fix: ticket xss inject

fix: 修复删除数据库由于端口数量限制导致不能删除的问题
fix: 修复测试邮箱服务器字段为null的问题
2025-12-15 16:42:34 +00:00 · 2022-12-12 17:03:56 +08:00 · 2022-11-16 21:04:39 +08:00 · 2022-11-14 16:23:44 +08:00
3 changed files with 23 additions and 12 deletions
--- a/apps/settings/serializers/email.py
+++ b/apps/settings/serializers/email.py
@@ -10,8 +10,8 @@ __all__ = ['MailTestSerializer', 'EmailSettingSerializer', 'EmailContentSettingS


 class MailTestSerializer(serializers.Serializer):
-    EMAIL_FROM = serializers.CharField(required=False, allow_blank=True)
-    EMAIL_RECIPIENT = serializers.CharField(required=False, allow_blank=True)
+    EMAIL_FROM = serializers.CharField(required=False, allow_null=True, allow_blank=True)
+    EMAIL_RECIPIENT = serializers.CharField(required=False, allow_null=True, allow_blank=True)


 class EmailSettingSerializer(serializers.Serializer):
--- a/apps/terminal/utils/db_port_mapper.py
+++ b/apps/terminal/utils/db_port_mapper.py
@@ -51,22 +51,23 @@ class DBPortManager(object):

    def pop(self, db: Application):
        mapper = self.get_mapper()
-        to_delete_port = self.get_port_by_db(db)
+        to_delete_port = self.get_port_by_db(db, raise_exception=False)
        mapper.pop(to_delete_port, None)
        self.set_mapper(mapper)

-    def get_port_by_db(self, db):
+    def get_port_by_db(self, db, raise_exception=True):
        mapper = self.get_mapper()
        for port, db_id in mapper.items():
            if db_id == str(db.id):
                return port
-        error = _(
-            'No available port is matched. '
-            'The number of databases may have exceeded the number of ports '
-            'open to the database agent service, '
-            'Contact the administrator to open more ports.'
-        )
-        raise JMSException(error)
+        if raise_exception:
+            error = _(
+                'No available port is matched. '
+                'The number of databases may have exceeded the number of ports '
+                'open to the database agent service, '
+                'Contact the administrator to open more ports.'
+            )
+            raise JMSException(error)

    def get_db_by_port(self, port):
        try:
--- a/apps/tickets/handlers/base.py
+++ b/apps/tickets/handlers/base.py
@@ -1,3 +1,5 @@
+from html import escape
+
 from django.utils.translation import ugettext as _
 from django.template.loader import render_to_string

@@ -96,11 +98,19 @@ class BaseHandler:
        approve_info = _('{} {} the ticket').format(user_display, state_display)
        context = self._diff_prev_approve_context(state)
        context.update({'approve_info': approve_info})
+        body = self.reject_html_script(
+            render_to_string('tickets/ticket_approve_diff.html', context)
+        )
        data = {
-            'body': render_to_string('tickets/ticket_approve_diff.html', context),
+            'body': body,
            'user': user,
            'user_display': str(user),
            'type': 'state',
            'state': state
        }
        return self.ticket.comments.create(**data)
+
+    @staticmethod
+    def reject_html_script(unsafe_html):
+        safe_html = escape(unsafe_html)
+        return safe_html
Author	SHA1	Message	Date
feng	305935967e	fix: ticket xss inject	2022-12-12 17:03:56 +08:00
Jiangjie.Bai	782efc5f54	fix: 修复删除数据库由于端口数量限制导致不能删除的问题	2022-11-16 21:04:39 +08:00
Jiangjie.Bai	7aec5336d3	fix: 修复测试邮箱服务器字段为null的问题	2022-11-14 16:23:44 +08:00