From 04fb0552a6e62d46af9ccd757a8bc1a6f7f745d6 Mon Sep 17 00:00:00 2001
From: aryanshridhar
Date: Thu, 18 Mar 2021 23:32:20 +0530
Subject: [PATCH] analytics: escape HTML correctly when generating links.

Wrapped the html text within html.escape function to convert special characters into HTML-safe string while generating link.
---
 analytics/views.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/analytics/views.py b/analytics/views.py
index 7abf458c6a..342a7a33a4 100644
--- a/analytics/views.py
+++ b/analytics/views.py
@@ -6,6 +6,7 @@ import urllib
 from collections import defaultdict
 from datetime import datetime, timedelta, timezone
 from decimal import Decimal
+from html import escape
 from typing import Any, Callable, Dict, List, Optional, Sequence, Set, Tuple, Type, Union
 from urllib.parse import urlencode
@@ -1559,25 +1560,25 @@ def format_date_for_activity_reports(date: Optional[datetime]) -> str:
 def user_activity_link(email: str) -> mark_safe:
 url = reverse(get_user_activity, kwargs=dict(email=email))
- email_link = f'{email}'
+ email_link = f'{escape(email)}'
 return mark_safe(email_link)
 def realm_activity_link(realm_str: str) -> mark_safe:
 url = reverse(get_realm_activity, kwargs=dict(realm_str=realm_str))
- realm_link = f'{realm_str}'
+ realm_link = f'{escape(realm_str)}'
 return mark_safe(realm_link)
 def realm_stats_link(realm_str: str) -> mark_safe:
 url = reverse(stats_for_realm, kwargs=dict(realm_str=realm_str))
- stats_link = f'{realm_str}'
+ stats_link = f'{escape(realm_str)}'
 return mark_safe(stats_link)
 def remote_installation_stats_link(server_id: int, hostname: str) -> mark_safe:
 url = reverse(stats_for_remote_installation, kwargs=dict(remote_server_id=server_id))
- stats_link = f'{hostname}'
+ stats_link = f'{escape(hostname)}'
 return mark_safe(stats_link)
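Review bot: Each of the four added lines escapes only the link text and then hands a hand-assembled string to `mark_safe`, so any other value interpolated into the same f-string (the `url` computed on the line above, at minimum) bypasses escaping entirely; the f-strings as shown here appear to have lost their anchor markup in extraction, so the exact template is inferred. Django's `format_html` escapes every argument and already returns a `SafeString`, which removes both the manual `escape` call and the `mark_safe` wrapper: `return format_html('<a href="{}">{}</a>', url, email)` in `user_activity_link`, and the same shape for the other three helpers. The `-> mark_safe` annotations on the context lines name a function rather than a type; `-> str` (or Django's `SafeString`) would be the honest return annotation, and a one-line docstring such as `"""Return an HTML anchor to the user-activity page; the caller treats it as trusted markup."""` would make the trust boundary explicit. The second hunk's trailing blank lines are not visible here, so whether `remote_installation_stats_link` ends inside the hunk cannot be confirmed from this view.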