From e828102809a4fb347af17ddf2ee72b0bcd8bd3fd Mon Sep 17 00:00:00 2001
From: Xavier Fernandez
Date: Wed, 18 Dec 2024 09:57:44 +0100
Subject: [PATCH] www.dashboard: fix XSS

---
 itou/common_apps/nir/forms.py | 7 ++++---
 tests/www/dashboard/test_edit_job_seeker_info.py | 2 +-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/itou/common_apps/nir/forms.py b/itou/common_apps/nir/forms.py
index 68548740c0..fbd3bca7f6 100644
--- a/itou/common_apps/nir/forms.py
+++ b/itou/common_apps/nir/forms.py
@@ -1,6 +1,7 @@
 from django import forms
 from django.core.exceptions import NON_FIELD_ERRORS
 from django.forms import widgets
+from django.utils.html import format_html
 
 from itou.users.enums import LackOfNIRReason
 from itou.utils.urls import get_tally_form_url
@@ -50,9 +51,9 @@ def __init__(self, *args, editor=None, tally_form_query=None, **kwargs):
         tally_url = get_tally_form_url("wzxQlg")
         if tally_form_query is not None:
             tally_url += f"?{tally_form_query}"
-        tally_link = (
-            f''
-            "Demander la correction du numéro de sécurité sociale"
+        tally_link = format_html(
+            'Demander la correction du numéro de sécurité sociale',
+            tally_url,
         )
 
         if self.initial.get("nir"):
diff --git a/tests/www/dashboard/test_edit_job_seeker_info.py b/tests/www/dashboard/test_edit_job_seeker_info.py
index 67184b66f4..9de6b50c42 100644
--- a/tests/www/dashboard/test_edit_job_seeker_info.py
+++ b/tests/www/dashboard/test_edit_job_seeker_info.py
@@ -556,4 +556,4 @@ def test_xss(self, client):
         url = f"{url}?from_application={quote('">foobarfoobar", html=True)
+        assertNotContains(response, "foobar", html=True)
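Review bot: `format_html` only HTML-escapes `tally_url` when it substitutes it into the anchor; it does not URL-encode it, and the context line `tally_url += f"?{tally_form_query}"` still appends the caller-supplied query verbatim, so the parameter contract should be stated: add `# tally_form_query must already be URL-encoded by the caller; it is only HTML-escaped when rendered` next to the `tally_form_query` parameter or the concatenation line. `format_html` also returns a `SafeString`, so if `tally_link` is later merged into other text with an f-string or `%` instead of another `format_html` call, the safe marking is dropped and the anchor is emitted as escaped text. The body of `__init__` continues outside the hunk, so where `tally_link` is consumed cannot be checked here, and the anchor markup itself has been stripped from this rendering of the patch.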
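Review bot: The new assertion on the last line of `test_xss` is negative only, so the test still passes if the page does not render the NIR link at all (for instance a redirect or the form-error branch not being reached), which would hide a regression of the escaping. Pair it with a positive check that the injected value is reflected in escaped form, using `django.utils.html.escape` on the same payload string passed to `quote(...)`, e.g. `assertContains(response, escape(payload))`. The line holding the payload and the removed assertion are garbled in this rendering, so the exact injected string is not visible here.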