Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: turn off automatic escaping in session request templates #8007

Merged
merged 4 commits into from
Oct 9, 2024

Conversation

microamp
Copy link
Collaborator

@microamp microamp commented Oct 4, 2024

fixes #7993

Copy link

codecov bot commented Oct 4, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 88.84%. Comparing base (c7f6bde) to head (826accc).
Report is 91 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8007      +/-   ##
==========================================
+ Coverage   88.78%   88.84%   +0.06%     
==========================================
  Files         296      304       +8     
  Lines       41320    41541     +221     
==========================================
+ Hits        36687    36909     +222     
+ Misses       4633     4632       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@microamp microamp marked this pull request as ready for review October 7, 2024 02:40
Copy link
Member

@jennifer-richards jennifer-richards left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm a little concerned because this ends up outputting the user-provided person.name in an unescaped context. Since this is destined for plaintext email I think it's ok, but we should be careful.

@rjsparks
Copy link
Member

rjsparks commented Oct 9, 2024

If recipients honor the text/plain mime-type these are sent with, I don't think we have any concern (and we do use autoescape=off for most other templates that generate text for email.

But I think we should, separately, turn up the level of sanitization of user input for names - they can be blobs, but the blobs don't need to contain html, for example. I've been toying with comparing the various names stored in the datatracker (and names we derive from them) with bleach.clean(name,[],strip=True) and haven't found a case where we wouldn't want to have rejected the name if those came up different.

@rjsparks rjsparks merged commit f7e0a67 into ietf-tools:main Oct 9, 2024
9 checks passed
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 14, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

HTML vs UTF-8 in messages from scheduling tool
3 participants