feat(disclaimers): Split disclaimers #10902

Merged
merged 8 commits into from
Jan 23, 2025

Inc db-mig

564ccdc
DryRunSecurity / Cross-Site Scripting Analyzer succeeded Jan 21, 2025 in 30s

Cross-Site Scripting Analyzer Findings: 8 detected

⚠️ Potential Cross-Site Scripting dojo/templates/dojo/product_endpoint_pdf_report.html
Type Potential Cross-Site Scripting
Description The code is potentially vulnerable to XSS because it uses the safe filter to render the disclaimer variable without escaping. This means any HTML or JavaScript included in the disclaimer will be rendered directly, which could allow an attacker to inject malicious scripts.
Filename dojo/templates/dojo/product_endpoint_pdf_report.html
Code:
{% if include_disclaimer%}
<div style="background-color:#DADCE2; border:1px #003333; padding:.8em; ">
<span style="font-size:16pt; font-family: 'Cambria','times new roman','garamond',serif; color:#ff0000;">Disclaimer</span><br/>
<p style="font-size:11pt; line-height:10pt; font-family: 'Cambria','times roman',serif;">{{ disclaimer | safe }}</p>
</div>
{% endif %}
<div class="row">
⚠️ Potential Cross-Site Scripting dojo/templates/dojo/endpoint_pdf_report.html
Type Potential Cross-Site Scripting
Description The code is potentially vulnerable to XSS because it uses the safe filter to bypass Django's default escaping mechanism. This means that any user-supplied content in the disclaimer variable will be rendered as raw HTML without any sanitization, which could allow an attacker to inject malicious scripts.
Filename dojo/templates/dojo/endpoint_pdf_report.html
Code:
{% if include_disclaimer%}
<div style="background-color:#DADCE2; border:1px #003333; padding:.8em; ">
<span style="font-size:16pt; font-family: 'Cambria','times new roman','garamond',serif; color:#ff0000;">Disclaimer</span><br/>
<p style="font-size:11pt; line-height:10pt; font-family: 'Cambria','times roman',serif;">{{ disclaimer | safe }}</p>
</div>
{% endif %}
<div class="row">
⚠️ Potential Cross-Site Scripting dojo/templates/dojo/product_pdf_report.html
Type Potential Cross-Site Scripting
Description The code is potentially vulnerable to XSS because it uses the safe filter to bypass Django's default escaping mechanism. This means that any user-supplied content in the disclaimer variable will be rendered as raw HTML without any sanitization, which could allow an attacker to inject malicious scripts.
Filename dojo/templates/dojo/product_pdf_report.html
Code:
{% if include_disclaimer%}
<div style="background-color:#DADCE2; border:1px #003333; padding:.8em; ">
<span style="font-size:16pt; font-family: 'Cambria','times new roman','garamond',serif; color:#ff0000;">Disclaimer</span><br/>
<p style="font-size:11pt; line-height:10pt; font-family: 'Cambria','times roman',serif;">{{ disclaimer | safe }}</p>
</div>
{% endif %}
<div class="row">
⚠️ Potential Cross-Site Scripting dojo/templates/dojo/finding_pdf_report.html
Type Potential Cross-Site Scripting
Description The code is potentially vulnerable to XSS because it uses the safe filter to bypass Django's default escaping mechanism. This means that any user-supplied content in the disclaimer variable will be rendered as raw HTML without any sanitization, which could allow an attacker to inject malicious scripts.
Filename dojo/templates/dojo/finding_pdf_report.html
Code:
{% if include_disclaimer%}
<div style="background-color:#DADCE2; border:1px #003333; padding:.8em; ">
<span style="font-size:16pt; font-family: 'Cambria','times new roman','garamond',serif; color:#ff0000;">Disclaimer</span><br/>
<p style="font-size:11pt; line-height:10pt; font-family: 'Cambria','times roman',serif;">{{ disclaimer | safe }}</p>
</div>
{% endif %}
<div class="row">
⚠️ Potential Cross-Site Scripting dojo/templates/dojo/product_type_pdf_report.html
Type Potential Cross-Site Scripting
Description The code is potentially vulnerable to XSS because it uses the safe filter to bypass Django's default escaping mechanism. This means that any user-supplied content in the disclaimer variable will be rendered as raw HTML without sanitization, which could allow an attacker to inject malicious scripts.
Filename dojo/templates/dojo/product_type_pdf_report.html
Code:
{% if include_disclaimer%}
<div style="background-color:#DADCE2; border:1px #003333; padding:.8em; ">
<span style="font-size:16pt; font-family: 'Cambria','times new roman','garamond',serif; color:#ff0000;">Disclaimer</span><br/>
<p style="font-size:11pt; line-height:10pt; font-family: 'Cambria','times roman',serif;">{{ disclaimer | safe }}</p>
</div>
{% endif %}
<div class="row">
⚠️ Potential Cross-Site Scripting dojo/templates/dojo/custom_html_report.html
Type Potential Cross-Site Scripting
Description The code is potentially vulnerable to XSS because it uses the safe filter on the disclaimer variable, which bypasses Django's default escaping mechanism. If the disclaimer content is not properly sanitized before being passed to the template, it could allow malicious scripts to be injected and executed in the browser.
Filename dojo/templates/dojo/custom_html_report.html
Code:
{% block content %}
{{ block.super }}
<div class="container" id="html_report">
{% if include_disclaimer %}
<div style="background-color:#DADCE2; border:1px #003333; padding:.8em; ">
<span style="font-size:16pt; font-family: 'Cambria','times new roman','garamond',serif; color:#ff0000;">Disclaimer</span><br/>
<p style="font-size:11pt; line-height:10pt; font-family: 'Cambria','times roman',serif;">{{ disclaimer | safe }}</p>
</div>
{% endif %}
{% for widget in widgets %}
{{ widget.get_html }}
{% endfor %}
⚠️ Potential Cross-Site Scripting dojo/templates/dojo/engagement_pdf_report.html
Type Potential Cross-Site Scripting
Description The code is potentially vulnerable to XSS because it uses the safe filter to bypass Django's default escaping mechanism. This means that any user-supplied content in the disclaimer variable will be rendered as raw HTML without any sanitization, which could allow an attacker to inject malicious scripts.
Filename dojo/templates/dojo/engagement_pdf_report.html
Code:
{% if include_disclaimer%}
<div style="background-color:#DADCE2; border:1px #003333; padding:.8em; ">
<span style="font-size:16pt; font-family: 'Cambria','times new roman','garamond',serif; color:#ff0000;">Disclaimer</span><br/>
<p style="font-size:11pt; line-height:10pt; font-family: 'Cambria','times roman',serif;">{{ disclaimer | safe }}</p>
</div>
{% endif %}
<div class="row">
⚠️ Potential Cross-Site Scripting dojo/templates/dojo/test_pdf_report.html
Type Potential Cross-Site Scripting
Description The code is potentially vulnerable to XSS because it uses the safe filter to bypass Django's default escaping mechanism. This means that any user-supplied content in the disclaimer variable will be rendered as raw HTML without any sanitization, which could allow an attacker to inject malicious scripts.
Filename dojo/templates/dojo/test_pdf_report.html
Code:
{% if include_disclaimer%}
<div style="background-color:#DADCE2; border:1px #003333; padding:.8em; ">
<span style="font-size:16pt; font-family: 'Cambria','times new roman','garamond',serif; color:#ff0000;">Disclaimer</span><br/>
<p style="font-size:11pt; line-height:10pt; font-family: 'Cambria','times roman',serif;">{{ disclaimer | safe }}</p>
</div>
{% endif %}
<div class="row">