views/NotifierUpdate: Escape square brackets in global message

Despite of having added v-pre in the right place, for some reason it looks like that template is not being updated properly when re-running the Django app. Until we find a fix for that issue we are adding a simple ugly escape for square brackets to tackle the XSS problem.
line · Apr 25, 2024 · e72bb15 · e72bb15
1 parent a0814c2
commit e72bb15
Showing 1 changed file with 24 additions and 3 deletions.
diff --git a/promgen/views.py b/promgen/views.py
@@ -295,20 +295,41 @@ def get_context_data(self, **kwargs):
         context[obj.content_type.model] = obj.content_object
         return context
 
+    def escape_square_brackets(self, s):
+        return s.replace("[", "\[").replace("]", "\]")
+
     def post(self, request, pk):
         if "filter.pk" in request.POST:
             f = models.Filter.objects.get(pk=request.POST["filter.pk"])
             f.delete()
-            messages.success(request, f"Removed filter {f.name} {f.value}")
+            messages.success(
+                request,
+                "Removed filter {} {}".format(
+                    self.escape_square_brackets(f.name),
+                    self.escape_square_brackets(f.value)
+                )
+            )
         if "filter.name" in request.POST:
             obj = self.get_object()
             f, created = obj.filter_set.get_or_create(
                 name=request.POST["filter.name"], value=request.POST["filter.value"]
             )
             if created:
-                messages.success(request, f"Created filter {f.name} {f.value}")
+                messages.success(
+                    request,
+                    "Created filter {} {}".format(
+                        self.escape_square_brackets(f.name),
+                        self.escape_square_brackets(f.value)
+                    )
+                )
             else:
-                messages.warning(request, f"Updated filter {f.name} {f.value}")
+                messages.warning(
+                    request,
+                    "Updated filter {} {}".format(
+                        self.escape_square_brackets(f.name),
+                        self.escape_square_brackets(f.value)
+                    )
+                )
         if "next" in request.POST:
             return redirect(request.POST["next"])
         return self.get(self, request, pk)