From ea7abc28f90991cc73becd8e67d0621f62979d6a Mon Sep 17 00:00:00 2001
From: "pooya.oa"
Date: Wed, 1 Jun 2022 12:57:54 +0200
Subject: [PATCH] protect against xss atack
---
 ckanext/dataset_reference/controllers/link_reference.py | 5 ++++-
 ckanext/dataset_reference/libs/helper.py | 3 ++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/ckanext/dataset_reference/controllers/link_reference.py b/ckanext/dataset_reference/controllers/link_reference.py
index 61ae143..6232442 100644
--- a/ckanext/dataset_reference/controllers/link_reference.py
+++ b/ckanext/dataset_reference/controllers/link_reference.py
@@ -1,8 +1,9 @@
 # encoding: utf-8
-from flask import redirect, request, render_template
+from flask import redirect, request, render_template, Markup, escape
 from sqlalchemy.sql.expression import false, true
 from sqlalchemy.sql.operators import all_op
+from yaml import Mark
 import ckan.lib.helpers as h
 import ckan.plugins.toolkit as toolkit
 from ckanext.dataset_reference.models.package_reference_link import PackageReferenceLink
@@ -89,6 +90,8 @@ def get_publication(name):
 return_rows += Helper.create_table_row(meta_data, source.id, Helper.check_access_edit_package(package['id']))
 if return_rows != "":
+ return_rows = return_rows.replace("", "")
 return return_rows
 return '0'
diff --git a/ckanext/dataset_reference/libs/helper.py b/ckanext/dataset_reference/libs/helper.py
index b57e46d..1a1a325 100644
--- a/ckanext/dataset_reference/libs/helper.py
+++ b/ckanext/dataset_reference/libs/helper.py
@@ -11,6 +11,7 @@ from ckanext.dataset_reference.libs.citation_formatter import CitationFromatter
 from datetime import datetime as _time
 from bibtexparser.bparser import BibTexParser
+from flask import Markup
 Base_doi_api_url = "http://dx.doi.org/"
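Review bot: `from yaml import Mark` in the new import block of link_reference.py is not referenced by anything in this patch and reads like an editor autocompletion of `Markup`; it also pulls PyYAML into the controller module for no purpose, so that line should be dropped. `escape` is imported on the same line but is not used in either visible hunk of this file — if nothing else in the file uses it, it is the primitive that should replace the post-hoc `replace` filtering further down rather than sit unused. Flask's re-export of `Markup` and `escape` is deprecated in newer Flask releases; `from markupsafe import Markup, escape` is the stable spelling.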
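Review bot: The added `return_rows = return_rows.replace(...)` in `get_publication` (its string arguments appear lost to extraction here, and the hunk header counts two added lines where one is visible) filters already-assembled HTML with a denylist, which is not a dependable XSS control: it matches only the exact substrings it names, and any markup it does not name passes through unchanged. The reliable fix is to escape the untrusted values where they are interpolated into markup in `Helper.create_table_row` (or to render the rows through a template with autoescaping enabled) and delete this line. Keeping it alongside proper escaping is cheap but obscures where the real trust boundary is. `get_publication` starts and ends outside this hunk.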
@@ -444,7 +445,7 @@ def get_month_list():
 '''
 def create_table_row(meta_data, object_id, is_auth_to_delete):
 row = ''
- row = row + '' + meta_data['cite'] + ''
+ row = row + '' + Markup.striptags(meta_data['cite']) + ''
 if meta_data['link'] and meta_data['link'] != '':
 row = row + 'Link'
 else:
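Review bot: `Markup.striptags(meta_data['cite'])` is not an escaping step: markupsafe's `striptags` removes tags and then unescapes HTML entities, returning plain text that this line concatenates straight back into markup, so entity-encoded characters in `cite` re-enter the output as live markup. Escape at the interpolation point instead — replace `Markup.striptags(meta_data['cite'])` with `str(escape(meta_data['cite']))` and change the import added to this file to `from markupsafe import escape`. The `str()` wrapper matters because `row` is built as a plain `str`: concatenating a `Markup` object onto it would route through `Markup.__radd__` and escape the surrounding literal tag strings (which appear stripped by extraction here). I am assuming `cite` ultimately derives from user-supplied metadata and is the value to treat as untrusted; confirm against the caller. `create_table_row` continues past the end of this hunk.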