Templates: Add v-pre to protect against XSS #501

line · Apr 24, 2024 · 975a37a · 975a37a
2 parents 56e9b04 + dcd4e37
commit 975a37a
Show file tree

Hide file tree

Showing 55 changed files with 125 additions and 125 deletions.
diff --git a/promgen/templates/base.html b/promgen/templates/base.html
@@ -5,7 +5,7 @@
 <head>
   <meta charset="utf-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>{% block title %}Promgen {{ VERSION }}{% endblock %}</title>
+  <title v-pre>{% block title %}Promgen {{ VERSION }}{% endblock %}</title>
   <link rel="stylesheet" href="{% static 'css/bootstrap.min.css' %}">
   <link rel="stylesheet" href="{% static 'css/bootstrap-theme.min.css' %}">
   <link rel="stylesheet" href="{% static 'css/bootstrap-switch.min.css' %}">

diff --git a/promgen/templates/promgen/ajax_clause_check.html b/promgen/templates/promgen/ajax_clause_check.html
@@ -1,6 +1,6 @@
 {% load i18n %}
 {% load promgen %}
-<div id="ajax-clause-check" class="panel panel-info">
+<div id="ajax-clause-check" class="panel panel-info" v-pre>
   <div class="panel-heading">Query Result</div>
   <div class="panel-body">
   <p>Query Duration: {{ duration }}</p>

diff --git a/promgen/templates/promgen/ajax_exporter.html b/promgen/templates/promgen/ajax_exporter.html
@@ -1,4 +1,4 @@
-<div id="{{target}}" class="panel panel-default">
+<div id="{{target}}" class="panel panel-default" v-pre>
   <table class="table">
     <tr>
       <th>URL</th>

diff --git a/promgen/templates/promgen/alert_detail.html b/promgen/templates/promgen/alert_detail.html
@@ -6,7 +6,7 @@
 
 <ul class="list-unstyled">
     {% for error in alert.alerterror_set.all %}
-    <li class="alert alert-danger" role="alert">
+    <li class="alert alert-danger" role="alert" v-pre>
         <span class="glyphicon glyphicon-alert" aria-hidden="true"></span>
         {{error.message}}
         <span class="pull-right">{{error.created}}</span>
@@ -17,9 +17,9 @@
 <h2>Routing</h2>
 <dl class="dl-horizontal">
     {% for label, value in groupLabels.items %}
-    <dt>{{label}}</dt>
+    <dt v-pre>{{label}}</dt>
     <dd>
-        <a class="label label-warning" href="{% url 'alert-list' %}?{{label}}={{value}}">{{value}}</a>
+        <a class="label label-warning" href="{% url 'alert-list' %}?{{label}}={{value}}" v-pre>{{value}}</a>
         {% if label in redirects %}
         <a href="{% url 'search' %}?var-{{label}}={{value}}">Search</a>
         {% endif %}
@@ -34,9 +34,9 @@ <h2>Routing</h2>
 <h2>Additional Common Labels</h2>
 <dl class="dl-horizontal">
     {% for label, value in otherLabels.items %}
-    <dt>{{label}}</dt>
+    <dt v-pre>{{label}}</dt>
     <dd>
-        <a class="label label-warning" href="{% url 'alert-list' %}?{{label}}={{value}}">{{value}}</a>
+        <a class="label label-warning" href="{% url 'alert-list' %}?{{label}}={{value}}" v-pre>{{value}}</a>
         {% if label in redirects %}
         <a href="{% url 'search' %}?var-{{label}}={{value}}">Search</a>
         {% endif %}
@@ -47,12 +47,12 @@ <h2>Additional Common Labels</h2>
 <h2>Common Annotations</h2>
 <dl class="dl-horizontal">
     {% for label, value in data.commonAnnotations.items %}
-    <dt>{{label}}</dt>
-    <dd>{{value|urlize}}</dd>
+    <dt v-pre>{{label}}</dt>
+    <dd v-pre>{{value|urlize}}</dd>
     {% endfor %}
     {% if data.externalURL %}
     <dt>External URL</dt>
-    <dd>{{data.externalURL|urlizetrunc:100}}</dd>
+    <dd v-pre>{{data.externalURL|urlizetrunc:100}}</dd>
     {% endif %}
 </dl>
 
@@ -65,21 +65,21 @@ <h2>Alerts</h2>
     </tr>
     {% for alert in data.alerts %}
     <tr>
-        <td>{{alert.startsAt}}</td>
+        <td v-pre>{{alert.startsAt}}</td>
         <td>
             <ul>
                 {% for k,v in alert.labels.items|dictsort:0 %}
-                <a class="label label-warning" href="{% url 'alert-list' %}?{{k}}={{v}}">{{k}}:{{v}}</a>
+                <a class="label label-warning" href="{% url 'alert-list' %}?{{k}}={{v}}" v-pre>{{k}}:{{v}}</a>
                 {% endfor %}
             </ul>
         </td>
-        <td>{{alert.generatorURL|urlizetrunc:100}}</td>
+        <td v-pre>{{alert.generatorURL|urlizetrunc:100}}</td>
     </tr>
     {% endfor %}
 </table>
 
 <details>
     <summary>Raw Data</summary>
-    <pre>{{alert.json|pretty_json}}</pre>
+    <pre v-pre>{{alert.json|pretty_json}}</pre>
 </details>
 {% endblock %}
diff --git a/promgen/templates/promgen/alert_list.html b/promgen/templates/promgen/alert_list.html
@@ -26,16 +26,16 @@
     {% for alert in alert_list %}
     {% ifchanged alert.created|date %}
     <tr class="table-secondary">
-        <th colspan="8">{{ alert.created|date }}</th>
+        <th colspan="8" v-pre>{{ alert.created|date }}</th>
     </tr>
     {% endifchanged %}
     <tr>
-        <td><a href="{{alert.get_absolute_url}}">{{ alert.created|timezone:TIMEZONE }}</a></td>
-        <td><a href="?alertname={{alert.json.commonLabels.alertname}}">{{alert.json.commonLabels.alertname}}</a></td>
-        <td>{{alert.json.commonLabels.datasource}}</td>
-        <td><a href="?service={{alert.json.commonLabels.service}}">{{alert.json.commonLabels.service}}</a></td>
-        <td><a href="?project={{alert.json.commonLabels.project}}">{{alert.json.commonLabels.project}}</a></td>
-        <td><a href="?job={{alert.json.commonLabels.job}}">{{alert.json.commonLabels.job}}</a></td>
+        <td><a href="{{alert.get_absolute_url}}" v-pre>{{ alert.created|timezone:TIMEZONE }}</a></td>
+        <td><a href="?alertname={{alert.json.commonLabels.alertname}}" v-pre>{{alert.json.commonLabels.alertname}}</a></td>
+        <td v-pre>{{alert.json.commonLabels.datasource}}</td>
+        <td><a href="?service={{alert.json.commonLabels.service}}" v-pre>{{alert.json.commonLabels.service}}</a></td>
+        <td><a href="?project={{alert.json.commonLabels.project}}" v-pre>{{alert.json.commonLabels.project}}</a></td>
+        <td><a href="?job={{alert.json.commonLabels.job}}" v-pre>{{alert.json.commonLabels.job}}</a></td>
         <td {% if alert.sent_count == 0 %}class="warning" {% endif %}>{{alert.sent_count}}</td>
         <td {% if alert.error_count %}class="danger" {% endif %}>{{alert.error_count}}</td>
     </tr>

diff --git a/promgen/templates/promgen/audit_list.html b/promgen/templates/promgen/audit_list.html
@@ -7,7 +7,7 @@ <h1>Log</h1>
 </div>
 
 {% if request.GET %}
-<ul class="list-inline">
+<ul class="list-inline" v-pre>
   <li>Filters</li>
 {% for k in request.GET %}
 <li>
@@ -19,7 +19,7 @@ <h1>Log</h1>
 </ul>
 {% endif %}
 
-<div class="panel panel-default">
+<div class="panel panel-default" v-pre>
     <table class="table table-bordered table-condensed">
       <thead>
         <tr>

diff --git a/promgen/templates/promgen/error_block.html b/promgen/templates/promgen/error_block.html
@@ -1,13 +1,13 @@
 {% for error in warning %}
-<div class="alert alert-warning alert-dismissible" role="alert">
+<div class="alert alert-warning alert-dismissible" role="alert" v-pre>
     <span class="glyphicon glyphicon-alert" aria-hidden="true"></span>
     <span class="sr-only">Warning:</span>
     <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button>
     {{error}}
 </div>
 {% endfor %}
 {% for error in danger %}
-<div class="alert alert-danger alert-dismissible" role="alert">
+<div class="alert alert-danger alert-dismissible" role="alert" v-pre>
     <span class="glyphicon glyphicon-alert" aria-hidden="true"></span>
     <span class="sr-only">Warning:</span>
     <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button>

diff --git a/promgen/templates/promgen/exporter_form.html b/promgen/templates/promgen/exporter_form.html
@@ -3,7 +3,7 @@
 {% load promgen %}
 {% block content %}
 
-<div class="page-header">
+<div class="page-header" v-pre>
   <h1>Project: {{ project.name }}</h1>
 </div>
 
@@ -31,7 +31,7 @@ <h1>Project: {{ project.name }}</h1>
             If there are no other job names that make sense, <strong class="text-success">app</strong> can be used as a general substitute
           </p>
         </div>
-        <table class="table">
+        <table class="table" v-pre>
           {{ form.as_table }}
         </table>
         <div class="panel-footer">
@@ -59,7 +59,7 @@ <h1>Project: {{ project.name }}</h1>
           <input type="hidden" name="scheme" value="{{ default.scheme }}" />
           <input type="hidden" name="enabled" value="1" />
           <div class="input-group-btn">
-            <button style="width:80%" class="btn btn-primary">Register {{ default.job }} :{{ default.port }}{{ default.path }}</button>
+            <button style="width:80%" class="btn btn-primary" v-pre>Register {{ default.job }} :{{ default.port }}{{ default.path }}</button>
             <exporter-test class="btn btn-info" href="{% url 'exporter-scrape' project.id %}">
               {% trans "Test" %}
             </exporter-test>

diff --git a/promgen/templates/promgen/farm_detail.html b/promgen/templates/promgen/farm_detail.html
@@ -3,17 +3,17 @@
 
 {% block content %}
 
-<div class="page-header">
+<div class="page-header" v-pre>
   <h1>Farm: {{ farm.name }} ({{ farm.source }})</h1>
 </div>
 
-<ol class="breadcrumb">
+<ol class="breadcrumb" v-pre>
   <li><a href="{% url 'service-list' %}">Home</a></li>
   <li><a href="{% url 'farm-list' %}">Farms</a></li>
   <li class="active"><a href="{% url 'farm-detail' farm.id %}">{{ farm.name }}</a></li>
 </ol>
 
-<div class="row">
+<div class="row" v-pre>
 
 <div class="col-md-6">
   <div class="panel panel-default">

diff --git a/promgen/templates/promgen/farm_duplicate.html b/promgen/templates/promgen/farm_duplicate.html
@@ -7,7 +7,7 @@
   <li class="active">Convert Farm</li>
 </ol>
 
-<div class="panel panel-warning">
+<div class="panel panel-warning" v-pre>
   <div class="panel-heading">Error converting farm. Duplicate detected</div>
 
   <table class="table">

diff --git a/promgen/templates/promgen/farm_form.html b/promgen/templates/promgen/farm_form.html
@@ -2,18 +2,18 @@
 
 {% block content %}
 
-<div class="page-header">
+<div class="page-header" v-pre>
   <h1>Project: {{ project.name }}</h1>
 </div>
 
-<ol class="breadcrumb">
+<ol class="breadcrumb" v-pre>
   <li><a href="{% url 'service-list' %}">Home</a></li>
   <li><a href="{% url 'service-detail' project.service.id %}">{{ project.service.name }}</a></li>
   <li><a href="{% url 'project-detail' project.id %}">{{ project.name }}</a></li>
   <li class="active">{{ view.button_label }}</li>
 </ol>
 
-<form method="post">{% csrf_token %}
+<form method="post" v-pre>{% csrf_token %}
     {{ form.as_p }}
     <button class="btn btn-primary">{{ view.button_label }}</button>
 </form>

diff --git a/promgen/templates/promgen/farm_list.html b/promgen/templates/promgen/farm_list.html
@@ -12,7 +12,7 @@ <h1>Farms</h1>
 
 {% include "promgen/pagination.html" %}
 
-<div class="panel panel-default">
+<div class="panel panel-default" v-pre>
   <table class="table table-bordered table-condensed">
     <thead>
       <tr>

diff --git a/promgen/templates/promgen/global_messages.html b/promgen/templates/promgen/global_messages.html
@@ -1,5 +1,5 @@
 {% for message in messages %}
-<div class="alert {% if message.tags %}alert-{{ message.tags }}{% endif %}" role="alert">
+<div class="alert {% if message.tags %}alert-{{ message.tags }}{% endif %}" role="alert" v-pre>
     <button type="button" class="close" data-dismiss="alert">
         <span aria-hidden="true">&times;</span>
     </button>

diff --git a/promgen/templates/promgen/graph.html b/promgen/templates/promgen/graph.html
@@ -1,7 +1,7 @@
 {% extends "base.html" %}
 
 {% block content %}
-<div class="panel">
+<div class="panel" v-pre>
   <div class="panel-body">
     <form action="{{shard.url}}/graph">
       <dl class="dl-horizontal">

diff --git a/promgen/templates/promgen/host_404.html b/promgen/templates/promgen/host_404.html
@@ -3,16 +3,16 @@
 {% block title %}No hosts found for {{ slug }}{% endblock %}
 
 {% block content %}
-<div class="page-header">
+<div class="page-header" v-pre>
   <h1>Host: {{ slug }}</h1>
 </div>
 
-<ol class="breadcrumb">
+<ol class="breadcrumb" v-pre>
   <li><a href="{% url 'service-list' %}">Home</a></li>
   <li class="active">{{ slug }}</li>
 </ol>
 
-<div class="alert alert-danger" role="alert">
+<div class="alert alert-danger" role="alert" v-pre>
 No hosts found for {{ slug }}
 </div>
 {% endblock %}
diff --git a/promgen/templates/promgen/host_block.html b/promgen/templates/promgen/host_block.html
@@ -1,4 +1,4 @@
-<div class="row">
+<div class="row" v-pre>
 
 {% for project in host.farm.project_set.all %}
 <div class="col-md-6">

diff --git a/promgen/templates/promgen/host_detail.html b/promgen/templates/promgen/host_detail.html
@@ -2,11 +2,11 @@
 {% load i18n %}
 {% block content %}
 
-<div class="page-header">
+<div class="page-header" v-pre>
   <h1>Host: {{ slug }}</h1>
 </div>
 
-<ol class="breadcrumb">
+<ol class="breadcrumb" v-pre>
   <li><a href="{% url 'service-list' %}">Home</a></li>
   <li class="active">{{ slug }}</li>
 </ol>
@@ -29,7 +29,7 @@ <h1>Host: {{ slug }}</h1>
 
 <div class="row">
 
-<div class="col-sm-6"><div class="panel panel-primary">
+<div class="col-sm-6"><div class="panel panel-primary" v-pre>
   <div class="panel-heading">Farm</div>
   <table class="table">
     <tr>
@@ -43,7 +43,7 @@ <h1>Host: {{ slug }}</h1>
   </table>
 </div></div>
 
-<div class="col-sm-6"><div class="panel panel-primary">
+<div class="col-sm-6"><div class="panel panel-primary" v-pre>
   <div class="panel-heading">Project</div>
   <table class="table">
     <tr>
@@ -57,7 +57,7 @@ <h1>Host: {{ slug }}</h1>
   </table>
 </div></div>
 
-<div class="col-sm-6"><div class="panel panel-primary">
+<div class="col-sm-6"><div class="panel panel-primary" v-pre>
   <div class="panel-heading">Exporters</div>
   <table class="table">
     <tr>
@@ -79,7 +79,7 @@ <h1>Host: {{ slug }}</h1>
   </table>
 </div></div>
 
-<div class="col-sm-6"><div class="panel panel-primary">
+<div class="col-sm-6"><div class="panel panel-primary" v-pre>
   <div class="panel-heading">Notifiers</div>
   <table class="table">
     <tr>
@@ -106,7 +106,7 @@ <h1>Host: {{ slug }}</h1>
   <table class="table table-bordered table-condensed">
     {% include "promgen/rule_header.html" %}
     {% for service in service_list %}
-    <tr>
+    <tr v-pre>
       <td colspan="5">
         <h2>
           Rules from <a href="{{ service.grouper.get_absolute_url }}">{{ service.grouper }}</a>

diff --git a/promgen/templates/promgen/host_form.html b/promgen/templates/promgen/host_form.html
@@ -3,18 +3,18 @@
 
 {% block content %}
 
-<div class="page-header">
+<div class="page-header" v-pre>
   <h1>Farm: {{ farm.name }}</h1>
 </div>
 
-<ol class="breadcrumb">
+<ol class="breadcrumb" v-pre>
   <li><a href="{% url 'service-list' %}">Home</a></li>
   <li><a href="{% url 'service-detail' project.service.id %}">{{ project.service.name }}</a></li>
   <li><a href="{% url 'project-detail' project.id %}">{{ project.name }}</a></li>
   <li class="active">Add hosts to {{ farm.name }}</li>
 </ol>
 
-<form action="{% url 'hosts-add' farm.id %}" method="post">{% csrf_token %}
+<form action="{% url 'hosts-add' farm.id %}" method="post" v-pre>{% csrf_token %}
   <table>
     {{ form.as_table }}
   </table>

diff --git a/promgen/templates/promgen/host_list.html b/promgen/templates/promgen/host_list.html
@@ -20,7 +20,7 @@ <h1>Hosts</h1>
         </tr>
       </thead>
 {% for name, hosts in host_groups.items %}
-<tr>
+<tr v-pre>
   <td><a href="{% url 'host-detail' name %}">{{ name }}</a></td>
   <td>
     <ul>

diff --git a/promgen/templates/promgen/import_form.html b/promgen/templates/promgen/import_form.html
@@ -14,7 +14,7 @@ <h1>Import Configs</h1>
 <div class="panel panel-default">
   <div class="panel-heading">Import Targets</div>
   <div class="panel-body">
-    <form action="" method="post" enctype="multipart/form-data">{% csrf_token %}
+    <form action="" method="post" enctype="multipart/form-data" v-pre>{% csrf_token %}
         {{ form.as_p }}
         <button class="btn btn-primary">Import Targets</button>
     </form>