Htmx #204
expense detail page
displaying a success message
"expense_edit_perm": can_edit_expense(expense, request.user)}) | ||
else: | ||
message = ("Transition %s is not allowed" % target_state) | ||
return HttpResponse(message) |
Check warning (Code scanning / CodeQL): Reflected server-side cross-site scripting, severity Medium: user-provided value
Copilot Autofix AI about 1 month ago
To fix the reflected server-side cross-site scripting vulnerability, we need to escape the target_state value before including it in the message string. This can be done using Django's built-in escaping functions. Specifically, we can use django.utils.html.escape to ensure that any potentially malicious input is properly escaped before being rendered in the HTTP response.
@@ -274,3 +274,4 @@ | ||
else: | ||
message = ("Transition %s is not allowed" % target_state) | ||
from django.utils.html import escape | ||
message = ("Transition %s is not allowed" % escape(target_state)) | ||
return HttpResponse(message) |
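Review bot: the added `from django.utils.html import escape` sits inside the `else:` branch; a function-local import works but hides the dependency and is re-resolved on every request, so move it to the module's import block alongside the other Django imports. Escaping is the right fix for this sink because `HttpResponse` defaults to `text/html`, so the interpolated `target_state` would otherwise be parsed as markup; an equally sound alternative that avoids building HTML at all is returning the message with `content_type="text/plain"`, and since a disallowed transition is a client error the response should carry a 4xx status rather than the 200 the hunk still returns.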
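The following is an added example, not code from this PR or from the Copilot autofix, showing the flagged pattern next to the escaping fix the alert recommends and two further hardening options (a plain-text response and an allowlist that never echoes the input). It assumes a small `Response` stand-in for `django.http.HttpResponse` with the same defaults (`text/html`, status 200) so it runs without Django, uses the standard library's `html.escape` in place of `django.utils.html.escape` (both escape the same five characters `& < > " '`), and the transition names in `ALLOWED_TRANSITIONS` are constructed for the example rather than taken from the project.

```python
import html
from dataclasses import dataclass

# Constructed allowlist for this example; the project's real transition names are not on this page.
ALLOWED_TRANSITIONS = frozenset({"submit", "approve", "reject"})


@dataclass
class Response:
    """Stand-in for django.http.HttpResponse (assumption: same defaults, text/html and 200)."""
    body: str
    content_type: str = "text/html"
    status: int = 200


def reply_unescaped(target_state: str) -> Response:
    """The pattern CodeQL flagged: request-derived text interpolated into an HTML body."""
    return Response("Transition %s is not allowed" % target_state)


def reply_escaped(target_state: str) -> Response:
    """The autofix's approach. html.escape encodes the same five characters
    (& < > " ') as django.utils.html.escape, so it stands in for it here."""
    return Response("Transition %s is not allowed" % html.escape(target_state))


def reply_plaintext(target_state: str) -> Response:
    """Alternative: declare the body as text/plain so a browser never parses it as HTML,
    and report the client error with a 4xx status instead of 200."""
    return Response("Transition %s is not allowed" % target_state,
                    content_type="text/plain", status=400)


def reply_allowlisted(target_state: str) -> Response:
    """Alternative: validate against the known states and never echo unknown input."""
    if target_state not in ALLOWED_TRANSITIONS:
        return Response("Transition not allowed", content_type="text/plain", status=400)
    return Response("Transition %s applied" % target_state, content_type="text/plain")


MARKUP_CHARS = set('<>&"\'')


def reflects_unsafely(resp: Response, raw_input: str) -> bool:
    """Detection helper: True when an HTML response echoes user input that still
    carries HTML-significant characters verbatim (the condition CodeQL reports)."""
    if not resp.content_type.startswith("text/html"):
        return False
    if not (MARKUP_CHARS & set(raw_input)):
        return False
    return raw_input in resp.body


if __name__ == "__main__":
    sample = "<b>bold</b>"  # constructed input containing markup characters
    for fn in (reply_unescaped, reply_escaped, reply_plaintext, reply_allowlisted):
        r = fn(sample)
        print(f"{fn.__name__:17} unsafe={reflects_unsafely(r, sample)!s:5} "
              f"{r.status} {r.content_type}: {r.body}")
```

Running the block prints one line per variant; only `reply_unescaped` is reported as unsafe. The escaped variant keeps the original behaviour of naming the rejected state while neutralising markup, whereas the plain-text and allowlist variants remove the HTML context entirely, which is the more robust choice when the message does not need to be rendered as a page.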
view that prevents effective deletion
use htmx for mission archiving and expense update