Add filter string character check to jinja2 image template tag

2024-12-01 11:41:20 +01:00 · 2019-02-04 17:03:16 +11:00 · 2019-02-04 17:03:16 +11:00 · 4d004ce808
commit 4d004ce808
parent a98d6567dc
4 changed files with 25 additions and 0 deletions
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@ -25,6 +25,7 @@ Changelog
 * Added edit / delete buttons to snippet index and "don't delete" option to confirmation screen, for consistency with pages (Kevin Howbrook)
 * Added support for Markdown shortcuts for inline formatting in rich text editor, e.g. `**` for bold, `_` for italic, etc. (Thibaud Colas)
 * Added name attributes to all built-in page action menu items (LB (Ben Johnston))
+ * Added validation on the filter string to the Jinja2 image template tag (Jonny Scholes)
 * Fix: Set `SERVER_PORT` to 443 in `Page.dummy_request()` for HTTPS sites (Sergey Fedoseev)
 * Fix: Include port number in `Host` header of `Page.dummy_request()` (Sergey Fedoseev)
 * Fix: Validation error messages in `InlinePanel` no longer count towards `max_num` when disabling the 'add' button (Todd Dembrey, Thibaud Colas)
--- a/docs/releases/2.5.rst
+++ b/docs/releases/2.5.rst
@ -46,6 +46,7 @@ Other features
 * ``StreamField`` field blocks now accept a ``validators`` argument (Tom Usher)
 * Added edit / delete buttons to snippet index and "don't delete" option to confirmation screen, for consistency with pages (Kevin Howbrook)
 * Added name attributes to all built-in page action menu items (LB (Ben Johnston))
+ * Added validation on the filter string to the Jinja2 image template tag (Jonny Scholes)


 Bug fixes
--- a/wagtail/images/jinja2tags.py
+++ b/wagtail/images/jinja2tags.py
@ -1,13 +1,25 @@
+import re
+
+from django import template
 from jinja2.ext import Extension

 from .shortcuts import get_rendition_or_not_found
 from .templatetags.wagtailimages_tags import image_url


+allowed_filter_pattern = re.compile(r"^[A-Za-z0-9_\-\.\|]+$")
+
+
 def image(image, filterspec, **attrs):
    if not image:
        return ''

+    if not allowed_filter_pattern.match(filterspec):
+        raise template.TemplateSyntaxError(
+            "filter specs in 'image' tag may only contain A-Z, a-z, 0-9, dots, hyphens, pipes and underscores. "
+            "(given filter: {})".format(filterspec)
+        )
+
    rendition = get_rendition_or_not_found(image, filterspec)

    if attrs:
--- a/wagtail/images/tests/test_jinja2.py
+++ b/wagtail/images/tests/test_jinja2.py
@ -1,5 +1,6 @@
 import os

+from django import template
 from django.conf import settings
 from django.core import serializers
 from django.template import engines
@ -79,6 +80,16 @@ class TestImagesJinja(TestCase):
            '<img alt="missing image" src="/media/not-found" width="0" height="0">'
        )

+    def test_invalid_character(self):
+        with self.assertRaises(template.TemplateSyntaxError):
+            self.render('{{ image(myimage, "fill-200×200") }}', {'myimage': self.image})
+
+    def test_chaining_filterspecs(self):
+        self.assertHTMLEqual(
+            self.render('{{ image(myimage, "width-200|jpegquality-40") }}', {'myimage': self.image}),
+            '<img alt="Test image" src="{}" width="200" height="150">'.format(
+                self.get_image_filename(self.image, "width-200.jpegquality-40")))
+
    def test_image_url(self):
        self.assertRegex(
            self.render('{{ image_url(myimage, "width-200") }}', {'myimage': self.image}),