Fix XSS js injection

2017-11-17 15:23:25 +01:00
parent f1a47e7766
commit 971cde093c
4 changed files with 11 additions and 9 deletions
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -25,6 +25,7 @@ Fixed
  if the user dn was not found. This was causing the exception
  ``'NoneType' object has no attribute 'getitem'`` describe in #21
 * Increase the max size of usernames (30 chars to 250)
+* Fix XSS js injection



--- a/cas_server/templates/cas_server/base.html
+++ b/cas_server/templates/cas_server/base.html
@@ -58,7 +58,7 @@
                        class="alert alert-danger"
                    {% endif %}
                {% endspaceless %}>
-                    <p>{{message|safe}}</p>
+                    <p>{{message}}</p>
                </div>
            {% endfor %}
            {% if auto_submit %}</noscript>{% endif %}
--- a/cas_server/templates/cas_server/logout.html
+++ b/cas_server/templates/cas_server/logout.html
@@ -2,6 +2,6 @@
 {% load staticfiles %}
 {% load i18n %}
 {% block content %}
-<div class="alert alert-success" role="alert">{{logout_msg|safe}}</div>
+<div class="alert alert-success" role="alert">{{logout_msg}}</div>
 {% endblock %}

--- a/cas_server/views.py
+++ b/cas_server/views.py
@@ -23,6 +23,7 @@ from django.views.decorators.csrf import csrf_exempt
 from django.middleware.csrf import CsrfViewMiddleware
 from django.views.generic import View
 from django.utils.encoding import python_2_unicode_compatible
+from django.utils.safestring import mark_safe

 import re
 import logging
@@ -181,24 +182,24 @@ class LogoutView(View, LogoutMixin):
        else:
            # build logout message depending of the number of sessions the user logs out
            if session_nb == 1:
-                logout_msg = _(
+                logout_msg = mark_safe(_(
                    "<h3>Logout successful</h3>"
                    "You have successfully logged out from the Central Authentication Service. "
                    "For security reasons, close your web browser."
-                )
+                ))
            elif session_nb > 1:
-                logout_msg = _(
+                logout_msg = mark_safe(_(
                    "<h3>Logout successful</h3>"
-                    "You have successfully logged out from %s sessions of the Central "
+                    "You have successfully logged out from %d sessions of the Central "
                    "Authentication Service. "
                    "For security reasons, close your web browser."
-                ) % session_nb
+                ) % session_nb)
            else:
-                logout_msg = _(
+                logout_msg = mark_safe(_(
                    "<h3>Logout successful</h3>"
                    "You were already logged out from the Central Authentication Service. "
                    "For security reasons, close your web browser."
-                )
+                ))

            # depending of settings, redirect to the login page with a logout message or display
            # the logout page. The default is to display tge logout page.