From 9d7b9a4e18709bae4507f6d2fa673c5258fadd66 Mon Sep 17 00:00:00 2001
From: Boris Polonsky
Date: Fri, 5 Sep 2025 18:49:47 +0800
Subject: [PATCH 1/5] Fix XSS in pipeline field in `model_job.py`
---
 myapp/models/model_job.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/myapp/models/model_job.py b/myapp/models/model_job.py
index e8021a86..826adf34 100644
--- a/myapp/models/model_job.py
+++ b/myapp/models/model_job.py
@@ -196,7 +196,10 @@ def __repr__(self):
 @property
 def pipeline_url(self):
 pipeline_url="/pipeline_modelview/api/web/" +str(self.id)
- return Markup(f'{self.describe}')
+ # Escape the describe field to prevent XSS
+ from wtforms.widgets.core import escape_html
+ safe_describe = escape_html(self.describe)
+ return Markup(f'{safe_describe}')
 @property
 def run_pipeline(self):
From 6fa2f49f793e80770a4606aed7598df1a9b427d5 Mon Sep 17 00:00:00 2001
From: Boris Polonsky
Date: Fri, 5 Sep 2025 18:56:24 +0800
Subject: [PATCH 2/5] Fix XSS in etl_pipeline_url field in `model_etl_pipeline.py`
---
 myapp/models/model_etl_pipeline.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/myapp/models/model_etl_pipeline.py b/myapp/models/model_etl_pipeline.py
index c192d4aa..d80c7e87 100644
--- a/myapp/models/model_etl_pipeline.py
+++ b/myapp/models/model_etl_pipeline.py
@@ -38,7 +38,10 @@ def __repr__(self):
 @property
 def etl_pipeline_url(self):
 pipeline_url="/etl_pipeline_modelview/api/web/" +str(self.id)
- return Markup(f'{self.describe}')
+ # Escape the describe field to prevent XSS
+ from wtforms.widgets.core import escape_html
+ safe_describe = escape_html(self.describe)
+ return Markup(f'{safe_describe}')
 def clone(self):
From 31ce6d8f8f4f0e25e55b48fc5829621b9955bc12 Mon Sep 17 00:00:00 2001
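Review bot: The import on the second added line reaches into `wtforms.widgets.core` for `escape_html`, which is not a documented WTForms API and, as far as I can tell, is not present in current 3.x releases (that module only re-exports markupsafe's `escape`/`Markup`), so whether this property renders or raises depends on the pinned version — and because the import is function-scoped, a missing name surfaces as a 500 on the first list render rather than at startup. `Markup` is already in scope in this file and comes from markupsafe, so the version-stable form is `from markupsafe import escape` with `safe_describe = escape(self.describe)`; `escape` returns a `Markup` and does not raise on a `None` description, which an html.escape-style helper would reject with AttributeError where the old f-string printed `None`. The anchor markup around the label is not visible in this rendering of the hunk, so I cannot confirm the href context is covered as well; `Markup('<a href="{}">{}</a>').format(pipeline_url, self.describe)` escapes both interpolations in one step. The `pipeline_url` property is shown in full here.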
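Review bot: The three added lines are a byte-for-byte copy of the snippet added to `model_job.py` in the previous patch, and the series goes on to paste it into two more model files, each with its own function-scope import; four copies of an escaping rule is how the next link property gets written without one. A single helper in the models package, e.g. `def safe_link(url, text): return Markup('<a href="{}">{}</a>').format(url, text)`, called here as `return safe_link(pipeline_url, self.describe)`, escapes both the label and the href the same way everywhere and keeps the escaping library choice in one place. If `describe` is nullable, the helper is also the one place to decide whether `None` renders as empty or as `None`. The `etl_pipeline_url` property is complete in the hunk; `clone` begins past it.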
From: Boris Polonsky
Date: Fri, 5 Sep 2025 19:10:38 +0800
Subject: [PATCH 3/5] Fix XSS in `model_notebook.py` and view_notebook.py`
---
 myapp/models/model_notebook.py | 4 +++-
 myapp/views/view_notebook.py | 5 ++++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/myapp/models/model_notebook.py b/myapp/models/model_notebook.py
index 980c4dc3..306c178e 100644
--- a/myapp/models/model_notebook.py
+++ b/myapp/models/model_notebook.py
@@ -83,7 +83,9 @@ def name_url(self):
 else:
 url = "/notebook/" + self.namespace + "/" + self.name + "/lab?#" + self.mount
 # url = '/notebook/jupyter/%s/lab/tree/mnt/%s'%(self.name,self.created_by.username)
- return Markup(f'{self.name}')
+ from wtforms.widgets.core import escape_html
+ safe_name = escape_html(self.name)
+ return Markup(f'{safe_name}')
 @property
 def ide_type_html(self):
diff --git a/myapp/views/view_notebook.py b/myapp/views/view_notebook.py
index c4cf56a9..5a29026d 100644
--- a/myapp/views/view_notebook.py
+++ b/myapp/views/view_notebook.py
@@ -308,7 +308,10 @@ def template_str(src_str):
 notebook.project = project
 notebook.project_id = project.id
 notebook.name = name
- notebook.describe = label
+ # notebook.describe = label
+ # TODO: 新增字段用于渲染阶段单独转义
+ from wtforms.widgets.core import escape_html
+ notebook.describe = escape_html(label)
 notebook.images = images
 notebook.ide_type = 'jupyter'
 notebook.working_dir = ''
From 7e2ed17ff233856533624ef98e00e1edf712743b Mon Sep 17 00:00:00 2001
From: Boris Polonsky
Date: Fri, 5 Sep 2025 19:48:11 +0800
Subject: [PATCH 4/5] Fix XSS in `model_nni.py`
---
 myapp/models/model_nni.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/myapp/models/model_nni.py b/myapp/models/model_nni.py
index 18d8974b..ccdeadc2 100644
--- a/myapp/models/model_nni.py
+++ b/myapp/models/model_nni.py
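Review bot: Only the link text is escaped here; `url` on the second context line is concatenated from `self.namespace`, `self.name` and `self.mount`, and — assuming the markup stripped from this rendering is `<a href="{url}">` as in the sibling properties — it is still interpolated raw into the attribute, so a name or mount containing `"` breaks out of the href even though the visible label is now safe (the `javascript:` scheme is not a concern on this branch, since the string starts with `/notebook/`). Escape the URL with the same call, `safe_url = escape_html(url)`, or build the whole anchor as `Markup('<a href="{}">{}</a>').format(url, self.name)`, which escapes both pieces. The `if` branch of `name_url` lies above the hunk, so its `url` needs the same check; the commented-out `# url = ...` line is dead code that could go in the same change.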
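Review bot: The escaping on the last added line happens at write time — `notebook.describe` now persists `label` with HTML entities in it — rather than at render time as the model properties elsewhere in this series do, so every other consumer of the column (a Jinja template with autoescape on, a JSON API, any non-HTML display of the description) sees `&lt;`/`&amp;` literally, and the HTML views escape it a second time. The TODO above it (Chinese; roughly "add a separate field so escaping can be done at the render stage") acknowledges the problem; I would keep `notebook.describe = label` and escape where `describe` is rendered, and if the stored form has to stay for now, write the TODO in English and state in it that the column holds HTML-escaped text. Whatever is kept, the commented-out `# notebook.describe = label` should be dropped rather than left beside the live assignment. The enclosing function starts above the hunk (`template_str` in the header is just the nearest preceding def), so where `label` comes from and whether it is validated is not visible here.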
@@ -87,12 +87,14 @@ def run(self):
 @property
 def describe_url(self):
+ from wtforms.widgets.core import escape_html
+ safe_describe = escape_html(self.describe)
 expand = json.loads(self.expand) if self.expand else {}
 status = expand.get('status','')
 if status=='online':
- return Markup(f'{self.describe}')
+ return Markup(f'{safe_describe}')
 else:
- return self.describe
+ return safe_describe
 # @property
From 810af8c7d2ea06b32b5561c109e57d5b0a1c47b0 Mon Sep 17 00:00:00 2001
From: Boris Polonsky
Date: Fri, 5 Sep 2025 19:51:26 +0800
Subject: [PATCH 5/5] Remove trailing whitespaces
---
 myapp/views/view_notebook.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/myapp/views/view_notebook.py b/myapp/views/view_notebook.py
index 5a29026d..585f06ec 100644
--- a/myapp/views/view_notebook.py
+++ b/myapp/views/view_notebook.py
@@ -311,7 +311,7 @@ def template_str(src_str):
 # notebook.describe = label
 # TODO: 新增字段用于渲染阶段单独转义
 from wtforms.widgets.core import escape_html
- notebook.describe = escape_html(label)
+ notebook.describe = escape_html(label)
 notebook.images = images
 notebook.ide_type = 'jupyter'
 notebook.working_dir = ''
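Review bot: The `else` branch on the last changed line now returns an HTML-escaped plain `str` while the online branch returns `Markup`, so the two paths disagree about who owns escaping: under Jinja autoescape the plain string is escaped a second time (`<` reaches the browser as `&amp;lt;` and shows literally), and only if the template marks the value `|safe` was the old `return self.describe` an unescaped sink that this line fixes. `return Markup(safe_describe)` makes both branches escape exactly once; `markupsafe.escape` would do the same with one call since it already returns `Markup` and tolerates a `None` description, which the helper imported on the first added line may not. `describe_url` is shown in full, from `@property` to the second return; the trailing `# @property` context line belongs to whatever follows it.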