[CUI] Fix rendering issues for barcodes (#8286)

- Prevent barcode data from being "escaped" - Run through bleach to brevent malicious data injection
2025-10-27 11:27:39 +00:00 · 2024-10-15 14:50:29 +11:00
parent 14d92b8727
commit b1d9a23928
9 changed files with 34 additions and 8 deletions
--- a/src/backend/InvenTree/build/templates/build/build_base.html
+++ b/src/backend/InvenTree/build/templates/build/build_base.html
@@ -3,6 +3,7 @@
 {% load static %}
 {% load i18n %}
 {% load generic %}
+{% load barcode %}
 {% load inventree_extras %}

 {% block page_title %}
@@ -310,7 +311,7 @@ src="{% static 'img/blank_image.png' %}"
    $('#show-qr-code').click(function() {
        showQRDialog(
            '{% trans "Build Order QR Code" escape %}',
-            '{{ build.barcode }}'
+            `{% clean_barcode build.barcode %}`
        );
    });

--- a/src/backend/InvenTree/company/templates/company/supplier_part.html
+++ b/src/backend/InvenTree/company/templates/company/supplier_part.html
@@ -1,6 +1,7 @@
 {% extends "page_base.html" %}
 {% load static %}
 {% load i18n %}
+{% load barcode %}
 {% load inventree_extras %}

 {% block page_title %}
@@ -303,7 +304,7 @@ onPanelLoad('supplier-part-notes', function() {
 $("#show-qr-code").click(function() {
    showQRDialog(
        '{% trans "Supplier Part QR Code" escape %}',
-        '{{ part.barcode }}'
+        `{% clean_barcode part.barcode %}`
    );
 });

--- a/src/backend/InvenTree/order/templates/order/order_base.html
+++ b/src/backend/InvenTree/order/templates/order/order_base.html
@@ -2,6 +2,7 @@

 {% load i18n %}
 {% load static %}
+{% load barcode %}
 {% load inventree_extras %}
 {% load generic %}

@@ -333,7 +334,7 @@ $("#export-order").click(function() {
 $('#show-qr-code').click(function() {
    showQRDialog(
        '{% trans "Purchase Order QR Code" escape %}',
-        '{{ order.barcode }}'
+        `{% clean_barcode order.barcode %}`
    );
 });

--- a/src/backend/InvenTree/order/templates/order/return_order_base.html
+++ b/src/backend/InvenTree/order/templates/order/return_order_base.html
@@ -2,6 +2,7 @@

 {% load i18n %}
 {% load static %}
+{% load barcode %}
 {% load inventree_extras %}
 {% load generic %}

@@ -271,7 +272,7 @@ $('#print-order-report').click(function() {
 $('#show-qr-code').click(function() {
    showQRDialog(
        '{% trans "Return Order QR Code" escape %}',
-        '{{ order.barcode }}'
+        `{% clean_barcode order.barcode %}`
    );
 });

--- a/src/backend/InvenTree/order/templates/order/sales_order_base.html
+++ b/src/backend/InvenTree/order/templates/order/sales_order_base.html
@@ -2,6 +2,7 @@

 {% load i18n %}
 {% load static %}
+{% load barcode %}
 {% load inventree_extras %}
 {% load generic %}

@@ -337,7 +338,7 @@ $('#print-order-report').click(function() {
 $('#show-qr-code').click(function() {
    showQRDialog(
        '{% trans "Sales Order QR Code" escape %}',
-        '{{ order.barcode }}'
+        `{% clean_barcode order.barcode %}`
    );
 });

--- a/src/backend/InvenTree/part/templates/part/part_base.html
+++ b/src/backend/InvenTree/part/templates/part/part_base.html
@@ -2,6 +2,7 @@

 {% load static %}
 {% load i18n %}
+{% load barcode %}
 {% load inventree_extras %}

 {% block sidebar %}
@@ -458,7 +459,7 @@
    $("#show-qr-code").click(function() {
        showQRDialog(
            '{% trans "Part QR Code" escape %}',
-            '{{ part.barcode|safe }}',
+            `{% clean_barcode part.barcode %}`
        );
    });

--- a/src/backend/InvenTree/report/templatetags/barcode.py
+++ b/src/backend/InvenTree/report/templatetags/barcode.py
@@ -1,6 +1,7 @@
 """Template tags for rendering various barcodes."""

 from django import template
+from django.utils.safestring import mark_safe

 import barcode as python_barcode
 import qrcode.constants as ECL
@@ -26,6 +27,23 @@ def image_data(img, fmt='PNG'):
    return report.helpers.encode_image_base64(img, fmt)


+@register.simple_tag()
+def clean_barcode(data):
+    """Return a 'cleaned' string for encoding into a barcode / qrcode.
+
+    - This function runs the data through bleach, and removes any malicious HTML content.
+    - Used to render raw barcode data into the rendered HTML templates
+    """
+    from InvenTree.helpers import strip_html_tags
+
+    cleaned_date = strip_html_tags(data)
+
+    # Remove back-tick character (prevent injection)
+    cleaned_date = cleaned_date.replace('`', '')
+
+    return mark_safe(cleaned_date)
+
+
@register.simple_tag()
 def qrcode(data, **kwargs):
    """Return a byte-encoded QR code image.
--- a/src/backend/InvenTree/stock/templates/stock/item_base.html
+++ b/src/backend/InvenTree/stock/templates/stock/item_base.html
@@ -3,6 +3,7 @@
 {% load plugin_extras %}
 {% load inventree_extras %}
 {% load generic %}
+{% load barcode %}
 {% load i18n %}
 {% load l10n %}

@@ -530,7 +531,7 @@ $('#stock-edit-status').click(function () {
 $("#show-qr-code").click(function() {
    showQRDialog(
        '{% trans "Stock Item QR Code" escape %}',
-        '{{ item.barcode }}',
+        `{% clean_barcode item.barcode %}`
    );
 });

--- a/src/backend/InvenTree/stock/templates/stock/location.html
+++ b/src/backend/InvenTree/stock/templates/stock/location.html
@@ -1,5 +1,6 @@
 {% extends "stock/stock_app_base.html" %}
 {% load static %}
+{% load barcode %}
 {% load inventree_extras %}
 {% load plugin_extras %}
 {% load i18n %}
@@ -391,7 +392,7 @@
    $('#show-qr-code').click(function() {
        showQRDialog(
            '{% trans "Stock Location QR Code" escape %}',
-            '{{ location.barcode }}'
+            `{% clean_barcode location.barcode %}`
        );
    });