www.dashboard: fix XSS

gip-inclusion · Dec 18, 2024 · e828102 · e828102
1 parent 839bb29
commit e828102
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 4 deletions.
diff --git a/itou/common_apps/nir/forms.py b/itou/common_apps/nir/forms.py
@@ -1,6 +1,7 @@
 from django import forms
 from django.core.exceptions import NON_FIELD_ERRORS
 from django.forms import widgets
+from django.utils.html import format_html
 
 from itou.users.enums import LackOfNIRReason
 from itou.utils.urls import get_tally_form_url
@@ -50,9 +51,9 @@ def __init__(self, *args, editor=None, tally_form_query=None, **kwargs):
         tally_url = get_tally_form_url("wzxQlg")
         if tally_form_query is not None:
             tally_url += f"?{tally_form_query}"
-        tally_link = (
-            f'<a href="{tally_url}" target="_blank" rel="noopener">'
-            "Demander la correction du numéro de sécurité sociale</a>"
+        tally_link = format_html(
+            '<a href="{}" target="_blank" rel="noopener">Demander la correction du numéro de sécurité sociale</a>',
+            tally_url,
         )
 
         if self.initial.get("nir"):

diff --git a/tests/www/dashboard/test_edit_job_seeker_info.py b/tests/www/dashboard/test_edit_job_seeker_info.py
@@ -556,4 +556,4 @@ def test_xss(self, client):
         url = f"{url}?from_application={quote('"></a><blink>foobar</blink><a href="')}"
 
         response = client.get(url)
-        assertContains(response, "<blink>foobar</blink>", html=True)
+        assertNotContains(response, "<blink>foobar</blink>", html=True)