From 9a9c99da8139df3074f8a4f1ddc79b18c072de14 Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa
Date: Sat, 29 Feb 2020 22:03:11 -0500
Subject: [PATCH] views: Don't send app to template context

- Improves template security as methods of the app object can't be called from within templates.

Tests performed:
- Visit a few app pages.
- For each of the following template files, ensure that 'app' variable is not used:
- app.html
- All templates that extend app.html
- Templates included from the above templates.

Signed-off-by: Sunil Mohan Adapa
Reviewed-by: Veiko Aasa
---
plinth/views.py | 1 -
1 file changed, 1 deletion(-)

diff --git a/plinth/views.py b/plinth/views.py
index f98144a90..d13b97b70 100644
--- a/plinth/views.py
+++ b/plinth/views.py
@@ -190,7 +190,6 @@ class AppView(FormView):
 """Add service to the context data."""
 context = super().get_context_data(*args, **kwargs)
 context.update(self._get_common_status())
- context['app'] = self.app # XXX: Remove this for template security
 context['app_id'] = self.app.app_id
 context['is_running'] = app_is_running(self.app)
 context['app_info'] = self.app.info