store more parameters in import settings

73e5f83
Merged

store more parameters in import settings #14673

DryRunSecurity / Cross-Site Scripting Analyzer succeeded Apr 9, 2026 in 41s

DryRun Security


Cross-Site Scripting Analyzer Findings: 1 detected

⚠️ Potential Cross-Site Scripting in dojo/templatetags/display_tags.py

Type: Potential Cross-Site Scripting

Description: The code builds an HTML string and returns it wrapped in Django's mark_safe after interpolating multiple values from test_import.import_settings. While each value is passed through esc(...), the final HTML is marked safe, which bypasses Django's auto-escaping; if esc does not reliably produce HTML-escaped (or otherwise context-appropriate escaped) strings for all inputs, user-controlled data could reach the HTML sink unescaped, causing XSS.

Filename: dojo/templatetags/display_tags.py

Code:
    return mark_safe(html % (icon, color, icon, *common_fields, endpoints, *extra_fields))
    return mark_safe(html % (icon, color, icon, *common_fields, esc(s.get("locations", None)), *extra_fields))