fix css overflow issue - reports #14666
paulOsinski wants to merge 2 commits into DefectDojo:bugfix from
Conversation
This pull request modifies multiple PDF/report templates (several dojo/templates/dojo/*.html files), triggering configured-codepaths alerts for sensitive edits and introducing numerous uses of a custom markdown_render filter to render user-controllable fields directly into HTML; if markdown_render emits unsanitized or marked-safe HTML this change can enable cross-site scripting (XSS) in generated HTML/PDF outputs. Review the markdown_render implementation or add proper sanitization/escaping and ensure allowed authors are configured for sensitive paths.
🔴 Configured Codepaths Edit in
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/product_endpoint_pdf_report.html (drs_c2492f16)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/product_pdf_report.html (drs_b28c6b92)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/report_base.html (drs_552c2afa)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/product_type_pdf_report.html (drs_3e6a03bc)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/test_pdf_report.html (drs_ef1f66b1)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/endpoint_pdf_report.html (drs_1dd5ffcb)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/engagement_pdf_report.html (drs_c034bf91)
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Potential Cross-Site Scripting in dojo/templates/dojo/finding_pdf_report.html (drs_0cbf1c3a)
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | Templates call a custom filter 'markdown_render' to render fields (e.g., finding.description). If that filter returns raw HTML without proper sanitization or escaping, user-controlled content can reach the HTML sink unescaped and lead to XSS. |
django-DefectDojo/dojo/templates/dojo/finding_pdf_report.html
Lines 185 to 188 in 21aab02
🔴 Potential Cross-Site Scripting in dojo/templates/dojo/test_pdf_report.html (drs_7cfe8c47)
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | Custom template filter markdown_render is applied to several finding fields before inserting into the HTML template. If that filter emits raw HTML without sanitization (common for markdown renderers), user-controlled data can reach the rendering sink unsanitized, causing XSS in the generated HTML/PDF output. |
django-DefectDojo/dojo/templates/dojo/test_pdf_report.html
Lines 332 to 335 in 21aab02
🔴 Potential Cross-Site Scripting in dojo/templates/dojo/finding_pdf_report.html (drs_dd34b381)
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | Templates render several finding fields using a custom template filter 'markdown_render'. If that filter converts markdown to HTML and marks the result safe without proper sanitization, user-controlled content can reach the HTML sink as raw HTML, leading to XSS. The patch adds many instances of "{{ ... markdown_render }}" inside divs which are HTML rendering sinks. |
django-DefectDojo/dojo/templates/dojo/finding_pdf_report.html
Lines 164 to 167 in 21aab02
🔴 Potential Cross-Site Scripting in dojo/templates/dojo/product_endpoint_pdf_report.html (drs_cb182a2f)
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | Templates were changed to render several finding fields using a custom filter markdown_render, which likely returns HTML. If that filter emits raw HTML without proper sanitization it bypasses Django's auto-escaping and can lead to XSS when rendering user-controllable finding fields. |
django-DefectDojo/dojo/templates/dojo/product_endpoint_pdf_report.html
Lines 227 to 241 in 21aab02
🔴 Potential Cross-Site Scripting in dojo/templates/dojo/engagement_pdf_report.html (drs_01a24121)
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | Templates were modified to render several finding fields using a custom filter markdown_render (e.g. `{{ finding.description\|markdown_render }}`). If markdown_render returns raw HTML without proper sanitization and marks it safe, user-controlled content could reach the rendered output as HTML, enabling XSS. Markdown-to-HTML renderers are a common XSS source unless they sanitize output (e.g., via Bleach/DOMPurify) or rely on a safe renderer. |
django-DefectDojo/dojo/templates/dojo/engagement_pdf_report.html
Lines 320 to 323 in 21aab02
🔴 Potential Cross-Site Scripting in dojo/templates/dojo/engagement_pdf_report.html (drs_07e095d3)
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | Templates apply a custom filter 'markdown_render' to several user-supplied finding fields. If that filter outputs raw HTML or marks strings safe without sanitization it could bypass Django auto-escaping and introduce XSS. Verification requires inspecting the markdown_render implementation to confirm proper sanitization; the patch itself only shows template usage and CSS additions. |
django-DefectDojo/dojo/templates/dojo/engagement_pdf_report.html
Lines 339 to 342 in 21aab02
🔴 Potential Cross-Site Scripting in dojo/templates/dojo/product_pdf_report.html (drs_e08a3ae1)
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | Templates call a custom filter 'markdown_render' and render its output directly into HTML (e.g., `{{ finding.description\|markdown_render }}`). If that filter emits raw HTML or bypasses Django auto-escaping, user-controlled content can reach the rendering sink unsanitized, enabling XSS. |
django-DefectDojo/dojo/templates/dojo/product_pdf_report.html
Lines 308 to 329 in 21aab02
🔴 Potential Cross-Site Scripting in dojo/templates/dojo/test_pdf_report.html (drs_fed525fe)
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | The templates were changed to render several finding fields using a custom filter markdown_render, which may produce HTML. If that filter returns raw HTML without sanitization, user-controlled finding fields could lead to XSS when inserted into the template. The patch shows multiple occurrences where fields are passed through markdown_render and placed directly into the DOM. |
django-DefectDojo/dojo/templates/dojo/test_pdf_report.html
Lines 351 to 354 in 21aab02
🟠 Potential Cross-Site Scripting in dojo/templates/dojo/endpoint_pdf_report.html (drs_ee4b7708)
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | Templates pass finding fields through a custom template filter 'markdown_render' which could render HTML. If that filter returns unsanitized HTML, user-controlled content can reach the rendered output and cause XSS. |
django-DefectDojo/dojo/templates/dojo/endpoint_pdf_report.html
Lines 206 to 209 in 21aab02
🟠 Potential Cross-Site Scripting in dojo/templates/dojo/product_type_pdf_report.html (drs_d09a6783)
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | Templates were changed to render multiple finding fields through a custom filter 'markdown_render' inside without evidence in this patch that the filter escapes or sanitizes HTML. If markdown_render returns raw HTML, user-controlled text could reach the HTML rendering sink unsafely, causing XSS. |
django-DefectDojo/dojo/templates/dojo/product_type_pdf_report.html
Lines 240 to 243 in 21aab02
🟠 Potential Cross-Site Scripting in dojo/templates/dojo/product_type_pdf_report.html (drs_d7cface4)
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | The templates apply a custom filter markdown_render to multiple user-visible fields. If markdown_render returns HTML marked safe without sanitization, user input could reach the rendered HTML unescaped and cause XSS. I inspected the patch and searched the repository for templatetag implementations to find markdown_render but couldn't locate its definition in the checked files, so I cannot confirm a safe implementation is present. |
django-DefectDojo/dojo/templates/dojo/product_type_pdf_report.html
Lines 219 to 222 in 21aab02
We've notified @mtesauro.
Comment to provide feedback on these findings.
Report false positive: @dryrunsecurity fp [FINDING ID] [FEEDBACK]
Report low-impact: @dryrunsecurity nit [FINDING ID] [FEEDBACK]
Example: @dryrunsecurity fp drs_90eda195 This code is not user-facing
All finding details can be found in the DryRun Security Dashboard.
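The findings above all hinge on one question: does markdown_render sanitize the renderer's HTML before marking it safe? As an added example (not DefectDojo's code; the real markdown_render implementation is not shown on this page), here is a stdlib-only allowlist sanitizer of the kind that belongs between a markdown renderer's output and mark_safe. The tag and attribute allowlists, the function names and the sample "rendered finding description" are all assumptions constructed for the demo; the `data-language` attribute on `<pre>` is allowed because the PR description mentions BugCrowd imports carrying `<pre data-language="plain">`.

```python
"""Allowlist HTML sanitizer for markdown-rendered finding fields.

Added example, not DefectDojo's markdown_render. Markdown renderers
normally pass raw HTML through untouched, so the renderer's output must
be sanitized before a Django filter returns it via mark_safe().
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlists: what a markdown renderer legitimately emits.
ALLOWED_TAGS = {"p", "br", "pre", "code", "em", "strong", "ul", "ol", "li",
                "a", "h1", "h2", "h3", "blockquote", "table", "thead",
                "tbody", "tr", "th", "td"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "pre": {"data-language"}}
SAFE_URL_SCHEMES = {"http", "https", "mailto", ""}   # "" = relative URL
DROP_WITH_CONTENT = {"script", "style"}              # tag AND body removed
VOID_TAGS = {"br"}


class _Sanitizer(HTMLParser):
    """Rebuilds the document keeping only allowlisted tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []        # stack of emitted tags, to keep output well-formed
        self.dropping = None  # name of the script/style element being skipped

    def _attr_allowed(self, tag, name, value):
        if name not in ALLOWED_ATTRS.get(tag, set()):
            return False      # drops every on* handler, src, style, ...
        if name == "href":
            scheme = urlparse((value or "").strip()).scheme.lower()
            return scheme in SAFE_URL_SCHEMES   # blocks javascript:/data:
        return True

    def handle_starttag(self, tag, attrs):
        if self.dropping:
            return
        if tag in DROP_WITH_CONTENT:
            self.dropping = tag
            return
        if tag not in ALLOWED_TAGS:
            return            # unknown tag dropped; its text content is kept
        parts = [tag]
        for name, value in attrs:
            if self._attr_allowed(tag, name, value):
                parts.append(f'{name}="{escape(value or "", quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if self.dropping:
            if tag == self.dropping:
                self.dropping = None
            return
        if tag in self.open:
            # Close back down to the matching tag so nesting stays valid.
            while self.open:
                top = self.open.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.dropping:
            # Re-escape text: convert_charrefs decoded entities on the way in.
            self.out.append(escape(data, quote=False))

    def result(self):
        while self.open:                      # close anything left dangling
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize_html(rendered_html: str) -> str:
    """Return rendered_html with only allowlisted markup left in it."""
    parser = _Sanitizer()
    parser.feed(rendered_html)
    parser.close()
    return parser.result()


# Constructed sample: what a permissive markdown renderer would emit for a
# finding description containing raw HTML, including the classic XSS canaries.
CONSTRUCTED_RENDERED = (
    '<p>Login form reflects <code>q</code> parameter.</p>'
    '<pre data-language="plain">GET /search?q=1&amp;x=2 HTTP/1.1</pre>'
    '<p>PoC: <a href="javascript:alert(1)" onclick="alert(1)">click</a></p>'
    '<script>alert(1)</script>'
    '<img src=x onerror="alert(1)">'
    '<p>Report &lt;b&gt;tags&lt;/b&gt; literally &amp; safely.</p>'
)


def sanitize_constructed_example() -> str:
    """Sanitize the constructed sample; script/img/handlers/javascript: go."""
    return sanitize_html(CONSTRUCTED_RENDERED)


if __name__ == "__main__":
    print(sanitize_constructed_example())
```

In a Django template filter the wiring would be `mark_safe(sanitize_html(markdown.markdown(value)))`; the point the bot is making is that the sanitizer must run on the renderer's HTML, not on the markdown source, and must run before mark_safe. Production code should prefer a maintained library such as bleach (`bleach.clean` with an equivalent tag/attribute allowlist) over a hand-rolled parser, and should cover the same cases this example covers: script bodies removed, event-handler attributes dropped, non-allowlisted URL schemes on href rejected, and entities re-escaped on output.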
Summary
PDF reports have a text wrapping bug where multi-line finding fields (description, mitigation, impact, steps to reproduce, etc.) overflow past page margins and get cut off when printed to PDF. This is especially common with findings imported from tools like BugCrowd CSV, which embed `<pre>` tags in the field data.

Root cause (two issues):
1. Missing overflow-wrap: The pre CSS in report_base.html had word-break: normal but no overflow-wrap: break-word, so long unbroken strings (URLs, tokens, encoded data) would not wrap at the container boundary.
2. Nested `<pre>` tags: All 7 PDF report templates wrapped markdown_render output in `<pre>` tags. When imported finding data already contained `<pre>` tags (e.g. `<pre data-language="plain">`), this produced nested `<pre><pre>...</pre></pre>` elements. The inner `<pre>` could pick up default browser styles (overflow: auto, scrollbars) that override the report CSS, causing content to clip or scroll instead of wrapping.

Fix:
- Replaced `<pre>` wrappers around all markdown_render calls with `<div class="report-field">` across all 7 PDF report templates — eliminates the nesting problem
- `<pre>` tags
- Left `<pre class="raw_request">` tags untouched — those correctly wrap raw request/response data that isn't markdown-rendered