diff --git a/swh/web/browse/utils.py b/swh/web/browse/utils.py
--- a/swh/web/browse/utils.py
+++ b/swh/web/browse/utils.py
@@ -12,6 +12,7 @@
 from django.core.cache import cache
 from django.utils.safestring import mark_safe
+from django.utils.html import escape
 from importlib import reload
@@ -489,7 +490,8 @@
 attrs += '%s="%s" ' % (k, v)
 if not link_text:
 link_text = url
- link = '%s' % (attrs, url, link_text)
+ link = '%s' \
+ % (escape(attrs), escape(url), escape(link_text))
 return mark_safe(link)
@@ -923,7 +925,7 @@
 if not snapshot_id:
 raise NotFoundExc('No snapshot associated to the visit of origin '
- '%s on %s' % (origin_url, fmt_date))
+ '%s on %s' % (escape(origin_url), fmt_date))
 # provided timestamp is not necessarily equals to the one
 # of the retrieved visit, so get the exact one in order
diff --git a/swh/web/common/exc.py b/swh/web/common/exc.py
--- a/swh/web/common/exc.py
+++ b/swh/web/common/exc.py
@@ -58,7 +58,7 @@
 return render(request, 'error.html',
 {'error_code': error_code,
 'error_message': http_status_code_message[error_code],
- 'error_description': mark_safe(error_description)},
+ 'error_description': error_description},
 status=error_code)
@@ -116,7 +116,8 @@
 if isinstance(exc, NotFoundExc):
 error_code = 404
 if html_response:
- return _generate_error_page(request, error_code, error_description)
+ return _generate_error_page(request, error_code,
+ mark_safe(error_description))
 else:
 return HttpResponse(error_description, content_type='text/plain',
 status=error_code)
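Review bot: `escape(attrs)` on the new `link =` line runs the whole assembled attribute string through escape(), so the `"` quotes that `attrs += '%s="%s" ' % (k, v)` emitted become `&quot;` and the attribute markup reaches the browser mangled. Escape the pieces where they are appended instead, `attrs += '%s="%s" ' % (escape(k), escape(v))`, interpolate `attrs` as-is, and keep escape() only for `url` and `link_text`. If any caller already passes pre-rendered markup as `link_text`, `escape()` double-escapes it; `django.utils.html.conditional_escape` (or building the tag with `format_html`) leaves SafeData alone. The format string as shown here has a single `%s` for a three-tuple, which looks like the tag text was stripped by the page renderer, so the exact template cannot be checked from this view; gen_link's signature and the attribute loop start above the hunk.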
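Review bot: `escape(origin_url)` bakes HTML escaping into the exception message itself, but handle_view_exception in the exc.py hunk of this diff also returns `error_description` as `text/plain`, so the non-HTML response will now carry entities such as `&amp;` inside the origin URL. Escaping belongs to the output context rather than the message; do it once where the HTML page is built and leave this raise site as `'%s on %s' % (origin_url, fmt_date)`. Other NotFoundExc raise sites that interpolate request-derived values are not touched here, so per-site escaping also stays incomplete. The enclosing function starts and ends outside the hunk.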
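Review bot: `mark_safe(error_description)` in the `html_response` branch still declares every exception message safe HTML regardless of where it was built, so any view that raises with an unescaped request-controlled value is rendered verbatim; the single escape() added in browse/utils.py in this diff covers one message only. If some descriptions are meant to carry markup, pass `conditional_escape(error_description)` here so a SafeString produced deliberately at a raise site passes through while anything else is escaped, and let error.html's autoescaping do the rest; otherwise drop the mark_safe and hand the plain `error_description` to `_generate_error_page`, which the previous hunk no longer marks safe. The enclosing function starts above the hunk.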