.dag_id }}" name="dag_id">
</span>
- {{ form.execution_date(class_="form-control") | safe }}
+ {{ form.execution_date(class_="form-control") }}
</div>
</form>
diff --git a/airflow/www/templates/airflow/ti_code.html
b/airflow/www/templates/airflow/ti_code.html
index 7531a01..5ca5f59 100644
--- a/airflow/www/templates/airflow/ti_code.html
+++ b/airflow/www/templates/airflow/ti_code.html
@@ -25,6 +25,6 @@
<h4>{{ title }}</h4>
{% for k, v in html_dict.items() %}
<h5>{{ k }}</h5>
- {{ v|safe }}
+ {{ v }}
{% endfor %}
{% endblock %}
diff --git a/airflow/www/views.py b/airflow/www/views.py
index a069f17..93ec55e 100644
--- a/airflow/www/views.py
+++ b/airflow/www/views.py
@@ -236,20 +236,25 @@ def pygment_html_render(s, lexer=lexers.TextLexer):
def render(obj, lexer):
out = ""
if isinstance(obj, basestring):
- out += pygment_html_render(obj, lexer)
+ out += Markup(pygment_html_render(obj, lexer))
elif isinstance(obj, (tuple, list)):
for i, s in enumerate(obj):
- out += "<div>List item #{}</div>".format(i)
- out += "<div>" + pygment_html_render(s, lexer) + "</div>"
+ out += Markup("<div>List item #{}</div>".format(i))
+ out += Markup("<div>" + pygment_html_render(s, lexer) + "</div>")
elif isinstance(obj, dict):
for k, v in obj.items():
- out += '<div>Dict item "{}"</div>'.format(k)
- out += "<div>" + pygment_html_render(v, lexer) + "</div>"
+ out += Markup('<div>Dict item "{}"</div>'.format(k))
+ out += Markup("<div>" + pygment_html_render(v, lexer) + "</div>")
return out
-def wrapped_markdown(s):
- return '<div class="rich_doc">' + markdown.markdown(s) + "</div>"
+def wrapped_markdown(s, css_class=None):
+ if s is None:
+ return None
+
+ return Markup(
+ '<div class="rich_doc {css_class}" >' + markdown.markdown(s) + "</div>"
+ ).format(css_class=css_class)
attr_renderer = {
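Review bot: In the dict branch the key is interpolated before the string is wrapped, `Markup('<div>Dict item "{}"</div>'.format(k))`, so `k` is never escaped — a dict-typed templated field whose key contains `<` or `"` lands in the page as raw HTML. Format through Markup so it escapes the argument: `out += Markup('<div>Dict item "{}"</div>').format(k)`. The list branch is safe because `i` is an int, and the pygments fragments are wrapped on the assumption that the HtmlFormatter escapes token text, which the diff does not show but is the usual contract.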
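Review bot: In `wrapped_markdown` the rendered markdown is spliced into the format template before `.format()` runs, so any `{` or `}` in the DAG docs — a code snippet like `print({})` or a Jinja example — makes `str.format` raise and breaks the page, and when `css_class` is None the attribute becomes `class="rich_doc None"`. Pass the body as an argument instead, wrapped so it is not escaped: `return Markup('<div class="rich_doc {css_class}">{body}</div>').format(css_class=css_class or '', body=Markup(markdown.markdown(s)))`. This still deliberately trusts raw HTML in doc_md, which is defensible only because DAG file authors already execute code on the host; a docstring stating that trust boundary would help the next reader.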
@@ -694,15 +699,15 @@ class Airflow(AirflowViewMixin, BaseView):
dag_id = request.args.get('dag_id')
dag_orm = models.DagModel.get_dagmodel(dag_id, session=session)
code = DagCode.get_code_by_fileloc(dag_orm.fileloc)
- html_code = highlight(
- code, lexers.PythonLexer(), HtmlFormatter(linenos=True))
+ html_code = Markup(highlight(
+ code, lexers.PythonLexer(), HtmlFormatter(linenos=True)))
except Exception as e:
all_errors += (
"Exception encountered during " +
"dag_id retrieval/dag retrieval fallback/code
highlighting:\n\n{}\n".format(e)
)
- html_code = '<p>Failed to load file.</p><p>Details: {}</p>'.format(
+ html_code = Markup('<p>Failed to load file.</p><p>Details:
{}</p>').format(
escape(all_errors))
return self.render(
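Review bot: `escape(all_errors)` is redundant now that the message goes through `Markup(...).format()`, which escapes its arguments itself and leaves an already-`Markup` value untouched, so `.format(all_errors)` is enough and not double-escaped either way. The error text also embeds the caught exception, which can include the DAG file location; acceptable for an authenticated UI, but worth a one-line comment since the `try` this handler belongs to starts outside the hunk.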
@@ -819,8 +824,7 @@ class Airflow(AirflowViewMixin, BaseView):
if template_field in attr_renderer:
html_dict[template_field] =
attr_renderer[template_field](content)
else:
- html_dict[template_field] = (
- "<pre><code>" + str(content) + "</pre></code>")
+ html_dict[template_field] =
Markup("<pre><code>{}</pre></code>").format(str(content))
return self.render(
'airflow/ti_code.html',
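Review bot: The new line carries over the mis-nested closing tags from the old one: `Markup("<pre><code>{}</pre></code>")` closes `pre` before `code`. Browsers recover, but it should read `Markup("<pre><code>{}</code></pre>").format(str(content))`. The escaping itself is correct, since `Markup.format` escapes `content`.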
@@ -1741,7 +1745,7 @@ class Airflow(AirflowViewMixin, BaseView):
if not tasks:
flash("No tasks found", "error")
session.commit()
- doc_md = markdown.markdown(dag.doc_md) if hasattr(dag, 'doc_md') and
dag.doc_md else ''
+ doc_md = wrapped_markdown(getattr(dag, 'doc_md', None),
css_class='dag-doc')
external_logs = conf.get('elasticsearch', 'frontend')
return self.render(
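Review bot: The old line produced `''` for an empty `doc_md`, whereas `wrapped_markdown('')` now returns a non-empty `Markup` div, so `{% if doc_md %}` in graph.html becomes true and an empty `.dag-doc` box is emitted. Guard the empty case at the call site, `doc_md = wrapped_markdown(getattr(dag, 'doc_md', None) or None, css_class='dag-doc')`, or have `wrapped_markdown` treat any falsy input like None. The markdown output is raw DAG-author HTML that this change now marks safe; that trust decision deserves a comment on this line.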
@@ -1873,8 +1877,8 @@ class Airflow(AirflowViewMixin, BaseView):
demo_mode=conf.getboolean('webserver', 'demo_mode'),
root=root,
form=form,
- chart=chart.htmlcontent,
- cum_chart=cum_chart.htmlcontent
+ chart=Markup(chart.htmlcontent),
+ cum_chart=Markup(cum_chart.htmlcontent)
)
@expose('/tries')
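Review bot: `Markup(chart.htmlcontent)` declares the entire chart-library-generated fragment safe, including any series labels or identifiers embedded in it; if those derive from task or dag ids, the safety rests on the library's own escaping, which this diff does not show. A comment such as `# htmlcontent is library-generated HTML/JS; series labels are task_ids, trusted from DAG parse` would record the assumption, and the same applies to `cum_chart`. I have not verified how the chart library handles label text.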
@@ -1940,7 +1944,7 @@ class Airflow(AirflowViewMixin, BaseView):
demo_mode=conf.getboolean('webserver', 'demo_mode'),
root=root,
form=form,
- chart=chart.htmlcontent
+ chart=Markup(chart.htmlcontent)
)
@expose('/landing_times')