From 51ff0e0b9ea54fe2b6deecdca3279bbb4af632c8 Mon Sep 17 00:00:00 2001
From: Michael Derynck
Date: Fri, 13 Sep 2024 14:27:15 -0600
Subject: [PATCH] Revert "Fix link escaping in web template" (#5024)
Reverts grafana/oncall#5019 Investigating alternatives, although we have a sanitize function called on the UI side we probably don't want to allow other html.
---
 .../templaters/web_templater.py | 2 +-
 .../alerts/tests/test_alert_group_renderer.py | 44 -------------------
 2 files changed, 1 insertion(+), 45 deletions(-)
diff --git a/engine/apps/alerts/incident_appearance/templaters/web_templater.py b/engine/apps/alerts/incident_appearance/templaters/web_templater.py
index 9902a9aa14..2598ca0dcf 100644
--- a/engine/apps/alerts/incident_appearance/templaters/web_templater.py
+++ b/engine/apps/alerts/incident_appearance/templaters/web_templater.py
@@ -15,7 +15,7 @@ def _postformat(self, templated_alert):
 if templated_alert.title:
 templated_alert.title = escape_html(self._slack_format_for_web(templated_alert.title))
 if templated_alert.message:
- message = self._slack_format_for_web(templated_alert.message)
+ message = escape_html(self._slack_format_for_web(templated_alert.message))
 link_matches = re.findall(url_re, message)
 for idx, link in enumerate(link_matches):
 substitution = f"oncallsubstitutedlink{idx}marker"
diff --git a/engine/apps/alerts/tests/test_alert_group_renderer.py b/engine/apps/alerts/tests/test_alert_group_renderer.py
index 2521f8a8dc..8cc1249e9e 100644
--- a/engine/apps/alerts/tests/test_alert_group_renderer.py
+++ b/engine/apps/alerts/tests/test_alert_group_renderer.py
@@ -55,50 +55,6 @@ def test_render_web_alert_links(
 )
-@pytest.mark.parametrize(
- "message, expected_result",
- [
- (
- 'google',
- '
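Review bot: The restored `escape_html(...)` call on the `message` line appears to be the server-side control on alert-supplied HTML in this path, yet nothing visible in the patch pins it: the same commit deletes `test_render_web_postformat_html_a_links` and adds no test asserting that markup in a payload message comes out escaped. Since the description says the UI-side sanitize call should not be relied on, a regression test with a message containing an HTML tag and its expected escaped output would keep a later link-escaping fix from dropping the call again. A short comment above the line would also help, e.g. `# Escape first: message comes from the alert payload; the link handling below works on escaped text.` Because the escape runs before `re.findall(url_re, message)`, URLs are presumably matched in their escaped form, which looks like what #5019 was working around, so the follow-up likely needs to handle extracted links separately rather than remove the escape. `_postformat` starts and ends outside the hunk.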

google

',
- ),
- (
- 'google',
- '

google

',
- ),
- (
- 'google',
- '

google

',
- ),
- ("http://www.google.com/", '

http://www.google.com/

'),
- (
- "[Hello](http://www.google.com)",
- '

Hello

',
- ),
- ],
-)
-@pytest.mark.django_db
-def test_render_web_postformat_html_a_links(
- make_organization_and_user_with_slack_identities,
- make_alert_receive_channel,
- make_alert_group,
- make_alert,
- message,
- expected_result,
-):
- organization, _, _, _ = make_organization_and_user_with_slack_identities()
- alert_receive_channel = make_alert_receive_channel(
- organization,
- )
- alert_group = make_alert_group(alert_receive_channel)
-
- alert = make_alert(alert_group=alert_group, raw_request_data={"message": message})
-
- templater = AlertWebTemplater(alert)
- templated_alert = templater.render()
- assert templated_alert.message == expected_result
-
-
 @pytest.mark.django_db
 def test_getattr_template(
 make_organization_and_user_with_slack_identities,