From 0668239dc6b44ef38e7a6c9f91f312fd4ca581cb Mon Sep 17 00:00:00 2001 From: David Lord Date: Thu, 2 May 2024 09:14:00 -0700 Subject: [PATCH] disallow invalid characters in keys to xmlattr filter Reference:https://github.com/pallets/jinja/commit/0668239dc6b44ef38e7a6c9f91f312fd4ca581cb Conflict:NA --- Jinja2-2.11.2/CHANGES.rst | 6 ++++++ Jinja2-2.11.2/src/jinja2/filters.py | 23 ++++++++++++++++++----- Jinja2-2.11.2/tests/test_filters.py | 11 ++++++----- 3 files changed, 30 insertions(+), 10 deletions(-) diff --git a/Jinja2-2.11.2/CHANGES.rst b/Jinja2-2.11.2/CHANGES.rst index 6dfe912..2c7614b 100644 --- a/Jinja2-2.11.2/CHANGES.rst +++ b/Jinja2-2.11.2/CHANGES.rst @@ -1,5 +1,11 @@ .. currentmodule:: jinja2 +- The ``xmlattr`` filter does not allow keys with ``/`` solidus, ``>`` + greater-than sign, or ``=`` equals sign, in addition to disallowing spaces. + Regardless of any validation done by Jinja, user input should never be used + as keys to this filter, or must be separately validated first. + GHSA-h75v-3vvj-5mfj + Version 2.11.3 -------------- diff --git a/Jinja2-2.11.2/src/jinja2/filters.py b/Jinja2-2.11.2/src/jinja2/filters.py index eed8d8b..92592dc 100644 --- a/Jinja2-2.11.2/src/jinja2/filters.py +++ b/Jinja2-2.11.2/src/jinja2/filters.py @@ -204,15 +204,24 @@ def do_lower(s): """Convert a value to lowercase.""" return soft_unicode(s).lower() -_space_re = re.compile(r"\s", re.U) + +# Check for characters that would move the parser state from key to value. +# https://html.spec.whatwg.org/#attribute-name-state +_attr_key_re = re.compile(r"[\s/>=]", flags=re.U) @evalcontextfilter def do_xmlattr(_eval_ctx, d, autospace=True): """Create an SGML/XML attribute string based on the items in a dict. All values that are neither `none` nor `undefined` are automatically escaped: - If any key contains a space, this fails with a ``ValueError``. Values that - are neither ``none`` nor ``undefined`` are automatically escaped. + **Values** that are neither ``none`` nor ``undefined`` are automatically + escaped, safely allowing untrusted user input. + + User input should not be used as **keys** to this filter. If any key + contains a space, ``/`` solidus, ``>`` greater-than sign, or ``=`` equals + sign, this fails with a ``ValueError``. Regardless of this, user input + should never be used as keys to this filter, or must be separately validated + first. .. sourcecode:: html+jinja `` greater-than sign, or ``=`` equals sign + are not allowed. + .. versionchanged:: 3.1.3 Keys with spaces are not allowed. """ @@ -240,8 +253,8 @@ def do_xmlattr(_eval_ctx, d, autospace=True): if value is None or isinstance(value, Undefined): continue - if _space_re.search(key) is not None: - raise ValueError("Spaces are not allowed in attributes: {}".format(key)) + if _attr_key_re.search(key) is not None: + raise ValueError("Invalid character in attribute name: {!r}".format(key)) items.append('{}="{}"'.format(escape(key), escape(value))) diff --git a/Jinja2-2.11.2/tests/test_filters.py b/Jinja2-2.11.2/tests/test_filters.py index 6e697f3..c34dd9d 100644 --- a/Jinja2-2.11.2/tests/test_filters.py +++ b/Jinja2-2.11.2/tests/test_filters.py @@ -440,11 +440,12 @@ class TestFilter(object): assert 'bar="23"' in out assert 'blub:blub="<?>"' in out - def test_xmlattr_key_with_spaces(self, env): - with pytest.raises(ValueError, match="Spaces are not allowed"): - env.from_string( - "{{ {'src=1 onerror=alert(1)': 'my_class'}|xmlattr }}" - ).render() + @pytest.mark.parametrize("sep", ("\t", "\n", "\f", " ", "/", ">", "=")) + def test_xmlattr_key_invalid(self, env, sep): + with pytest.raises(ValueError, match="Invalid character"): + env.from_string("{{ {key: 'my_class'}|xmlattr }}").render( + key="class{}onclick=alert(1)".format(sep) + ) def test_sort1(self, env): tmpl = env.from_string("{{ [2, 3, 1]|sort }}|{{ [2, 3, 1]|sort(true) }}") -- 2.33.0