fix css overflow issue - reports #14666
This pull request modifies many Django PDF/report templates (dojo/templates/..._pdf_report.html and report_base.html), triggering configured-codepaths alerts for sensitive file edits and introducing widespread use of a custom markdown_render filter to render user-controlled finding fields — which the scanner flagged as a likely high/critical XSS risk because the filter implementation was not found and may emit unsanitized HTML. Review/verify the markdown_render implementation (or sanitize/escape output) and confirm allowed authors/paths in .dryrunsecurity.yaml before merging.
🔴 Configured Codepaths Edit in
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/product_endpoint_pdf_report.html (drs_172a3c78)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/test_pdf_report.html (drs_5a291792)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/endpoint_pdf_report.html (drs_abbf4547)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/engagement_pdf_report.html (drs_ed14fee3)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/finding_pdf_report.html (drs_beaa2b97)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/product_pdf_report.html (drs_0d5038e0)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/product_type_pdf_report.html (drs_e46fde54)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Potential Cross-Site Scripting in dojo/templates/dojo/endpoint_pdf_report.html (drs_b416abc0)
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | The templates apply a custom filter markdown_render to multiple user-controlled finding fields, which may output HTML. I attempted to locate the implementation of the markdown_render filter (to verify it performs proper sanitization/escaping) but could not find any templatetag or filter named markdown_render in the repository patch or templatetags modules. Without evidence that markdown_render sanitizes or escapes unsafe HTML, the use of it in templates that render user-controlled fields is a likely XSS risk. |
django-DefectDojo/dojo/templates/dojo/endpoint_pdf_report.html
Lines 185 to 188 in 8675647
🔴 Potential Cross-Site Scripting in dojo/templates/dojo/product_type_pdf_report.html (drs_e2b9f95b)
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | Templates render model fields through a custom filter markdown_render. If that filter emits HTML, user-controlled data may reach the rendered output as raw HTML, enabling XSS unless the filter sanitizes or escapes output. The change wraps multiple finding fields with {{ ...markdown_render }} which is the likely source-to-sink path. |
django-DefectDojo/dojo/templates/dojo/product_type_pdf_report.html
Lines 219 to 222 in 8675647
🟠 Potential Cross-Site Scripting in dojo/templates/dojo/product_type_pdf_report.html (drs_5e506fd9)
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | Templates were changed to render many finding fields using a custom filter markdown_render. If that filter returns raw HTML without proper sanitization or escaping, user-controlled markdown can result in XSS when injected into the report templates. |
django-DefectDojo/dojo/templates/dojo/product_type_pdf_report.html
Lines 238 to 241 in 8675647
🟠 Potential Cross-Site Scripting in dojo/templates/dojo/endpoint_pdf_report.html (drs_799c0391)
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | Templates were changed to render user-controlled finding fields using a custom filter markdown_render. If markdown_render outputs raw HTML (i.e., bypasses Django auto-escaping) and does not sanitize input appropriately, user input could reach the HTML sink unescaped, causing XSS. |
django-DefectDojo/dojo/templates/dojo/endpoint_pdf_report.html
Lines 206 to 209 in 8675647
🟠 Potential Cross-Site Scripting in dojo/templates/dojo/finding_pdf_report.html (drs_77a3a5db)
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | Templates were changed to render several finding fields through a custom filter 'markdown_render'. If that filter returns HTML without proper sanitization or marks content as safe, user-controlled input could reach the HTML sink and produce XSS. |
django-DefectDojo/dojo/templates/dojo/finding_pdf_report.html
Lines 164 to 167 in 8675647
🟠 Potential Cross-Site Scripting in dojo/templates/dojo/finding_pdf_report.html (drs_314018cf)
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | Templates apply a custom template filter 'markdown_render' to multiple user-controllable finding fields. If that filter emits raw HTML without sanitization, user input can reach the rendered output as HTML, resulting in XSS. The patch adds many instances of {{ ... markdown_render }} inside templates. |
django-DefectDojo/dojo/templates/dojo/finding_pdf_report.html
Lines 183 to 201 in 8675647
🟠 Potential Cross-Site Scripting in dojo/templates/dojo/product_endpoint_pdf_report.html (drs_d8dccd15)
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | Templates were changed to render several finding fields using a custom filter markdown_render. If that filter returns raw HTML (or allows unsanitized tags/attributes) user-controlled content could reach the template unescaped, enabling XSS. Verification requires checking the implementation of the markdown_render template filter to confirm proper sanitization/escaping. |
django-DefectDojo/dojo/templates/dojo/product_endpoint_pdf_report.html
Lines 252 to 273 in 8675647
🟠 Potential Cross-Site Scripting in dojo/templates/dojo/product_pdf_report.html (drs_e172863d)
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | The templates render user-controlled finding fields through a custom template filter markdown_render. If that filter converts Markdown to HTML and then marks output safe without proper sanitization, it could allow XSS. We inspected the repository to locate the filter implementation to verify whether it sanitizes output before marking it safe. |
django-DefectDojo/dojo/templates/dojo/product_pdf_report.html
Lines 311 to 314 in 8675647
We've notified @mtesauro.
Comment to provide feedback on these findings.
Report false positive: @dryrunsecurity fp [FINDING ID] [FEEDBACK]
Report low-impact: @dryrunsecurity nit [FINDING ID] [FEEDBACK]
Example: @dryrunsecurity fp drs_90eda195 This code is not user-facing
All finding details can be found in the DryRun Security Dashboard.
re: dryrun. Likely false-positive XSS alerts (8 red/orange): The scanner flagged
This is the same
valentijnscholten left a comment

I wonder if we really need these test cases? If we make tests for everything then soon we will have a very long-running test suite. wdyt?

ever heard of regression testing 😉

But this introduces multiple tests just to see if there is one html pre tag not nested somewhere as it may introduce a small layout rendering thing. I think this is too small a thing to have so many tests.
Summary

PDF reports have a text wrapping bug where multi-line finding fields (description, mitigation, impact, steps to reproduce, etc.) overflow past page margins and get cut off when printed to PDF. This is especially common with findings imported from tools like BugCrowd CSV, which embed `<pre>` tags in the field data.

Root cause (two issues):

1. Missing overflow-wrap: The `pre` CSS in `report_base.html` had `word-break: normal` but no `overflow-wrap: break-word`, so long unbroken strings (URLs, tokens, encoded data) would not wrap at the container boundary.
2. Nested `<pre>` tags: All 7 PDF report templates wrapped `markdown_render` output in `<pre>` tags. When imported finding data already contained `<pre>` tags (e.g. `<pre data-language="plain">`), this produced nested `<pre><pre>...</pre></pre>` elements. The inner `<pre>` could pick up default browser styles (`overflow: auto`, scrollbars) that override the report CSS, causing content to clip or scroll instead of wrapping.

Fix:

- Replaced `<pre>` wrappers around all `markdown_render` calls with `<div class="report-field">` across all 7 PDF report templates — eliminates the nesting problem
- `<pre>` tags
- `<pre class="raw_request">` tags untouched — those correctly wrap raw request/response data that isn't markdown-rendered
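The two questions raised on this page, the nested `<pre>` layout bug described in the Summary and the DryRun findings asking whether `markdown_render` lets raw HTML reach the report, can both be checked against the rendered report HTML with one small walker. The following is an added example written for this page, not code from DefectDojo or from this PR: it uses only the Python standard library, the report fragments it inspects are constructed here rather than captured from the application, and the set of tags and attributes it treats as unsafe is an assumption for illustration, not the project's own allowlist.

```python
from html.parser import HTMLParser

# Tags that a Markdown filter for finding fields should never emit. This set is
# an assumption for this example, not the allowlist used by DefectDojo's own
# markdown_render filter (whose implementation is not shown on this page).
DANGEROUS_TAGS = {"script", "iframe", "object", "embed", "style", "form"}


class ReportHtmlAudit(HTMLParser):
    """Walk rendered report HTML and record two kinds of problems.

    - nested <pre> elements: the layout bug the PR summary describes, where a
      template <pre> wraps a <pre> that arrived inside the finding data
    - unsafe markup: tags in DANGEROUS_TAGS, on* event-handler attributes, or
      javascript: URLs, any of which mean user-controlled text reached the
      HTML sink without being escaped or sanitized
    """

    def __init__(self):
        super().__init__()
        self.pre_depth = 0
        self.nested_pre = 0   # number of <pre> opened while already inside a <pre>
        self.unsafe = []      # list of (tag, attribute-or-None)

    def handle_starttag(self, tag, attrs):
        if tag == "pre":
            if self.pre_depth > 0:
                self.nested_pre += 1
            self.pre_depth += 1
        if tag in DANGEROUS_TAGS:
            self.unsafe.append((tag, None))
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.unsafe.append((tag, name))
            elif lname in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.unsafe.append((tag, name))

    def handle_endtag(self, tag):
        if tag == "pre" and self.pre_depth > 0:
            self.pre_depth -= 1


def audit_report_html(html):
    """Return {'nested_pre': int, 'unsafe': [(tag, attr), ...]} for one rendered report."""
    parser = ReportHtmlAudit()
    parser.feed(html)
    parser.close()
    return {"nested_pre": parser.nested_pre, "unsafe": parser.unsafe}


# Constructed sample fragments standing in for a finding's description as the
# report templates would render it. They are not captured DefectDojo output.
LONG_TOKEN = "https://example.test/api/" + "A" * 80

# Before the fix: the template's own <pre> wraps a <pre> imported with the data.
BEFORE_FIX = f'<pre><pre data-language="plain">{LONG_TOKEN}</pre></pre>'

# After the fix: the template wraps the field in a div, so only the imported
# <pre> remains and the report CSS for pre applies to it.
AFTER_FIX = f'<div class="report-field"><pre data-language="plain">{LONG_TOKEN}</pre></div>'

# A filter that escapes its output turns markup in the data into plain text.
ESCAPED = '<div class="report-field"><p>&lt;script&gt;alert(1)&lt;/script&gt;</p></div>'

# A filter that marks Markdown-to-HTML output safe without sanitizing passes
# attacker-controlled markup through unchanged.
UNSANITIZED = (
    '<div class="report-field"><p>Desc</p>'
    "<script>alert(1)</script>"
    '<a href="javascript:alert(1)">link</a>'
    "<img src=x onerror=alert(1)></div>"
)

if __name__ == "__main__":
    for label, fragment in [("before", BEFORE_FIX), ("after", AFTER_FIX),
                            ("escaped", ESCAPED), ("unsanitized", UNSANITIZED)]:
        print(label, audit_report_html(fragment))
```

In a test you would feed it the response body of a report view for a finding whose description contains an imported `<pre>` block and a `<script>` tag: `nested_pre` should be 0 after this change, and a non-empty `unsafe` list means the filter marked unsanitized HTML as safe. It is a smoke check on the output, not a substitute for reading the filter's source, which is what the scanner asked for.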