Merge pull request from GHSA-92x4-vfjf-rmf7
parent
c8988bac8a
commit
89fa546a14
@ -1,4 +1,5 @@
|
|||||||
import json
|
import json
|
||||||
|
import urllib.parse
|
||||||
import uuid
|
import uuid
|
||||||
|
|
||||||
from django.conf import settings
|
from django.conf import settings
|
||||||
@ -28,7 +29,7 @@ from netbox.models.features import (
|
|||||||
CloningMixin, CustomFieldsMixin, CustomLinksMixin, ExportTemplatesMixin, JobResultsMixin, TagsMixin, WebhooksMixin,
|
CloningMixin, CustomFieldsMixin, CustomLinksMixin, ExportTemplatesMixin, JobResultsMixin, TagsMixin, WebhooksMixin,
|
||||||
)
|
)
|
||||||
from utilities.querysets import RestrictedQuerySet
|
from utilities.querysets import RestrictedQuerySet
|
||||||
from utilities.utils import render_jinja2
|
from utilities.utils import clean_html, render_jinja2
|
||||||
|
|
||||||
__all__ = (
|
__all__ = (
|
||||||
'ConfigRevision',
|
'ConfigRevision',
|
||||||
@ -273,6 +274,18 @@ class CustomLink(CloningMixin, ExportTemplatesMixin, WebhooksMixin, ChangeLogged
|
|||||||
link = render_jinja2(self.link_url, context)
|
link = render_jinja2(self.link_url, context)
|
||||||
link_target = ' target="_blank"' if self.new_window else ''
|
link_target = ' target="_blank"' if self.new_window else ''
|
||||||
|
|
||||||
|
# Sanitize link text
|
||||||
|
allowed_schemes = get_config().ALLOWED_URL_SCHEMES
|
||||||
|
text = clean_html(text, allowed_schemes)
|
||||||
|
|
||||||
|
# Sanitize link
|
||||||
|
link = urllib.parse.quote_plus(link, safe='/:?&')
|
||||||
|
|
||||||
|
# Verify link scheme is allowed
|
||||||
|
result = urllib.parse.urlparse(link)
|
||||||
|
if result.scheme and result.scheme not in allowed_schemes:
|
||||||
|
link = ""
|
||||||
|
|
||||||
return {
|
return {
|
||||||
'text': text,
|
'text': text,
|
||||||
'link': link,
|
'link': link,
|
||||||
|
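Review bot: `urllib.parse.quote_plus(link, safe='/:?&')` on the new "Sanitize link" line percent-encodes `=` and `#`, so a rendered link such as `?q=1` becomes `?q%3D1` and any fragment is broken; it also turns spaces into `+` and re-encodes an already-encoded `%` (`%20` becomes `%2520`). Widening the safe set to `safe='/:?&=#'` keeps the attribute-breaking characters (`"`, `'`, `<`, `>`) encoded and the scheme check below still rejects `javascript:` and every other scheme not in `ALLOWED_URL_SCHEMES`, so the intent of the fix is preserved; the double-encoding of `%` deserves a regression test either way. `get_config()` is called on the new "Sanitize link text" line but no import for it appears in the import hunks above, which is fine only if this module already imports it (not visible here); otherwise the first render raises NameError. A disallowed scheme is silently replaced with `link = ""`, so a warning-level log line carrying the custom link's id and the rejected scheme would let operators notice attempts to inject a disallowed scheme instead of just seeing an empty link. The enclosing method starts outside the hunk.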