src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/markupsafeMarkupXSS.py

Mon, 19 May 2025 14:33:49 +0200

author
Detlev Offenbach <detlev@die-offenbachs.de>
date
Mon, 19 May 2025 14:33:49 +0200
branch
eric7
changeset 11297
2c773823fb7d
child 11300
0119e3818e12
permissions
-rw-r--r--

Code Style Checker
- Updated the security checker to `bandit` v1.8.3.

# -*- coding: utf-8 -*-

# Copyright (c) 2025 Detlev Offenbach <detlev@die-offenbachs.de>
#

"""
Module implementing checks for potential XSS on markupsafe.Markup use.
"""

#
# This is a modified version of the one found in the bandit package.
#
# Copyright (c) 2025 David Salvisberg
#
# SPDX-License-Identifier: Apache-2.0
#

import ast

from Security import SecurityUtils
from Security.SecurityDefaults import SecurityDefaults


def getChecks():
    """
    Public method to get a dictionary with checks handled by this module.

    @return dictionary mapping an AST node type name to a list of tuples, each
        holding a checker function and the tuple of codes it may report
    @rtype dict
    """
    checks = {}
    # one checker for call expressions, reporting the single code S-704
    checks["Call"] = [(markupsafeMarkupXss, ("S-704",))]
    return checks


def markupsafeMarkupXss(reportError, context, config):
    """
    Function to check for potential XSS on markupsafe.Markup use.

    A call to 'markupsafe.Markup', 'flask.Markup' or any qualified name listed
    under 'extend_markup_names' is reported, unless it has no positional
    argument, its first positional argument is a literal constant, or that
    argument is itself a call whose name is listed under 'allowed_calls'.

    @param reportError function to be used to report errors
    @type func
    @param context security context object
    @type SecurityContext
    @param config dictionary with configuration data; the keys
        'extend_markup_names' and 'allowed_calls' are read, falling back to
        SecurityDefaults when absent
    @type dict
    """
    qualname = context.callFunctionNameQual

    isMarkupCall = qualname in ("markupsafe.Markup", "flask.Markup")
    if not isMarkupCall:
        # only consult the (possibly configured) extra names when needed
        extraMarkupNames = config.get(
            "extend_markup_names", SecurityDefaults["extend_markup_names"]
        )
        isMarkupCall = qualname in extraMarkupNames
    if not isMarkupCall:
        # not a Markup call
        return None

    positionalArgs = context.node.args
    if not positionalArgs:
        # nothing is passed in, so nothing can be injected
        return None
    firstArg = positionalArgs[0]
    if isinstance(firstArg, ast.Constant):
        # a literal constant is fine
        return None

    allowedCalls = config.get("allowed_calls", SecurityDefaults["allowed_calls"])
    if allowedCalls and isinstance(firstArg, ast.Call):
        innerCallName = SecurityUtils.getCallName(firstArg, context.importAliases)
        if innerCallName in allowedCalls:
            # the argument is produced by a whitelisted call
            return None

    # anything else reaching Markup is reported (S-704, medium severity,
    # high confidence in the checker's own scale)
    reportError(
        context.node.lineno - 1,
        context.node.col_offset,
        "S-704",
        "M",
        "H",
        qualname,
        context.callFunctionName,
    )
