fix(account/templatetags): user_display did not escape

Author: pennersr

ChangeLog.rst

@@ -1,10 +1,19 @@
-Upcoming
-********
+0.38.0 (2018-10-03)
+*******************
+
+Security notice
+---------------
+
+The ``{% user_display user %}`` tag did not escape properly. Depending on the
+username validation rules, this could lead to XSS issues.
+
 
 Note worthy changes
-------------------------------
+-------------------
+
+- New provider: Vimeo (OAuth2).
 
-- New translation: Basque.
+- New translations: Basque.
 
 
 0.37.1 (2018-08-27)

allauth/account/templatetags/account.py

@@ -6,25 +6,8 @@
 register = template.Library()
 
 
-class UserDisplayNode(template.Node):
-
-    def __init__(self, user, as_var=None):
-        self.user_var = template.Variable(user)
-        self.as_var = as_var
-
-    def render(self, context):
-        user = self.user_var.resolve(context)
-
-        display = user_display(user)
-
-        if self.as_var:
-            context[self.as_var] = display
-            return ""
-        return display
-
-
-@register.tag(name="user_display")
-def do_user_display(parser, token):
+@register.simple_tag(name='user_display')
+def user_display_tag(user):
     """
     Example usage::
 
@@ -38,15 +21,4 @@ def do_user_display(parser, token):
         {% endblocktrans %}
 
     """
-    bits = token.split_contents()
-    if len(bits) == 2:
-        user = bits[1]
-        as_var = None
-    elif len(bits) == 4:
-        user = bits[1]
-        as_var = bits[3]
-    else:
-        raise template.TemplateSyntaxError(
-            "'%s' takes either two or four arguments" % bits[0])
-
-    return UserDisplayNode(user, as_var)
+    return user_display(user)

allauth/account/tests.py

@@ -12,6 +12,7 @@
 from django.core.exceptions import ValidationError
 from django.db import models
 from django.http import HttpResponseRedirect
+from django.template import Context, Template
 from django.test.client import Client, RequestFactory
 from django.test.utils import override_settings
 from django.urls import reverse
@@ -1126,6 +1127,18 @@ def test_username_case_preserved(self):
         # TODO: Actually test something
         filter_users_by_username('camelcase', 'foobar')
 
+    def test_user_display(self):
+        user = get_user_model()(username='john<br/>doe')
+        expected_name = 'john&lt;br/&gt;doe'
+        templates = [
+            '{% load account %}{% user_display user %}',
+            '{% load account %}{% user_display user as x %}{{ x }}'
+        ]
+        for template in templates:
+            t = Template(template)
+            content = t.render(Context({'user': user}))
+            self.assertEqual(content, expected_name)
+
 
 class ConfirmationViewTests(TestCase):
     def _create_user(self, username='john', password='doe'):