Merge pull request from GHSA-3vpf-mcj7-5h38

* feat: give the option to escape HTML in templates * fix: escape HTML in HTML DSR reports * fix: static checks * feat: use Jinja autoescape * docs: update changelog
ethyca · Nov 7, 2023 · 50360a0 · 50360a0
1 parent 5122e33
commit 50360a0
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -53,6 +53,7 @@ The types of changes are:
 ## [2.23.0](https://github.com/ethyca/fides/compare/2.22.1...2.23.0)
 
 ### Added
+
 - Added support for 3 additional config variables in Fides.js: fidesEmbed, fidesDisableSaveApi, and fidesTcString [#4262](https://github.com/ethyca/fides/pull/4262)
 - Added support for fidesEmbed, fidesDisableSaveApi, and fidesTcString to be passed into Fides.js via query param, cookie, or window object [#4297](https://github.com/ethyca/fides/pull/4297)
 - New privacy center environment variables `FIDES_PRIVACY_CENTER__IS_FORCED_TCF` which can make the privacy center always return the TCF bundle (`fides-tcf.js`) [#4312](https://github.com/ethyca/fides/pull/4312)
@@ -69,6 +70,8 @@ The types of changes are:
 - Added served notice history IDs to the TCF privacy preference API calls [#4161](https://github.com/ethyca/fides/pull/4161)
 
 ### Fixed
+
+- Fix an HTML Injection vulnerability in DSR Packages
 - Cleans up CSS for fidesEmbed mode [#4306](https://github.com/ethyca/fides/pull/4306)
 - Stacks that do not have any purposes will no longer render an empty purpose block [#4278](https://github.com/ethyca/fides/pull/4278)
 - Forcing hidden sections to use display none [#4299](https://github.com/ethyca/fides/pull/4299)

diff --git a/src/fides/api/service/privacy_request/dsr_package/dsr_report_builder.py b/src/fides/api/service/privacy_request/dsr_package/dsr_report_builder.py
@@ -45,7 +45,9 @@ def pretty_print(value: str, indent: int = 4) -> str:
             return json.dumps(value, indent=indent, default=storage_json_encoder)
 
         jinja2.filters.FILTERS["pretty_print"] = pretty_print
-        self.template_loader = Environment(loader=FileSystemLoader(DSR_DIRECTORY))
+        self.template_loader = Environment(
+            loader=FileSystemLoader(DSR_DIRECTORY), autoescape=True
+        )
 
         # to pass in custom colors in the future
         self.template_data: Dict[str, Any] = {
@@ -75,7 +77,8 @@ def _populate_template(
         }
         report_data.update(self.template_data)
         template = self.template_loader.get_template(template_path)
-        return template.render(report_data)
+        rendered_template = template.render(report_data)
+        return rendered_template
 
     def _add_file(self, filename: str, contents: str) -> None:
         """Helper to add a file to the zip archive"""