Security: fix XSS and path traversal in uicore templatetags SACGF/variantgrid_private#3832

davmlaw · davmlaw · commit db139c5a06dc · 2026-04-02T10:44:12.000+10:30
- escapejs on user.username in JS string context (menu_bar_main.html)
- html.escape() on title attribute in severity_icon filter (ui_utils.py)
- Validate page_id with whitelist regex in page_help tag (ui_help.py)
diff --git a/uicore/templates/uicore/menus/menu_bar_main.html b/uicore/templates/uicore/menus/menu_bar_main.html
@@ -14,7 +14,7 @@
 {% menu_top 'variant_tags' app_name='variantopedia|variants|manual_variant_entry' title='Variants' %}
 {% menu_top 'annotation' app_name='annotation' title='Annotation' %}
 <a class="nav-link" target="_blank" href="{{ help_url }}">Help</a>
-<a id="suggestion" class="nav-link" data-toggle="tooltip" title="Suggestion / Bug Report" href="javascript:suggestionDialog('{{ user.username }}')"><i class="fas fa-bug mt-1"></i></a>
+<a id="suggestion" class="nav-link" data-toggle="tooltip" title="Suggestion / Bug Report" href="javascript:suggestionDialog('{{ user.username|escapejs }}')"><i class="fas fa-bug mt-1"></i></a>
 <!--
 <button type="button" style="color:#866" class="btn bg-transparent" data-toggle="modal" data-target="#vgReportModal"><i class="fas fa-bug mt-1"></i></button>
 -->
diff --git a/uicore/templatetags/ui_help.py b/uicore/templatetags/ui_help.py
@@ -1,4 +1,5 @@
 import os
+import re
 from typing import Optional
 
 from django import template
@@ -34,6 +35,9 @@ def page_help(page_id: str = None, title=None, show_title=True, header_tag="h3")
 
     help_url = settings.HELP_URL
     page_help_html = None
+    if page_id and not re.fullmatch(r'[\w\-]+', page_id):
+        report_message(f"page_help: invalid page_id {page_id!r}")
+        page_id = None
     page_help_path = f"page_help/{page_id}.html"
     page_help_filename = finders.find(page_help_path)
     file_exists = False
diff --git a/uicore/templatetags/ui_utils.py b/uicore/templatetags/ui_utils.py
@@ -398,7 +398,7 @@ def severity_icon(severity: str, title: Optional[str] = None) -> str:
     title_html = ""
     if title:
         classes.append('hover-detail')
-        title_html = f' title="{title}"'
+        title_html = f' title="{escape(title)}"'
 
     def severity_for(severity_part: str) -> Optional[list[str]]:
         match severity_part:
