fix: Fallback page names were not escaped by fsbraun · Pull Request #8113 · django-cms/django-cms · GitHub

fix: Fallback page names were not escaped #8113


Merged
merged 1 commit into from
Jan 22, 2025

Conversation

fsbraun
Member
@fsbraun fsbraun commented Jan 16, 2025

Description

In the page tree, fallback page names were not escaped.

Related resources

  • #...
  • #...

Checklist

  • I have opened this pull request against develop-4
  • I have added or modified the tests when changing logic
  • I have followed the conventional commits guidelines to add meaningful information into the changelog
  • I have read the contribution guidelines and I have joined the channel #pr-reviews on our Discord Server to find a “pr review buddy” who is going to review my pull request.

Summary by Sourcery

Bug Fixes:

  • Escape fallback page names to prevent XSS vulnerabilities.

Contributor
sourcery-ai bot commented Jan 16, 2025

Reviewer's Guide by Sourcery

This pull request fixes a bug where fallback page names were not escaped in the page tree. The change involves escaping the title of fallback pages using the escape function before displaying them. This prevents potential XSS vulnerabilities.

Flow diagram for page name processing

```mermaid
graph TD
    A[Get page name] --> B{Is title available?}
    B -->|Yes| C{Same language?}
    B -->|No| D[Use slug]
    D --> E{Slug exists?}
    E -->|Yes| C
    E -->|No| F[Use 'Empty']
    F --> C
    C -->|Yes| G[Return title as-is]
    C -->|No| H[Escape title]
    H --> I[Format with language]
    I --> J[Return formatted title]
```

File-Level Changes

Change: Escape fallback page names

Details:
  • Added a call to the escape function to escape the title of fallback pages before displaying them in the page tree.
  • Ensured that fallback page titles are properly escaped to prevent XSS vulnerabilities when rendering the page tree in the admin interface.
  • Updated the get_page_display_name template tag to escape fallback page names when the language of the fallback page content does not match the current language.

Files: cms/templatetags/cms_admin.py


Contributor
@sourcery-ai sourcery-ai bot left a comment


Hey @fsbraun - I've reviewed your changes - here's some feedback:

Overall Comments:

  • Please add tests to verify the escaping behavior to prevent future regressions of this security fix.
  • The PR checklist items are not checked - please ensure you're targeting the correct branch (develop-4) and following the conventional commits guidelines.

Here's what I looked at during the review
  • 🟢 General issues: all looks good
  • 🟢 Security: all looks good
  • 🟢 Testing: all looks good
  • 🟢 Complexity: all looks good
  • 🟢 Documentation: all looks good

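The following is an added, self-contained model of the behaviour the Reviewer's Guide diagram describes and of the regression check the second review comment asks for; it is not django-cms code. The `PageContent` dataclass, the two `display_name_*` functions, `contains_raw_markup` and the sample titles are constructed for this illustration, and the standard-library `html.escape(quote=True)` stands in for `django.utils.html.escape` (both replace the same five characters: `&`, `<`, `>`, `"`, `'`). It assumes, as the diagram implies, that only the fallback branch builds a pre-formatted HTML fragment while the same-language branch returns a plain string that the template layer autoescapes.

```python
# Added illustration of the fix discussed in django-cms PR #8113; not project code.
# "PageContent", the display_name_* functions and the sample titles are assumed names.
import html
from dataclasses import dataclass
from typing import Optional

EMPTY_TITLE = "Empty"  # placeholder the flow diagram uses when neither title nor slug exists


@dataclass
class PageContent:
    """Minimal stand-in for a page's content object in one language (assumed shape)."""
    title: Optional[str]
    slug: Optional[str]
    language: str


def raw_page_name(content: PageContent) -> str:
    """Title if available, else slug, else the 'Empty' placeholder (diagram nodes A..F)."""
    if content.title:
        return content.title
    if content.slug:
        return content.slug
    return EMPTY_TITLE


def display_name_before_fix(content: PageContent, current_language: str) -> str:
    """Pre-fix behaviour: the fallback branch interpolates the raw title into an
    HTML fragment that is emitted as already-safe markup, so tag delimiters and
    quotes in the title reach the browser unescaped."""
    name = raw_page_name(content)
    if content.language == current_language:
        return name  # plain string; autoescaped later by the template engine
    return f"{name} ({content.language})"


def display_name_after_fix(content: PageContent, current_language: str) -> str:
    """Fixed behaviour: escape the fallback title before formatting it (nodes H..J).
    html.escape(quote=True) escapes the same characters as django.utils.html.escape."""
    name = raw_page_name(content)
    if content.language == current_language:
        return name
    return f"{html.escape(name, quote=True)} ({content.language})"


def contains_raw_markup(fragment: str) -> bool:
    """Regression check: a fragment meant to be safe HTML must carry no raw tag delimiters."""
    return "<" in fragment or ">" in fragment


# Constructed samples: pages viewed by an English-language admin user.
GERMAN_ONLY = PageContent(title='Start <i>page</i> & "more"', slug="start", language="de")
SLUG_ONLY = PageContent(title=None, slug="<b>", language="de")
NOTHING = PageContent(title=None, slug=None, language="fr")

if __name__ == "__main__":
    for content in (GERMAN_ONLY, SLUG_ONLY, NOTHING):
        before = display_name_before_fix(content, "en")
        after = display_name_after_fix(content, "en")
        print(f"before: {before!r:50} raw markup: {contains_raw_markup(before)}")
        print(f"after:  {after!r:50} raw markup: {contains_raw_markup(after)}")
```

Escape exactly once, at the point where the string becomes HTML: in Django, `escape()` returns a `SafeString`, so a template's autoescape will not encode the fallback fragment a second time, while the same-language branch is left to the template engine as before. `contains_raw_markup` is the kind of cheap assertion a unit test for this tag can run over titles containing `<`, `>`, `&` and quotes to catch a regression.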

@fsbraun fsbraun requested a review from a team January 16, 2025 17:38
@fsbraun fsbraun merged commit 4632949 into django-cms:develop-4 Jan 22, 2025
54 checks passed
@fsbraun fsbraun deleted the fix/unescaped-page-name branch January 22, 2025 08:11
fsbraun added a commit to fsbraun/django-cms that referenced this pull request Jan 22, 2025