From 4d004ce808f43ba596ad3d756e24f6a72eec056c Mon Sep 17 00:00:00 2001
From: Jonny Scholes
Date: Mon, 4 Feb 2019 17:03:16 +1100
Subject: [PATCH] Add filter string character check to jinja2 image template tag

---
 CHANGELOG.txt | 1 +
 docs/releases/2.5.rst | 1 +
 wagtail/images/jinja2tags.py | 12 ++++++++++++
 wagtail/images/tests/test_jinja2.py | 11 +++++++++++
 4 files changed, 25 insertions(+)

diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 44e06ac394..e8a0b68b5a 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -25,6 +25,7 @@ Changelog
  * Added edit / delete buttons to snippet index and "don't delete" option to confirmation screen, for consistency with pages (Kevin Howbrook)
  * Added support for Markdown shortcuts for inline formatting in rich text editor, e.g. `**` for bold, `_` for italic, etc. (Thibaud Colas)
  * Added name attributes to all built-in page action menu items (LB (Ben Johnston))
+ * Added validation on the filter string to the Jinja2 image template tag (Jonny Scholes)
  * Fix: Set `SERVER_PORT` to 443 in `Page.dummy_request()` for HTTPS sites (Sergey Fedoseev)
  * Fix: Include port number in `Host` header of `Page.dummy_request()` (Sergey Fedoseev)
  * Fix: Validation error messages in `InlinePanel` no longer count towards `max_num` when disabling the 'add' button (Todd Dembrey, Thibaud Colas)
diff --git a/docs/releases/2.5.rst b/docs/releases/2.5.rst
index 2e6987cdb0..674ce76443 100644
--- a/docs/releases/2.5.rst
+++ b/docs/releases/2.5.rst
@@ -46,6 +46,7 @@ Other features
  * ``StreamField`` field blocks now accept a ``validators`` argument (Tom Usher)
  * Added edit / delete buttons to snippet index and "don't delete" option to confirmation screen, for consistency with pages (Kevin Howbrook)
  * Added name attributes to all built-in page action menu items (LB (Ben Johnston))
+ * Added validation on the filter string to the Jinja2 image template tag (Jonny Scholes)
 
 Bug fixes
diff --git a/wagtail/images/jinja2tags.py b/wagtail/images/jinja2tags.py
index a65b474a3a..48bdcee2bf 100644
--- a/wagtail/images/jinja2tags.py
+++ b/wagtail/images/jinja2tags.py
@@ -1,13 +1,25 @@
+import re
+
+from django import template
 from jinja2.ext import Extension
 
 from .shortcuts import get_rendition_or_not_found
 from .templatetags.wagtailimages_tags import image_url
 
+allowed_filter_pattern = re.compile(r"^[A-Za-z0-9_\-\.\|]+$")
+
+
 def image(image, filterspec, **attrs):
     if not image:
         return ''
 
+    if not allowed_filter_pattern.match(filterspec):
+        raise template.TemplateSyntaxError(
+            "filter specs in 'image' tag may only contain A-Z, a-z, 0-9, dots, hyphens, pipes and underscores. "
+            "(given filter: {})".format(filterspec)
+        )
+
     rendition = get_rendition_or_not_found(image, filterspec)
 
     if attrs:
diff --git a/wagtail/images/tests/test_jinja2.py b/wagtail/images/tests/test_jinja2.py
index 1b0559f378..05d1cc1e02 100644
--- a/wagtail/images/tests/test_jinja2.py
+++ b/wagtail/images/tests/test_jinja2.py
@@ -1,5 +1,6 @@
 import os
 
+from django import template
 from django.conf import settings
 from django.core import serializers
 from django.template import engines
@@ -79,6 +80,16 @@ class TestImagesJinja(TestCase):
             'missing image'
         )
 
+    def test_invalid_character(self):
+        with self.assertRaises(template.TemplateSyntaxError):
+            self.render('{{ image(myimage, "fill-200×200") }}', {'myimage': self.image})
+
+    def test_chaining_filterspecs(self):
+        self.assertHTMLEqual(
+            self.render('{{ image(myimage, "width-200|jpegquality-40") }}', {'myimage': self.image}),
+            'Test image'.format(
+                self.get_image_filename(self.image, "width-200.jpegquality-40"))))
+
     def test_image_url(self):
         self.assertRegex(
             self.render('{{ image_url(myimage, "width-200") }}', {'myimage': self.image}),
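Review bot: The new guard in `image()` still accepts a filter spec that ends in a newline, because `$` in `allowed_filter_pattern` also matches just before a final "\n" and `re.match` only anchors the start, so a spec such as "width-200\n" passes the check and reaches `get_rendition_or_not_found` unchanged. Anchoring with `\Z` closes that gap, `allowed_filter_pattern = re.compile(r"^[A-Za-z0-9_\-\.\|]+\Z")`, or equivalently call `.fullmatch` instead of `.match`. The check is also placed after the `if not image: return ''` early return, so a malformed spec is only reported when an image is actually present; moving the validation above that return would make template errors surface consistently regardless of the image value. The test_jinja2.py hunk covers only the "×" case, so a trailing-newline input would be worth a second `assertRaises` there. The body of `image()` continues past the end of the hunk.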