Quotes (#12226)

Author: kiblik

dojo/templates/notifications/webhooks/subtemplates/base.tpl

@@ -1,14 +1,15 @@
 {% load display_tags %}
+{% load as_json %}
 ---
-description: "{{ description | default_if_none:'' }}"
-title: "{{ title | default_if_none:'' }}"
-user: {{ user | default_if_none:'' }}
+description: {{ description | as_json_no_html_esc }}
+title: {{ title | as_json_no_html_esc }}
+user: {{ user | as_json_no_html_esc }}
 {% if url %}
-url_ui:  {{ url|full_url }}
+url_ui:  {{ url | full_url | as_json_no_html_esc }}
 {% endif %}
 {% if url_api %}
-url_api:  {{ url_api|full_url }}
+url_api:  {{ url_api | full_url | as_json_no_html_esc }}
 {% endif %}
 {% if system_settings.disclaimer_notifications and system_settings.disclaimer_notifications.strip %}
-disclaimer:  {{ system_settings.disclaimer_notifications }}
+disclaimer:  {{ system_settings.disclaimer_notifications | as_json_no_html_esc }}
 {% endif %}

dojo/templates/notifications/webhooks/subtemplates/engagement.tpl

@@ -1,4 +1,5 @@
 {% load display_tags %}
+{% load as_json %}
 {% if product %}
 {% include 'notifications/webhooks/subtemplates/product.tpl' with product=product %}
 {% else %}
@@ -7,7 +8,7 @@
 {% url 'view_engagement' engagement.id as engagement_url_ui %}
 {% url 'engagement-detail' engagement.id as engagement_url_api %}
 engagement:
-    name: {{ engagement.name | default_if_none:'' }}
+    name: {{ engagement.name | as_json_no_html_esc }}
     id: {{ engagement.pk }}
-    url_ui: {{ engagement_url_ui|full_url }}
-    url_api: {{ engagement_url_api|full_url }}
+    url_ui: {{ engagement_url_ui | full_url | as_json_no_html_esc }}
+    url_api: {{ engagement_url_api | full_url | as_json_no_html_esc }}

dojo/templates/notifications/webhooks/subtemplates/findings_list.tpl

@@ -1,12 +1,13 @@
 {% load display_tags %}
+{% load as_json %}
 {% for finding in findings %}
 {% url 'view_finding' finding.id as finding_url_ui %}
 {% url 'finding-detail' finding.id as finding_url_api %}
     - id: {{ finding.pk }}
-      title: {{ finding.title | default_if_none:'' }}
-      severity: {{ finding.severity | default_if_none:'' }}
-      url_ui: {{ finding_url_ui|full_url }}
-      url_api: {{ finding_url_api|full_url }}
+      title: {{ finding.title | as_json_no_html_esc }}
+      severity: {{ finding.severity | as_json_no_html_esc }}
+      url_ui: {{ finding_url_ui | full_url | as_json_no_html_esc }}
+      url_api: {{ finding_url_api | full_url | as_json_no_html_esc }}
 {% empty %}
     []
 {% endfor %}

dojo/templates/notifications/webhooks/subtemplates/product.tpl

@@ -1,4 +1,5 @@
 {% load display_tags %}
+{% load as_json %}
 {% if product_type %}
 {% include 'notifications/webhooks/subtemplates/product_type.tpl' with product_type=product_type %}
 {% else %}
@@ -7,7 +8,7 @@
 {% url 'view_product' product.id as product_url_ui %}
 {% url 'product-detail' product.id as product_url_api %}
 product:
-    name: {{ product.name | default_if_none:'' }}
+    name: {{ product.name | as_json_no_html_esc }}
     id: {{ product.pk }}
-    url_ui: {{ product_url_ui|full_url }}
-    url_api: {{ product_url_api|full_url }}
+    url_ui: {{ product_url_ui | full_url | as_json_no_html_esc }}
+    url_api: {{ product_url_api | full_url | as_json_no_html_esc }}

dojo/templates/notifications/webhooks/subtemplates/product_type.tpl

@@ -1,8 +1,9 @@
 {% load display_tags %}
+{% load as_json %}
 {% url 'view_product_type' product_type.id as product_type_url_ui %}
 {% url 'product_type-detail' product_type.id as product_type_url_api %}
 product_type:
-    name: {{ product_type.name | default_if_none:'' }}
+    name: {{ product_type.name | as_json_no_html_esc }}
     id: {{ product_type.pk }}
-    url_ui: {{ product_type_url_ui|full_url }}
-    url_api: {{ product_type_url_api|full_url }}
+    url_ui: {{ product_type_url_ui | full_url | as_json_no_html_esc }}
+    url_api: {{ product_type_url_api | full_url | as_json_no_html_esc }}

dojo/templates/notifications/webhooks/subtemplates/test.tpl

@@ -1,4 +1,5 @@
 {% load display_tags %}
+{% load as_json %}
 {% if engagement %}
 {% include 'notifications/webhooks/subtemplates/engagement.tpl' with engagement=engagement %}
 {% else %}
@@ -7,7 +8,7 @@
 {% url 'view_test' test.id as test_url_ui %}
 {% url 'test-detail' test.id as test_url_api %}
 test:
-    title: {{ test.title | default_if_none:'' }}
+    title: {{ test.title |  as_json_no_html_esc }}
     id: {{ test.pk }}
-    url_ui: {{ test_url_ui|full_url }}
-    url_api: {{ test_url_api|full_url }}
+    url_ui: {{ test_url_ui | full_url | as_json_no_html_esc }}
+    url_api: {{ test_url_api | full_url | as_json_no_html_esc }}

dojo/templatetags/as_json.py

@@ -1,10 +1,16 @@
 import json
 
 from django import template
+from django.utils.safestring import mark_safe
 
 register = template.Library()
 
 
 @register.filter
 def as_json(value):
     return json.dumps(value)
+
+
+@register.filter(is_safe=True)
+def as_json_no_html_esc(value):
+    return mark_safe(json.dumps(value))

unittests/test_notifications.py

@@ -756,7 +756,7 @@ def test_events_messages(self, mock):
             self.maxDiff = None
             self.assertEqual(mock.call_args.kwargs["json"], {
                 "description": "Event engagement_added has occurred.",
-                "title": "Engagement created for "notif prod": notif eng",
+                "title": 'Engagement created for "notif prod": notif eng',
                 "user": None,
                 "url_api": f"http://localhost:8080/api/v2/engagements/{eng.pk}/",
                 "url_ui": f"http://localhost:8080/engagement/{eng.pk}",
@@ -923,3 +923,56 @@ def test_events_messages(self, mock):
                     "url_ui": "http://localhost:8080/finding/235",
                 }],
             })
+
+        with self.subTest("scan_added problematic titles"):
+            BaseImporter(
+                environment=Development_Environment.objects.get_or_create(name="Development")[0],
+                scan_type="ZAP Scan",
+            ).notify_scan_added(
+                test,
+                updated_count=4,
+                new_findings=[
+                    Finding.objects.create(test=test, title="Colon: New Finding", severity="Critical"),
+                ],
+                findings_mitigated=[
+                    Finding.objects.create(test=test, title="[Brackets] Mitigated Finding", severity="Medium"),
+                ],
+                findings_reactivated=[
+                    Finding.objects.create(test=test, title='"Quotation1" Reactivated Finding', severity="Low"),
+                ],
+                findings_untouched=[
+                    Finding.objects.create(test=test, title="'Quotation2' Untouched Finding", severity="Info"),
+                ],
+            )
+            self.assertEqual(mock.call_args.kwargs["headers"]["X-DefectDojo-Event"], "scan_added")
+            self.maxDiff = None
+            self.assertEqual(mock.call_args.kwargs["json"]["findings"], {
+                "new": [{
+                    "id": 236,
+                    "title": "Colon: New Finding",
+                    "severity": "Critical",
+                    "url_api": "http://localhost:8080/api/v2/findings/236/",
+                    "url_ui": "http://localhost:8080/finding/236",
+                }],
+                "mitigated": [{
+                    "id": 237,
+                    "title": "[Brackets] Mitigated Finding",
+                    "severity": "Medium",
+                    "url_api": "http://localhost:8080/api/v2/findings/237/",
+                    "url_ui": "http://localhost:8080/finding/237",
+                }],
+                "reactivated": [{
+                    "id": 238,
+                    "title": '"Quotation1" Reactivated Finding',
+                    "severity": "Low",
+                    "url_api": "http://localhost:8080/api/v2/findings/238/",
+                    "url_ui": "http://localhost:8080/finding/238",
+                }],
+                "untouched": [{
+                    "id": 239,
+                    "title": "'Quotation2' Untouched Finding",
+                    "severity": "Info",
+                    "url_api": "http://localhost:8080/api/v2/findings/239/",
+                    "url_ui": "http://localhost:8080/finding/239",
+                }],
+            })