nik/FreedomBox
1
0
Fork 0
mirror of https://github.com/freedombox/FreedomBox.git synced 2026-05-20 10:34:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

views: Don't send app to template context

Browse Source 
- Improves template security as methods of the app object can't be called from
within templates.

Tests performed:

- Visit a few app pages.

- For each of the following template files, ensure that 'app' variable is not
used:

  - app.html

  - All templates that extend app.html

  - Templates included from the above templates.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
This commit is contained in:
Sunil Mohan Adapa 2020-02-29 22:03:11 -05:00 committed by Veiko Aasa
parent 673bd367b0
commit 9a9c99da81
No known key found for this signature in database
GPG Key ID: 478539CAE680674E
1 changed files with 0 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
plinth/views.py
View File

@ -190,7 +190,6 @@ class AppView(FormView):
"""Add service to the context data.""" """Add service to the context data."""
context = super().get_context_data(*args, **kwargs) context = super().get_context_data(*args, **kwargs)
context.update(self._get_common_status()) context.update(self._get_common_status())
context['app'] = self.app # XXX: Remove this for template security
context['app_id'] = self.app.app_id context['app_id'] = self.app.app_id
context['is_running'] = app_is_running(self.app) context['is_running'] = app_is_running(self.app)
context['app_info'] = self.app.info context['app_info'] = self.app.info