Bump WTForms and Flask-WTF to latest versions #4083
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
WTForms versions less than 3.0.0 have a security vulnerability where arbitrary HTML can be inserted into the label of a form, allowing the possibility of a cross-site scripting attack. I don’t know if there’s anywhere we put user-generated content into form labels but it’s possible we are vulnerable somewhere. This require moving some imports because as of https://github.com/wtforms/wtforms/pull/614/files there is no longer a separate module for HTML 5 fields, they are now considered core fields. As of https://github.com/wtforms/wtforms/issues/445/files custom implementations of `pre_validate` or `post_validate` must raise `ValidationError` to trigger a validation message, where we were raising `ValueError` this was no longer being caught. As of https://github.com/wtforms/wtforms/pull/355/files `StringField` returns `None` for empty data, not `''` but our `validate_email_address` function only accepts strings.
CrystalPea
approved these changes
Nov 30, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
WTForms versions less than 3.0.0 have a security vulnerability where arbitrary HTML can be inserted into the label of a form, allowing the possibility of a cross-site scripting attack.
See pallets-eco/wtforms@8529b95 for details.
I don’t know if there’s anywhere we put user-generated content into form labels but it’s possible we are vulnerable somewhere.
This require moving some imports because as of pallets-eco/wtforms#614 there is no longer a separate module for HTML 5 fields, they are now considered core fields.
As of pallets-eco/wtforms#445 custom implementations of
pre_validateorpost_validatemust raiseValidationErrorto trigger a validation message, where we were raisingValueErrorthis was no longer being caught.As of pallets-eco/wtforms#355
StringFieldreturnsNonefor empty data, not''but ourvalidate_email_addressfunction only accepts strings.