Merge branch 'bugfix' into report-css-fix

8675647
Merged

fix css overflow issue - reports #14666

DryRunSecurity / Cross-Site Scripting Analyzer succeeded Apr 17, 2026 in 5s

DryRun Security

Cross-Site Scripting Analyzer Findings: 8 detected

⚠️ Potential Cross-Site Scripting dojo/templates/dojo/endpoint_pdf_report.html
Type Potential Cross-Site Scripting
Description The templates apply a custom filter markdown_render to multiple user-controlled finding fields, which may output HTML. I attempted to locate the implementation of the markdown_render filter (to verify it performs proper sanitization/escaping) but could not find any templatetag or filter named markdown_render in the repository patch or templatetags modules. Without evidence that markdown_render sanitizes or escapes unsafe HTML, the use of it in templates that render user-controlled fields is a likely XSS risk.
Filename dojo/templates/dojo/endpoint_pdf_report.html
CodeLink
<div class="report-field">{{ finding.description|markdown_render }}</div>
{% if finding.mitigation %}
<h6>Mitigation</h6>
⚠️ Potential Cross-Site Scripting dojo/templates/dojo/endpoint_pdf_report.html
Type Potential Cross-Site Scripting
Description Templates were changed to render user-controlled finding fields using a custom filter markdown_render. If markdown_render outputs raw HTML (i.e., bypasses Django auto-escaping) and does not sanitize input appropriately, user input could reach the HTML sink unescaped, causing XSS.
Filename dojo/templates/dojo/endpoint_pdf_report.html
CodeLink
<div class="report-field">{{ finding.impact|markdown_render }}</div>
{% endif %}
{% if finding.steps_to_reproduce %}
⚠️ Potential Cross-Site Scripting dojo/templates/dojo/finding_pdf_report.html
Type Potential Cross-Site Scripting
Description Templates were changed to render several finding fields through a custom filter 'markdown_render'. If that filter returns HTML without proper sanitization or marks content as safe, user-controlled input could reach the HTML sink and produce XSS.
Filename dojo/templates/dojo/finding_pdf_report.html
CodeLink
<div class="report-field">{{ finding.description|markdown_render }}</div>
{% if finding.mitigation %}
<h6>Mitigation</h6>
⚠️ Potential Cross-Site Scripting dojo/templates/dojo/finding_pdf_report.html
Type Potential Cross-Site Scripting
Description Templates apply a custom template filter 'markdown_render' to multiple user-controllable finding fields. If that filter emits raw HTML without sanitization, user input can reach the rendered output as HTML, resulting in XSS. The patch adds many instances of {{ ...
Filename dojo/templates/dojo/finding_pdf_report.html
CodeLink
{% if finding.impact %}
<h6>Impact</h6>
<div class="report-field">{{ finding.impact|markdown_render }}</div>
{% endif %}
{% if finding.steps_to_reproduce %}
<h6>Steps to Reproduce</h6>
<div class="report-field">{{ finding.steps_to_reproduce|markdown_render }}</div>
{% endif %}
{% if finding.severity_justification %}
<h6>Severity Justification</h6>
<div class="report-field">{{ finding.severity_justification|markdown_render }}</div>
{% endif %}
{% if finding.references %}
<h6>References</h6>
<div class="report-field">{{ finding.references|markdown_render }}</div>
{% endif %}
⚠️ Potential Cross-Site Scripting dojo/templates/dojo/product_endpoint_pdf_report.html
Type Potential Cross-Site Scripting
Description Templates were changed to render several finding fields using a custom filter markdown_render. If that filter returns raw HTML (or allows unsanitized tags/attributes) user-controlled content could reach the template unescaped, enabling XSS. Verification requires checking the implementation of the markdown_render template filter to confirm proper sanitization/escaping.
Filename dojo/templates/dojo/product_endpoint_pdf_report.html
CodeLink
{% if finding.impact %}
<h6>Impact</h6>
<div class="report-field">{{ finding.impact|markdown_render }}</div>
{% endif %}
{% if finding.steps_to_reproduce %}
<h6>Steps to Reproduce</h6>
<div class="report-field">{{ finding.steps_to_reproduce|markdown_render }}</div>
{% endif %}
{% if finding.severity_justification %}
<h6>Severity Justification</h6>
<div class="report-field">{{ finding.severity_justification|markdown_render }}</div>
{% endif %}
{% if finding.references %}
<h6>References</h6>
<div class="report-field">{{ finding.references|markdown_render }}</div>
{% endif %}
{% if include_finding_images %}
⚠️ Potential Cross-Site Scripting dojo/templates/dojo/product_pdf_report.html
Type Potential Cross-Site Scripting
Description The templates render user-controlled finding fields through a custom template filter markdown_render. If that filter converts Markdown to HTML and then marks output safe without proper sanitization, it could allow XSS. We inspected the repository to locate the filter implementation to verify whether it sanitizes output before marking it safe.
Filename dojo/templates/dojo/product_pdf_report.html
CodeLink
<div class="report-field">{{ finding.impact|markdown_render }}</div>
{% endif %}
{% if finding.steps_to_reproduce %}
⚠️ Potential Cross-Site Scripting dojo/templates/dojo/product_type_pdf_report.html
Type Potential Cross-Site Scripting
Description Templates render model fields through a custom filter markdown_render. If that filter emits HTML, user-controlled data may reach the rendered output as raw HTML, enabling XSS unless the filter sanitizes or escapes output. The change wraps multiple finding fields with `{{ ...
Filename dojo/templates/dojo/product_type_pdf_report.html
CodeLink
<div class="report-field">{{ finding.description|markdown_render }}</div>
{% if finding.mitigation %}
<h6>Mitigation</h6>
⚠️ Potential Cross-Site Scripting dojo/templates/dojo/product_type_pdf_report.html
Type Potential Cross-Site Scripting
Description Templates were changed to render many finding fields using a custom filter markdown_render. If that filter returns raw HTML without proper sanitization or escaping, user-controlled markdown can result in XSS when injected into the report templates.
Filename dojo/templates/dojo/product_type_pdf_report.html
CodeLink
{% if finding.impact %}
<h6>Impact</h6>
<div class="report-field">{{ finding.impact|markdown_render }}</div>
{% endif %}
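All eight findings above reduce to one question the analyzer could not answer from the diff: does `markdown_render` sanitize the HTML it produces before marking it safe, or does it hand a raw Markdown-to-HTML conversion to the template as a safe string? Django's `{{ }}` auto-escaping is no defence once a filter returns a `SafeString`, and Markdown renderers pass inline HTML through by default, so the whole risk sits inside the filter. The Python below is an added example, not code from this PR or from DefectDojo (whose real `markdown_render` implementation is not shown on this page). It does not import Django, the `markdown` package or `bleach`: `to_html` is a deliberately tiny stand-in for a Markdown renderer, `SafeString` and `autoescape` stand in for Django's safestring and template escaping, the allowlist policy is an assumption, and the filter names `markdown_render_unsafe` / `markdown_render_sanitized` are hypothetical. It renders one constructed finding description through both filter shapes into the `<div class="report-field">` sink the templates use.

```python
"""Added example (not DefectDojo's code): why a Markdown template filter has to
sanitize its HTML before marking it safe. Django, the `markdown` package and
`bleach` are NOT imported; `to_html` is a deliberately tiny stand-in for a
Markdown renderer, `SafeString`/`autoescape` stand in for Django's safestring
and `{{ }}` auto-escaping, and the two filter names are hypothetical."""
import html
import re
from html.parser import HTMLParser

# Allowlist policy for the sanitizer (an assumption for this example).
ALLOWED_TAGS = {"p", "em", "strong", "a", "code", "pre", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
DROP_CONTENT_TAGS = {"script", "style"}          # drop the tag AND its text
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


class SafeString(str):
    """Marker type: a template sink emits it verbatim, like Django's SafeString."""


def autoescape(value):
    """What a `{{ value }}` sink does: HTML-escape unless the value is marked safe."""
    return str(value) if isinstance(value, SafeString) else html.escape(str(value))


def to_html(md):
    """Tiny Markdown stand-in. Like real renderers, it passes raw HTML through."""
    md = re.sub(r"\*\*(.+?)\*\*", r"<strong>\1</strong>", md)
    md = re.sub(r"\[(.+?)\]\((.+?)\)", r'<a href="\2">\1</a>', md)
    return "<p>" + md.replace("\n\n", "</p><p>") + "</p>"


class Sanitizer(HTMLParser):
    """Allowlist-based HTML sanitizer built on the stdlib parser."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = False

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.dropping = True
            return
        if tag not in ALLOWED_TAGS:
            return                                 # drop <img>, <svg>, ...; keep their text
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                           # drops onerror=, onclick=, style=, ...
            # Browsers ignore control chars inside a scheme ("java\tscript:"),
            # so normalise a copy before checking the allowlist.
            normalised = re.sub(r"[\x00-\x20]", "", value).lower()
            if name == "href" and not normalised.startswith(SAFE_URL_SCHEMES):
                continue                           # drops javascript:, data:, vbscript:
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):      # <br/> -> <br>, not <br></br>
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.dropping = False
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(html.escape(data))     # text content is always re-escaped


def sanitize(fragment):
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def markdown_render_unsafe(text):
    """The pattern the analyzer warns about: render Markdown, then mark_safe."""
    return SafeString(to_html(text))


def markdown_render_sanitized(text):
    """Render, sanitize against the allowlist, and only then mark_safe."""
    return SafeString(sanitize(to_html(text)))


def render_report_field(text, markdown_filter):
    """Stand-in for `<div class="report-field">{{ finding.description|markdown_render }}</div>`."""
    return '<div class="report-field">' + autoescape(markdown_filter(text)) + "</div>"


# Constructed finding description: whoever creates or imports findings controls it.
DESCRIPTION = (
    "Found **SQLi** in login. PoC: [link](javascript:alert%281%29)\n\n"
    '<img src=x onerror="alert(1)"><script>alert(2)</script>'
)

if __name__ == "__main__":
    print(render_report_field(DESCRIPTION, markdown_render_unsafe))
    print(render_report_field(DESCRIPTION, markdown_render_sanitized))
```

With the unsafe filter the `onerror` handler, the `<script>` element and the `javascript:` link all reach the report unchanged; with the sanitized filter the bold text and the link element survive but every executable part is gone. That is the check a reviewer would make against the real filter: the allowlist must be applied to the rendered HTML after conversion and before `mark_safe`, with `href` values checked by scheme rather than by substring. One further caveat for these particular templates: they feed an HTML-to-PDF step, so whether a surviving script or event handler actually executes depends on the PDF engine, which is worth confirming rather than assuming either way.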