From: Daniel Axtens Date: Fri, 5 Jul 2019 01:30:28 +0000 (+1000) Subject: templatetags: Do not mark output of msgid tag as safe X-Git-Tag: v2.1.4~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c400741bae2477d8329a24b3498d059c28ced0d6;p=thirdparty%2Fpatchwork.git templatetags: Do not mark output of msgid tag as safe The msgid template tag exists to remove angle brackets from either side of the Message-ID header. It also marks its output as safe, meaning it does not get autoescaped by Django templating. Its output is not safe. A maliciously crafted email can include HTML tags inside the Message-ID header, and as long as the angle brackets are not at the start and end of the header, we will quite happily render them. Rather than using mark_safe(), use escape() to explicitly escape the Message-ID. Signed-off-by: Andrew Donnellan (backported from 133a6c90e9826376be0f12f2ae6c2d7b076bdba0) Signed-off-by: Daniel Axtens --- diff --git a/patchwork/templatetags/patch.py b/patchwork/templatetags/patch.py index 4350e092..577c7837 100644 --- a/patchwork/templatetags/patch.py +++ b/patchwork/templatetags/patch.py @@ -21,6 +21,7 @@ from __future__ import absolute_import from django import template +from django.utils.html import escape from django.utils.safestring import mark_safe from django.template.defaultfilters import stringfilter @@ -65,4 +66,4 @@ def state_class(state): @register.filter @stringfilter def msgid(value): - return mark_safe(value.strip('<>')) + return escape(value.strip('<>'))
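Review bot: in the first hunk, the `mark_safe` import is left in place although the only use visible in this diff (the return in `msgid`) is being replaced by `escape()`; check whether `from django.utils.safestring import mark_safe` is still referenced elsewhere in patch.py and, if not, drop it in the same change so linters do not flag an unused import.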
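Review bot: the second hunk lacks a regression test for the behaviour the commit message describes; `escape()` HTML-escapes the stripped value and returns it as a safe string, so Django will neither render injected tags nor double-escape the result, but a test that passes a constructed Message-ID such as `<a<b>c>` through the `msgid` filter and asserts the output is `a&lt;b&gt;c` (not `a<b>c`) would pin that down and guard against someone reintroducing `mark_safe()` later.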