From 60b90603420f950f88d1f491d04ff4f6307abca4 Mon Sep 17 00:00:00 2001
From: Ethan Soergel
Date: Thu, 5 Dec 2024 16:33:33 -0500
Subject: [PATCH] Check whether vals need to be escaped

This also circumvents the issue described here: https://github.com/dimagi/commcare-hq/security/code-scanning/393
---
 corehq/apps/app_manager/views/forms.py | 20 ++++++++------------
 1 file changed, 8 insertions(+), 12 deletions(-)

diff --git a/corehq/apps/app_manager/views/forms.py b/corehq/apps/app_manager/views/forms.py
index ffea9f35e409..b94c4ff6b3b6 100644
--- a/corehq/apps/app_manager/views/forms.py
+++ b/corehq/apps/app_manager/views/forms.py
@@ -1,6 +1,7 @@
 import hashlib
 import json
 import logging
+from xml.sax.saxutils import escape
 
 from django.conf import settings
 from django.contrib import messages
@@ -109,8 +110,8 @@
 )
 from corehq.apps.data_dictionary.util import (
 add_properties_to_data_dictionary,
-get_case_property_description_dict,
 get_case_property_deprecated_dict,
+get_case_property_description_dict,
 )
 from corehq.apps.domain.decorators import (
 LoginAndDomainMixin,
@@ -406,18 +407,13 @@ def should_edit(attribute):
 if should_edit('custom_instances'):
 instances = json.loads(request.POST.get('custom_instances'))
-try: # validate that custom instances can be added into the XML
-for instance in instances:
-etree.fromstring(
-"".format(
-instance.get('instanceId'),
-instance.get('instancePath')
+for instance in instances:
+for key in ['instanceId', 'instancePath']:
+val = instance.get(key)
+if val != escape(val):
+raise AppMisconfigurationError(
+_("'{val}' is an invalid custom instance {key}").format(val=val, key=key)
 )
-)
-except etree.XMLSyntaxError as error:
-raise AppMisconfigurationError(
-_("There was an issue with your custom instances: {}").format(error)
-)
 form.custom_instances = [
 CustomInstance(
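Review bot: The new `if val != escape(val)` guard in the third hunk rejects only `&`, `<` and `>`, because `xml.sax.saxutils.escape` leaves `'` and `"` untouched, so an `instanceId` or `instancePath` containing a quote passes validation; the removed `etree.fromstring` parse appears to have built an attribute string from these values (its template is not legible in this rendering) and would presumably have choked on a stray quote, so if they are still interpolated into XML attributes when the `CustomInstance(` objects are rendered, a quote can break out of the attribute. Separately, `instance.get(key)` yields `None` for a missing key and any non-string JSON value, and `escape(None)` raises `AttributeError` from inside the view instead of the intended `AppMisconfigurationError`. I would tighten the check to `if not isinstance(val, str) or val != escape(val, {'"': '&quot;', "'": '&apos;'}):` so quotes are rejected as well and malformed payloads surface as the user-facing error. The enclosing view function starts and ends outside the hunk, so whether the downstream serializer quotes attributes itself could not be confirmed here.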