8000 fix(data_import): sanitize preview data and filename by akhilnarang · Pull Request #31483 · frappe/frappe · GitHub

fix(data_import): sanitize preview data and filename #31483


Merged
merged 2 commits into from
Mar 4, 2025

Conversation

akhilnarang (Member) commented Mar 3, 2025

Reference: support ticket 32961
Thanks to Houssam DRISSI <h.drissi@haysec.com> for reporting this.

@akhilnarang akhilnarang added backport version-14-hotfix backport to version 14 backport version-15-hotfix Backport the PR to v15 labels Mar 3, 2025
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
Signed-off-by: Akhil Narang <me@akhilnarang.dev>
@akhilnarang akhilnarang changed the title fix(import_preview): sanitize preview data fix(data_import): sanitize preview data and filename Mar 3, 2025
@akhilnarang akhilnarang merged commit 2cc0ee2 into frappe:develop Mar 4, 2025
24 checks passed
akhilnarang pushed a commit that referenced this pull request Mar 4, 2025
…-31483

fix(data_import): sanitize preview data and filename (backport #31483)
akhilnarang added a commit that referenced this pull request Mar 4, 2025
#31497)

* fix(import_preview): sanitize preview data

Signed-off-by: Akhil Narang <me@akhilnarang.dev>
(cherry picked from commit 2a5b9e4)

* fix(attach): sanitise filename before display

Signed-off-by: Akhil Narang <me@akhilnarang.dev>
(cherry picked from commit 3f48379)

---------

Co-authored-by: Akhil Narang <me@akhilnarang.dev>
frappe-pr-bot pushed a commit that referenced this pull request Mar 4, 2025
# [15.57.0](v15.56.1...v15.57.0) (2025-03-04)

### Bug Fixes

* add `check_doctype_permission` call ([da3bbd2](da3bbd2))
* add check for child doctype if it has a valid parent ([87c0eba](87c0eba))
* add custom column based on link column ([91dd7d9](91dd7d9))
* add duplicate file url if no file url ([7500de4](7500de4))
* allow disabling auto-dormancy, disable on self hosted (backport [#31377](#31377)) ([#31416](#31416)) ([22cb3c0](22cb3c0))
* Avoid setting prepared reports for errors ([#31484](#31484)) ([#31485](#31485)) ([3b44ab1](3b44ab1))
* better way to set value to filter ([b29fad0](b29fad0))
* Cache thrashing in workspace code ([#31446](#31446)) ([20b63f3](20b63f3))
* check `score` in response to set strength indicator ([#31384](#31384)) ([#31393](#31393)) ([5b55c3a](5b55c3a))
* check for running jobs before migrating (backport [#31438](#31438)) ([#31440](#31440)) ([f6158f6](f6158f6))
* check if duplicate_file url matches incoming file url ([4a9398d](4a9398d))
* check if filters are a dict ([55cb93e](55cb93e))
* cleanup copied methods and simpler fix ([af50504](af50504))
* cleanup save_file_on_filesystem method ([ce00b7d](ce00b7d))
* cleanup view file button ([6db061a](6db061a))
* Clearer message for setting default outgoing email account ([ea3669f](ea3669f))
* **data_import:** sanitize preview data and filename (backport [#31483](#31483)) ([#31497](#31497)) ([152fd09](152fd09))
* don't skip if any record is present ([46d4f45](46d4f45))
* duplicate field in filters [#24189](#24189) (Manual Backport) ([#31437](#31437)) ([1062562](1062562))
* **email_account:** select backend_app_flow when retrieving email_account ([8d8960c](8d8960c))
* ensure consistent error in response ([8dda865](8dda865))
* ensure correct context in `sys.exc_info` ([27d9a8c](27d9a8c))
* ensure exception is always returned ([4cefc7c](4cefc7c))
* Ensure that scheduled jobs don't start in maintenance_mode ([#31450](#31450)) ([#31456](#31456)) ([4b20b7b](4b20b7b))
* explicitly check type of form name ([37ced79](37ced79))
* fetch data from submitted child rows for global search indexing ([#31405](#31405)) ([#31407](#31407)) ([a08eb4b](a08eb4b))
* filter doesn't become null ([5245768](5245768))
* handle large URL on webhook logs (backport [#31428](#31428)) ([#31430](#31430)) ([9df7b4c](9df7b4c))
* handle total row properly while translating ([f930b8f](f930b8f))
* ignore `disable_traceback` if `_dev_server` is True ([2762609](2762609))
* merge conflict ([f3f9be0](f3f9be0))
* only translate strings ([53c23c3](53c23c3))
* **print:** handle custom format with custom module ([1347897](1347897))
* proper indentation ([e2ed91e](e2ed91e))
* **quick_entry:** Show submit option only if User can (backport [#31457](#31457)) ([#31478](#31478)) ([28dd455](28dd455))
* redo some fixes to ensure cypress passes ([518b7dd](518b7dd))
* remove conflicts ([74695ac](74695ac))
* remove dev server condition ([90ba415](90ba415))
* remove flag to ensure some checks run ([dabf147](dabf147))
* remove more conflicts ([8a50d9b](8a50d9b))
* remove slashes from the report link in workspace card (backport [#25593](#25593)) ([#31270](#31270)) ([5e3e971](5e3e971))
* resolve conflicts ([5b125ab](5b125ab))
* restore older context ([5635b03](5635b03))
* **send_message:** escape HTML in the text ([80bf094](80bf094))
* simplify function and better naming ([07d8cb7](07d8cb7))
* template error on custom print format ([2bcea02](2bcea02))
* total_row is handled properly ([f328990](f328990))
* Translate Footer Items ([#31434](#31434)) ([b3c7da1](b3c7da1))
* translate total word ([052ddd2](052ddd2))
* typo in method name ([f909556](f909556))
* Unlock old locks automatically ([#31411](#31411)) ([#31412](#31412)) ([25d94ed](25d94ed))
* update doctype value ([2635fe2](2635fe2))
* Update phonenumber library to handle new GY phone number format ([9abb58d](9abb58d))
* update type hints to allow integers ([2514dfb](2514dfb))
* update whitelisted methods ([96ad342](96ad342))
* use the safe_file_name variable ([444e6f5](444e6f5))
* use total_row flag to check ([07efc8f](07efc8f))
* validate before resetting password from website ([0bbe3f6](0bbe3f6))
* **workflow_action:** Pass context as dict to render template ([68fbd90](68fbd90))

### Features

* OAuth 2.0. Allow including client_id in backend app auth request. ([d069329](d069329))
* set report filters from route options ([726ae43](726ae43))
* translate report data ([5829b5d](5829b5d))

### Performance Improvements

* Add prefix index for file_url ([#29185](#29185)) ([#31404](#31404)) ([9be4bbb](9be4bbb))
* cast int-link field filters to string ([#31396](#31396)) ([#31398](#31398)) ([09d5ec9](09d5ec9))
* get reqd fields only ([6cb30e3](6cb30e3))
* improved `DocStatus` API and other minor improvements (backport [#31389](#31389)) ([4f28676](4f28676))
* skip order by for open_count ([#31472](#31472)) ([#31481](#31481)) ([2722048](2722048))
@akhilnarang akhilnarang deleted the data-import-xss branch March 6, 2025 14:11
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 21, 2025