diff --git a/src/backend/InvenTree/build/templates/build/build_base.html b/src/backend/InvenTree/build/templates/build/build_base.html
index 3223c7b3d8..37e13bf817 100644
--- a/src/backend/InvenTree/build/templates/build/build_base.html
+++ b/src/backend/InvenTree/build/templates/build/build_base.html
@@ -3,6 +3,7 @@
 {% load static %}
 {% load i18n %}
 {% load generic %}
+{% load barcode %}
 {% load inventree_extras %}
 {% block page_title %}
@@ -277,7 +278,7 @@ src="{% static 'img/blank_image.png' %}"
 $('#show-qr-code').click(function() {
 showQRDialog(
 '{% trans "Build Order QR Code" escape %}',
- '{{ build.barcode }}'
+ `{% clean_barcode build.barcode %}`
 );
 });
diff --git a/src/backend/InvenTree/company/templates/company/supplier_part.html b/src/backend/InvenTree/company/templates/company/supplier_part.html
index b723f1ef8b..daf2ca99d8 100644
--- a/src/backend/InvenTree/company/templates/company/supplier_part.html
+++ b/src/backend/InvenTree/company/templates/company/supplier_part.html
@@ -1,6 +1,7 @@
 {% extends "page_base.html" %}
 {% load static %}
 {% load i18n %}
+{% load barcode %}
 {% load inventree_extras %}
 {% block page_title %}
@@ -303,7 +304,7 @@ onPanelLoad('supplier-part-notes', function() {
 $("#show-qr-code").click(function() {
 showQRDialog(
 '{% trans "Supplier Part QR Code" escape %}',
- '{{ part.barcode }}'
+ `{% clean_barcode part.barcode %}`
 );
 });
diff --git a/src/backend/InvenTree/order/templates/order/order_base.html b/src/backend/InvenTree/order/templates/order/order_base.html
index ce9bc02fad..56b81f5ecd 100644
--- a/src/backend/InvenTree/order/templates/order/order_base.html
+++ b/src/backend/InvenTree/order/templates/order/order_base.html
@@ -2,6 +2,7 @@
 {% load i18n %}
 {% load static %}
+{% load barcode %}
 {% load inventree_extras %}
 {% load generic %}
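Review bot: The second argument to `showQRDialog` is now a JavaScript template literal, so the output of `clean_barcode` lands in a JS context where the backtick is not the only significant sequence: `${` opens an interpolation and a backslash starts an escape, and the tag (per the barcode.py hunk) removes neither. Django's `escapejs` filter encodes quotes, backslashes, angle brackets and control characters as `\uXXXX` sequences that JavaScript decodes back to the original characters, so `'{{ build.barcode|escapejs }}'` inside ordinary single quotes would presumably avoid the HTML-entity problem this change is working around without relying on character stripping. The same pattern is repeated in supplier_part.html, order_base.html, return_order_base.html, sales_order_base.html, part_base.html, item_base.html and location.html and would need the same treatment. The enclosing script block continues outside the hunk.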
@@ -312,7 +313,7 @@ $("#export-order").click(function() {
 $('#show-qr-code').click(function() {
 showQRDialog(
 '{% trans "Purchase Order QR Code" escape %}',
- '{{ order.barcode }}'
+ `{% clean_barcode order.barcode %}`
 );
 });
diff --git a/src/backend/InvenTree/order/templates/order/return_order_base.html b/src/backend/InvenTree/order/templates/order/return_order_base.html
index f4590c71eb..2867093e82 100644
--- a/src/backend/InvenTree/order/templates/order/return_order_base.html
+++ b/src/backend/InvenTree/order/templates/order/return_order_base.html
@@ -2,6 +2,7 @@
 {% load i18n %}
 {% load static %}
+{% load barcode %}
 {% load inventree_extras %}
 {% load generic %}
@@ -257,7 +258,7 @@ $('#print-order-report').click(function() {
 $('#show-qr-code').click(function() {
 showQRDialog(
 '{% trans "Return Order QR Code" escape %}',
- '{{ order.barcode }}'
+ `{% clean_barcode order.barcode %}`
 );
 });
diff --git a/src/backend/InvenTree/order/templates/order/sales_order_base.html b/src/backend/InvenTree/order/templates/order/sales_order_base.html
index 2a3e676e95..4f64decabd 100644
--- a/src/backend/InvenTree/order/templates/order/sales_order_base.html
+++ b/src/backend/InvenTree/order/templates/order/sales_order_base.html
@@ -2,6 +2,7 @@
 {% load i18n %}
 {% load static %}
+{% load barcode %}
 {% load inventree_extras %}
 {% load generic %}
@@ -319,7 +320,7 @@ $('#print-order-report').click(function() {
 $('#show-qr-code').click(function() {
 showQRDialog(
 '{% trans "Sales Order QR Code" escape %}',
- '{{ order.barcode }}'
+ `{% clean_barcode order.barcode %}`
 );
 });
diff --git a/src/backend/InvenTree/part/templates/part/part_base.html b/src/backend/InvenTree/part/templates/part/part_base.html
index b4b90e04c2..fdc3bf36d4 100644
--- a/src/backend/InvenTree/part/templates/part/part_base.html
+++ b/src/backend/InvenTree/part/templates/part/part_base.html
@@ -2,6 +2,7 @@
 {% load static %}
 {% load i18n %}
+{% load barcode %}
 {% load inventree_extras %}
 {% block sidebar %}
@@ -451,7 +452,7 @@ $("#show-qr-code").click(function() {
 showQRDialog(
 '{% trans "Part QR Code" escape %}',
- '{{ part.barcode|safe }}',
+ `{% clean_barcode part.barcode %}`
 );
 });
diff --git a/src/backend/InvenTree/report/templatetags/barcode.py b/src/backend/InvenTree/report/templatetags/barcode.py
index 85aeed953f..8b32576f5e 100644
--- a/src/backend/InvenTree/report/templatetags/barcode.py
+++ b/src/backend/InvenTree/report/templatetags/barcode.py
@@ -1,6 +1,7 @@
 """Template tags for rendering various barcodes."""
 from django import template
+from django.utils.safestring import mark_safe
 import barcode as python_barcode
 import qrcode.constants as ECL
@@ -26,6 +27,23 @@ def image_data(img, fmt='PNG'):
 return report.helpers.encode_image_base64(img, fmt)
+@register.simple_tag()
+def clean_barcode(data):
+ """Return a 'cleaned' string for encoding into a barcode / qrcode.
+
+ - This function runs the data through bleach, and removes any malicious HTML content.
+ - Used to render raw barcode data into the rendered HTML templates
+ """
+ from InvenTree.helpers import strip_html_tags
+
+ cleaned_date = strip_html_tags(data)
+
+ # Remove back-tick character (prevent injection)
+ cleaned_date = cleaned_date.replace('`', '')
+
+ return mark_safe(cleaned_date)
+
+
 @register.simple_tag()
 def qrcode(data, **kwargs):
 """Return a byte-encoded QR code image.
diff --git a/src/backend/InvenTree/stock/templates/stock/item_base.html b/src/backend/InvenTree/stock/templates/stock/item_base.html
index fac0adf14d..772d95063d 100644
--- a/src/backend/InvenTree/stock/templates/stock/item_base.html
+++ b/src/backend/InvenTree/stock/templates/stock/item_base.html
@@ -3,6 +3,7 @@
 {% load plugin_extras %}
 {% load inventree_extras %}
 {% load generic %}
+{% load barcode %}
 {% load i18n %}
 {% load l10n %}
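Review bot: `clean_barcode` calls `mark_safe` on a value that has only had HTML tags and backticks removed, yet the templates in this commit emit it inside a JavaScript template literal, where `${` and `\` are also significant and pass through the tag untouched. Escaping for the JS context is more robust than removing individual characters: `from django.utils.html import escapejs` and `return mark_safe(escapejs(strip_html_tags(data)))`, with the templates then quoting the tag output in a plain `'...'` string rather than backticks. The docstring states the data is "run through bleach", which this hunk does not show and which depends on what `strip_html_tags` does — confirm it or reword to "strips HTML tags". The local `cleaned_date` reads as a typo for `cleaned_data`.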
@@ -534,7 +535,7 @@ $('#stock-edit-status').click(function () {
 $("#show-qr-code").click(function() {
 showQRDialog(
 '{% trans "Stock Item QR Code" escape %}',
- '{{ item.barcode }}',
+ `{% clean_barcode item.barcode %}`
 );
 });
diff --git a/src/backend/InvenTree/stock/templates/stock/location.html b/src/backend/InvenTree/stock/templates/stock/location.html
index a2e34576ee..76b254f4d6 100644
--- a/src/backend/InvenTree/stock/templates/stock/location.html
+++ b/src/backend/InvenTree/stock/templates/stock/location.html
@@ -1,5 +1,6 @@
 {% extends "stock/stock_app_base.html" %}
 {% load static %}
+{% load barcode %}
 {% load inventree_extras %}
 {% load plugin_extras %}
 {% load i18n %}
@@ -391,7 +392,7 @@ $('#show-qr-code').click(function() {
 showQRDialog(
 '{% trans "Stock Location QR Code" escape %}',
- '{{ location.barcode }}'
+ `{% clean_barcode location.barcode %}`
 );
 });