[UPDT] HORILLA: Update xss filter for common attempts

2025-08-22 10:41:20 +05:30
parent f25c6893c3
commit d8f6d52602
5 changed files with 14 additions and 8 deletions
--- a/base/models.py
+++ b/base/models.py
@@ -1176,7 +1176,6 @@ class HorillaMailTemplate(HorillaModel):
        verbose_name=_("Company"),
    )
    objects = HorillaCompanyManager(related_company_field="company_id")
-    xss_exempt_fields = ["body"]

    def __str__(self) -> str:
        return f"{self.title}"
--- a/biometric/templates/biometric/biometric_device_form.html
+++ b/biometric/templates/biometric/biometric_device_form.html
@@ -175,4 +175,4 @@
            }
        });
    });
-</script>
+</script>
--- a/helpdesk/models.py
+++ b/helpdesk/models.py
@@ -204,7 +204,6 @@ class Comment(HorillaModel):
        Employee, on_delete=models.DO_NOTHING, related_name="employee_comment"
    )
    date = models.DateTimeField(auto_now_add=True)
-    xss_exempt_fields = ["comment"]  # 850

    def __str__(self):
        return self.comment
--- a/horilla/models.py
+++ b/horilla/models.py
@@ -39,12 +39,21 @@ def url(self: FieldFile):
 setattr(FieldFile, "url", url)


-def has_xss(value):
-    """Basic check for common XSS patterns."""
+def has_xss(value: str) -> bool:
+    """Detect common XSS attempts (script tags, event handlers, js URLs)."""
    if not isinstance(value, str):
        return False
-    xss_pattern = re.compile(r"<.*?script.*?>|javascript:|on\w+=", re.IGNORECASE)
-    return bool(xss_pattern.search(value))
+
+    xss_patterns = [
+        r"<\s*script.*?>.*?<\s*/\s*script\s*>",
+        r"javascript\s*:",
+        r"on\w+\s*=",
+        r"<\s*script.*?>.*?(eval|setTimeout|setInterval|new\s+Function|XMLHttpRequest|fetch|\$\s*\().*?<\s*/\s*script\s*>",
+        r"on\w+\s*=\s*['\"]?\s*(eval|setTimeout|setInterval|new\s+Function|XMLHttpRequest|fetch|\$\s*\()[^>]*",
+    ]
+
+    combined = re.compile("|".join(xss_patterns), re.IGNORECASE | re.DOTALL)
+    return bool(combined.search(value))


 def upload_path(instance, filename):
--- a/recruitment/models.py
+++ b/recruitment/models.py
@@ -200,7 +200,6 @@ class Recruitment(HorillaModel):
        help_text=_("Resume not mandatory for candidate creation"),
        verbose_name=_("Optional Resume"),
    )
-    xss_exempt_fields = ["description"]  # 807

    class Meta:
        """