Skip to content

Do not escape org name twice#6550

Merged
zenmonkeykstop merged 1 commit intodevelopfrom
6357-fix-double-escape
Sep 21, 2022
Merged

Do not escape org name twice#6550
zenmonkeykstop merged 1 commit intodevelopfrom
6357-fix-double-escape

Conversation

@eaon
Copy link
Contributor

@eaon eaon commented Sep 19, 2022

Description of Changes

If InstanceConfig.organization_name is escaped before writing it to the database, we'd need to mark every use of it in the templates as | safe, which is more dubious than not escaping the database entry in the first place.

Fixes #6357

Testing

  • Log into JI with an admin user
  • Navigate to the Instance Configuration interface
  • Change the instance name to something that would be escaped (for example &s or ümläüts) and click Set Organization Name
  • When you get the Preferences saved. notification, none of the characters of the name you submitted are double-escaped
  • Navigate to the SI and verify the correct name is shown in the title

Checklist

  • I have written a test plan and validated it for this PR
  • These changes do not require documentation

@eaon eaon force-pushed the 6357-fix-double-escape branch from 553b89b to ed1196c Compare September 19, 2022 18:52
@eaon eaon marked this pull request as ready for review September 19, 2022 18:57
@eaon eaon requested a review from a team as a code owner September 19, 2022 18:57
@eaon eaon marked this pull request as draft September 19, 2022 19:12
@eaon
Do not escape org name twice
71a8b05 
If the entry is escaped, we'd need to mark every use of it in the
templates as `| safe` which is more dubious than not escaping the
database entry in the first place.

Fixes #6357
@eaon eaon force-pushed the 6357-fix-double-escape branch from ed1196c to 71a8b05 Compare September 19, 2022 19:43
@eaon eaon marked this pull request as ready for review September 19, 2022 20:05
@zenmonkeykstop zenmonkeykstop self-assigned this Sep 19, 2022
zenmonkeykstop
zenmonkeykstop approved these changes Sep 21, 2022
View reviewed changes
Copy link
Contributor

@zenmonkeykstop zenmonkeykstop left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Test plan checks out, made a couple of attempts to try SQL injections which were shrugged off by SQLAlchemy without fuss!

@zenmonkeykstop zenmonkeykstop merged commit bee977b into develop Sep 21, 2022
@zenmonkeykstop zenmonkeykstop deleted the 6357-fix-double-escape branch September 21, 2022 15:18
@zenmonkeykstop zenmonkeykstop added this to the 2.5.0 milestone Sep 21, 2022
@cfm cfm mentioned this pull request Oct 13, 2022
Closed
@eaon eaon mentioned this pull request Oct 18, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zenmonkeykstop zenmonkeykstop zenmonkeykstop approved these changes

Assignees

@zenmonkeykstop zenmonkeykstop

Labels

None yet

Projects

None yet

Milestone

2.5.0

Development

Successfully merging this pull request may close these issues.

Organization name gets escaped twice

2 participants

@eaon @zenmonkeykstop