Hotfix/sanitize toasts

backend/core/serializers.py

@@ -1,6 +1,7 @@
 from typing import Any
 from ciso_assistant.settings import EMAIL_HOST, EMAIL_HOST_RESCUE
 
+
 from core.models import *
 from iam.models import *
 
@@ -10,7 +11,7 @@
 from django.db import models
 from core.serializer_fields import FieldsRelatedField
 
-import structlog
+import structlog, bleach
 
 logger = structlog.get_logger(__name__)
 
@@ -52,6 +53,14 @@ def create(self, validated_data: Any):
             logger.error(e)
             raise serializers.ValidationError(e.args[0])
 
+    def validate_name(self, value):
+        clean_value = bleach.clean(value, tags=[], attributes={})
+        if clean_value != value:
+            raise serializers.ValidationError(
+                "The name must not contain characters from HTML tags or attributes."
+            )
+        return value
+
     class Meta:
         model: models.Model
 

backend/requirements.txt

@@ -19,3 +19,4 @@ python-dotenv==1.0.1
 drf-spectacular==0.27.2
 django-rest-knox==4.2.0
 pre-commit==3.7.0
+bleach==6.1.0

frontend/messages/de.json

@@ -480,7 +480,7 @@
 	"passwordSuccessfullySetWelcome": "Ihr Passwort wurde erfolgreich festgelegt. Willkommen bei CISO Assistant!",
 	"waitBeforeRequestingResetLink": "Warten Sie {timing} Sekunden, bevor Sie einen neuen Zurücksetzungslink anfordern",
 	"resetLinkSent": "Die Anfrage wurde erhalten, Sie sollten einen Zurücksetzungslink an die folgende Adresse erhalten: {email}",
-	"riskAcceptanceStateDoesntAllowEdit": "Der Status der Risikoakzeptanz: {riskAcceptance} erlaubt keine Bearbeitung",
+	"riskAcceptanceStateDoesntAllowEdit": "Der Status der Risikoakzeptanz erlaubt keine Bearbeitung",
 	"associatedRequirements": "Zugehörige Anforderungen",
 	"isPublished": "Ist veröffentlicht",
 	"suggestedReferenceControls": "Vorgeschlagene Referenzkontrollen",

frontend/messages/en.json

@@ -487,7 +487,7 @@
 	"passwordSuccessfullySetWelcome": "Your password has been successfully set. Welcome to CISO Assistant!",
 	"waitBeforeRequestingResetLink": "Please wait {timing}sec before requesting a new reset link",
 	"resetLinkSent": "The request has been received, you should receive a reset link at the following address: {email}",
-	"riskAcceptanceStateDoesntAllowEdit": "The state of risk acceptance: {riskAcceptance} doesn't allow it to be edited",
+	"riskAcceptanceStateDoesntAllowEdit": "The state of risk acceptance doesn't allow it to be edited",
 	"associatedRequirements": "Associated requirements",
 	"isPublished": "Is published",
 	"suggestedReferenceControls": "Suggested reference controls",

frontend/messages/es.json

@@ -480,7 +480,7 @@
 	"passwordSuccessfullySetWelcome": "Su contraseña se ha establecido con éxito. ¡Bienvenido a CISO Assistant!",
 	"waitBeforeRequestingResetLink": "Espere {timing} segundos antes de solicitar un nuevo enlace de restablecimiento",
 	"resetLinkSent": "Se ha recibido la solicitud, debe recibir un enlace de restablecimiento en la siguiente dirección: {email}",
-	"riskAcceptanceStateDoesntAllowEdit": "El estado de aceptación de riesgos: {riskAcceptance} no permite editarlo",
+	"riskAcceptanceStateDoesntAllowEdit": "El estado de aceptación de riesgos no permite editarlo",
 	"associatedRequirements": "Requisitos asociados",
 	"isPublished": "Está publicado",
 	"suggestedReferenceControls": "Controles de referencia sugeridos",

frontend/messages/fr.json

@@ -487,7 +487,7 @@
 	"passwordSuccessfullySetWelcome": "Votre mot de passe a été défini avec succès. Bienvenue sur CISO Assistant !",
 	"waitBeforeRequestingResetLink": "Veuillez patienter {timing}sec avant de demander un nouveau lien de réinitialisation.",
 	"resetLinkSent": "La demande a été reçue, vous devriez recevoir un lien de réinitialisation à l'adresse suivante : {email}",
-	"riskAcceptanceStateDoesntAllowEdit": "L'état d'acceptation du risque : {riskAcceptance} ne permet pas de le modifier",
+	"riskAcceptanceStateDoesntAllowEdit": "L'état d'acceptation du risque ne permet pas de le modifier",
 	"associatedRequirements": "Exigences associées",
 	"isPublished": "Publié",
 	"suggestedReferenceControls": "Mesures de référence suggérées",

frontend/messages/it.json

@@ -480,7 +480,7 @@
 	"passwordSuccessfullySetWelcome": "La tua password è stata impostata con successo. Benvenuto in CISO Assistant!",
 	"waitBeforeRequestingResetLink": "Attendi {timing} secondi prima di richiedere un nuovo link di reimpostazione",
 	"resetLinkSent": "La richiesta è stata ricevuta, dovresti ricevere un link di reimpostazione al seguente indirizzo: {email}",
-	"riskAcceptanceStateDoesntAllowEdit": "Lo stato di accettazione del rischio: {riskAcceptance} non consente la modifica",
+	"riskAcceptanceStateDoesntAllowEdit": "Lo stato di accettazione del rischio non consente la modifica",
 	"associatedRequirements": "Requisiti associati",
 	"isPublished": "È pubblicato",
 	"suggestedReferenceControls": "Controlli di riferimento suggeriti",

frontend/messages/nl.json

@@ -480,7 +480,7 @@
 	"passwordSuccessfullySetWelcome": "Je wachtwoord is succesvol ingesteld. Welkom bij CISO Assistant!",
 	"waitBeforeRequestingResetLink": "Wacht {timing}sec voordat je een nieuwe resetlink aanvraagt",
 	"resetLinkSent": "Het verzoek is ontvangen, je zou een resetlink moeten ontvangen op het volgende adres: {email}",
-	"riskAcceptanceStateDoesntAllowEdit": "De staat van risicoacceptatie: {riskAcceptance} staat het niet toe om bewerkt te worden",
+	"riskAcceptanceStateDoesntAllowEdit": "De staat van risicoacceptatie staat het niet toe om bewerkt te worden",
 	"associatedRequirements": "Geassocieerde eisen",
 	"isPublished": "Is gepubliceerd",
 	"suggestedReferenceControls": "Voorgestelde referentiecontroles",

frontend/messages/pt.json

@@ -487,7 +487,7 @@
 	"passwordSuccessfullySetWelcome": "Sua senha foi definida com sucesso. Bem-vindo ao CISO Assistant!",
 	"waitBeforeRequestingResetLink": "Aguarde {timing} segundos antes de solicitar um novo link de redefinição",
 	"resetLinkSent": "A solicitação foi recebida, você deve receber um link de redefinição no seguinte endereço: {email}",
-	"riskAcceptanceStateDoesntAllowEdit": "O estado da aceitação de risco: {riskAcceptance} não permite que ele seja editado",
+	"riskAcceptanceStateDoesntAllowEdit": "O estado da aceitação de risco não permite que ele seja editado",
 	"associatedRequirements": "Requisitos associados",
 	"isPublished": "Está publicado",
 	"suggestedReferenceControls": "Controles de referência sugeridos",

frontend/src/lib/utils/helpers.ts

@@ -7,6 +7,19 @@ export function formatStringToDate(inputString: string, locale: string = 'en') {
 	});
 }
 
+export const escapeHTML = (str: string) =>
+	str.replace(
+		/[&<>'"]/g,
+		(tag) =>
+			({
+				'&': '&amp;',
+				'<': '&lt;',
+				'>': '&gt;',
+				"'": '&#39;',
+				'"': '&quot;'
+			}[tag] || tag)
+	);
+
 export const isURL = (url: string) => {
 	try {
 		new URL(url);

frontend/src/routes/(app)/[model=urlmodel]/[id=uuid]/edit/+layout.server.ts

@@ -29,7 +29,7 @@ export const load: LayoutServerLoad = async (event) => {
 			setFlash(
 				{
 					type: 'error',
-					message: m.riskAcceptanceStateDoesntAllowEdit({ riskAcceptance: riskAcceptance.name })
+					message: m.riskAcceptanceStateDoesntAllowEdit()
 				},
 				event
 			);

frontend/src/routes/(app)/[model=urlmodel]/[id=uuid]/edit/+page.server.ts

@@ -93,8 +93,7 @@ export const actions: Actions = {
 			{
 				type: 'success',
 				message: m.successfullyUpdatedObject({
-					object: localItems()[toCamelCase(modelVerboseName.toLowerCase())].toLowerCase(),
-					name: form.data.name
+					object: localItems()[toCamelCase(modelVerboseName.toLowerCase())].toLowerCase()
 				})
 			},
 			event

frontend/src/routes/(app)/libraries/[id=urn]/+page.server.ts

@@ -32,7 +32,7 @@ export const actions: Actions = {
 			setFlash(
 				{
 					type: 'error',
-					message: localItems(languageTag())[resText]
+					message: localItems()[resText]
 				},
 				event
 			);

frontend/src/routes/(app)/requirement-assessments/[id=uuid]/+page.server.ts

@@ -318,7 +318,7 @@ export const actions: Actions = {
 		setFlash(
 			{
 				type: 'success',
-				message: m.successfullyUpdatedObject({ object: model, name: form.data.name })
+				message: m.successfullyUpdatedObject({ object: model })
 			},
 			event
 		);

frontend/src/routes/(app)/risk-scenarios/[id=uuid]/edit/+page.server.ts

@@ -223,7 +223,7 @@ export const actions: Actions = {
 		setFlash(
 			{
 				type: 'success',
-				message: m.successfullyUpdatedObject({ object: modelVerboseName, name: form.data.name })
+				message: m.successfullyUpdatedObject({ object: modelVerboseName })
 			},
 			event
 		);
@@ -284,7 +284,7 @@ export const actions: Actions = {
 		setFlash(
 			{
 				type: 'success',
-				message: m.successfullyUpdatedObject({ object: model, name: form.data.name })
+				message: m.successfullyUpdatedObject({ object: model })
 			},
 			event
 		);

frontend/tests/utils/page-detail.ts

@@ -32,9 +32,8 @@ export class PageDetail extends BasePage {
 		await this.form.saveButton.click();
 
 		await this.isToastVisible(
-			'The .+: ' +
-				({ ...buildParams, ...editedValues }.name || { ...buildParams, ...editedValues }.email) +
-				' has been successfully updated'
+			'The .+' + { ...buildParams, ...editedValues }.email ??
+				'' + 'object has been successfully updated'
 		);
 		return editedValues;
 	}