Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(contribs/gnodev/pkg/emitter): use html/template not text/template for HTML generation #3545

Merged
merged 1 commit into from
Jan 20, 2025
Merged

fix(contribs/gnodev/pkg/emitter): use html/template not text/template for HTML generation #3545

merged 1 commit into from
Jan 20, 2025

Conversation

odeke-em
Copy link
Contributor

This change uses html/template instead of text/template for HTML generation and also locks in tests to detect such subtle regressions and thus help prevent future cross-side scripting (XSS) attacks if later the scripts evolve and take in user input.

Fixes #3544

@Gno2D2
Copy link
Collaborator

Gno2D2 commented Jan 19, 2025
edited
Loading

🛠 PR Checks Summary

All Automated Checks passed. ✅

Manual Checks (for Reviewers):
  • IGNORE the bot requirements for this PR (force green CI check)
  • The pull request description provides enough details (checked by @thehowl)
Read More

🤖 This bot helps streamline PR reviews by verifying automated checks and providing guidance for contributors and reviewers.

✅ Automated Checks (for Contributors):

🟢 Maintainers must be able to edit this pull request (more info)

☑️ Contributor Actions:
  1. Fix any issues flagged by automated checks.
  2. Follow the Contributor Checklist to ensure your PR is ready for review.
    • Add new tests, or document why they are unnecessary.
    • Provide clear examples/screenshots, if necessary.
    • Update documentation, if required.
    • Ensure no breaking changes, or include BREAKING CHANGE notes.
    • Link related issues/PRs, where applicable.
☑️ Reviewer Actions:
  1. Complete manual checks for the PR, including the guidelines and additional checks if applicable.
📚 Resources:
Debug
Automated Checks
Maintainers must be able to edit this pull request (more info)

If

🟢 Condition met
└── 🟢 The pull request was created from a fork (head branch repo: odeke-em/gno)

Then

🟢 Requirement satisfied
└── 🟢 Maintainer can modify this pull request
Manual Checks
**IGNORE** the bot requirements for this PR (force green CI check)

If

🟢 Condition met
└── 🟢 On every pull request

Can be checked by

  • Any user with comment edit permission
The pull request description provides enough details

If

🟢 Condition met
└── 🟢 And
    ├── 🟢 Not (🔴 Pull request author is a member of the team: core-contributors)
    └── 🟢 Not (🔴 Pull request author is user: dependabot[bot])

Can be checked by

  • team core-contributors

@odeke-em odeke-em force-pushed the gnodev-use-html-template-not-text-template branch from c014723 to 93d4261 Compare January 19, 2025 01:37
@odeke-em odeke-em changed the title security(contribs/gnodev/pkg/emitter): use html/template not text/template for HTML generation fix(contribs/gnodev/pkg/emitter): use html/template not text/template for HTML generation Jan 19, 2025
@codecov Codecov
Copy link

codecov bot commented Jan 19, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

📢 Thoughts on this report? Let us know!

@odeke-em odeke-em force-pushed the gnodev-use-html-template-not-text-template branch from 93d4261 to f510ab5 Compare January 19, 2025 03:59
thehowl
thehowl approved these changes Jan 19, 2025
View reviewed changes
Copy link
Member

@thehowl thehowl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please address the comment and any other CI errors, and we should be good to go. Thanks!

@odeke-em odeke-em force-pushed the gnodev-use-html-template-not-text-template branch 3 times, most recently from 77f6d15 to 6d86add Compare January 19, 2025 23:29
@odeke-em
fix(contribs/gnodev/pkg/emitter): use html/template not text/template…
99f8025 
… for HTML generation

This change uses html/template instead of text/template for HTML
generation and also locks in tests to detect such subtle regressions
and thus help prevent future cross-side scripting (XSS) attacks
if later the scripts evolve and take in user input.

Fixes gnolang#3544
@odeke-em odeke-em force-pushed the gnodev-use-html-template-not-text-template branch from 6d86add to 99f8025 Compare January 20, 2025 01:30
@odeke-em
Copy link
Contributor Author

Done and thank you @thehowl

@thehowl thehowl merged commit 4135ffe into gnolang:master Jan 20, 2025
77 checks passed
@odeke-em odeke-em deleted the gnodev-use-html-template-not-text-template branch January 20, 2025 08:42
@kristovatlas
Copy link
Contributor

Thank you for the contribution.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thehowl thehowl thehowl approved these changes

Assignees

@odeke-em odeke-em

Labels
None yet
Projects
🧙‍♂️gno.land core team
Status: Done
Milestone
No milestone
4 participants
@odeke-em @Gno2D2 @kristovatlas @thehowl