feat: add escape for all template output

2024-01-09 13:49:55 +08:00 · 2024-01-09 13:49:55 +08:00 · 9f63bab551
parent 2159c68688
commit 9f63bab551
7 changed files with 10 additions and 10 deletions
--- a/admin_frontend/templates/components/admin_sso_list.html
+++ b/admin_frontend/templates/components/admin_sso_list.html
@ -15,13 +15,13 @@
        <button
          class="button cyan"
          hx-target="#sso-list"
-          hx-get="/web/components/admin/sso/{{ sso_provider.id }}"
+          hx-get="/web/components/admin/sso/{{ sso_provider.id|escape }}"
        >
          More Info
        </button>
        <button
          class="deletUserBtn button red"
-          hx-delete="/web-api/admin/sso/{{ sso_provider.id }}"
+          hx-delete="/web-api/admin/sso/{{ sso_provider.id|escape }}"
          hx-confirm="Are you sure?"
          hx-target="closest tr"
          hx-swap="delete"
--- a/admin_frontend/templates/components/admin_top_menu_bar.html
+++ b/admin_frontend/templates/components/admin_top_menu_bar.html
@ -8,7 +8,7 @@
      hx-get="/web/components/user/user"
      class="button red"
    >
-      {{ user.email }}
+      {{ user.email|escape }}
    </div>
  </div>

--- a/admin_frontend/templates/components/admin_users.html
+++ b/admin_frontend/templates/components/admin_users.html
@ -14,13 +14,13 @@
        <button
          class="button cyan"
          hx-target="#admin-users"
-          hx-get="/web/components/admin/users/{{ user.id }}"
+          hx-get="/web/components/admin/users/{{ user.id|escape }}"
        >
          More Info
        </button>
        <button
          class="deletUserBtn button red"
-          hx-delete="/web-api/admin/user/{{ user.id }}"
+          hx-delete="/web-api/admin/user/{{ user.id|escape }}"
          hx-confirm="Are you sure?"
          hx-target="closest tr"
          hx-swap="delete"
--- a/admin_frontend/templates/components/top_menu_bar.html
+++ b/admin_frontend/templates/components/top_menu_bar.html
@ -8,7 +8,7 @@
      hx-get="/web/components/user/user"
      class="button cyan"
    >
-      {{ user.email }}
+      {{ user.email|escape }}
    </div>
  </div>

--- a/admin_frontend/templates/components/user_details.html
+++ b/admin_frontend/templates/components/user_details.html
@ -2,7 +2,7 @@
  <p>Email: {{ user.email|escape }}</p>
  <p>Role: {{ user.role|escape }}</p>
  <p>Phone: {{ user.phone|escape }}</p>
-  <p>Email Confirmed At: {{ user.email_confirmed_at|default("-") }}</p>
+  <p>Email Confirmed At: {{ user.email_confirmed_at|default("-")|escape }}</p>
  <p>Phone Confirmed At: {{ user.phone_confirmed_at|default("-")|escape }}</p>
  <p>Last Sign In At: {{ user.last_sign_in_at|default("-")|escape }}</p>
  <p>Created At: {{ user.created_at|escape }}</p>
--- a/admin_frontend/templates/layouts/base.html
+++ b/admin_frontend/templates/layouts/base.html
@ -4,7 +4,7 @@
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <link href="/assets/base.css" rel="stylesheet" />
    <link href="/assets/message.css" rel="stylesheet" />
-    <title>{% block title %}{{ title }}{% endblock %}</title>
+    <title>{% block title %}{{ title|escape }}{% endblock %}</title>
    <script
      src="https://unpkg.com/htmx.org@1.9.6"
      integrity="sha384-FhXw7b6AlE/jyjlZH5iHa/tTe9EpJ1Y55RjcgPbjeWMskSxZt1v9qkxLJWNJaGni"
--- a/admin_frontend/templates/pages/login.html
+++ b/admin_frontend/templates/pages/login.html
@ -75,10 +75,10 @@
      {% for provider in oauth_providers %}
      <div class="oauth-icon">
        <a
-          href="/gotrue/authorize?provider={{ provider }}&redirect_to=/web/login"
+          href="/gotrue/authorize?provider={{ provider|escape }}&redirect_to=/web/login"
        >
          <div
-            hx-get="../assets/{{ provider }}/logo.html"
+            hx-get="../assets/{{ provider/escape }}/logo.html"
            hx-trigger="load"
            hx-swap="outerHTML"
          ></div>