fix the way bulk update endpoints in finding view works in v3 #14411
dogboat wants to merge 1 commit into DefectDojo:bugfix from
| <div class="panel panel-default table-responsive"> | ||
| <div class="panel-heading"> | ||
| <h4>Vulnerable Endpoints / Systems ({{ finding.active_endpoint_count }}) </h4> | ||
| <h4>Vulnerable Endpoints / Systems ({{ finding.active_endpoint_count }}) |
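Review bot: dropping the `</h4>` from this heading line leaves the `<h4>` open past it; confirm the heading is closed exactly once after the chevron markup that follows, so the fix for the stray close tag does not leave the element unbalanced.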
Unrelated to the actual fix at hand, but I noticed the extra h4 close tag here was causing the chevron to render oddly.
| <input type="hidden" name="return_url" value="{{ request.get_full_path }}" /> | ||
| </form> | ||
|
|
||
| <div class="hidden" style="padding-bottom: 5px;" id="bulk_edit_menu"> |
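Review bot: `#bulk_edit_menu` now opens after `</form>`, so it sits outside the form that carries the hidden `return_url`; if the bulk edit controls are meant to submit through that form, either keep the div inside the form or give the controls a `form` attribute pointing at it, otherwise the return URL will not travel with the bulk edit request.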
This whole chunk was really just moved below so the bulk edit button appears closer to the endpoints lists.
🟡 Please give this pull request extra attention during review. This pull request includes a risky use of Django's
🟡 Potential Cross-Site Scripting in
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | The template uses the safe filter on endpoint.auditor, which disables Django's automatic escaping for that value and can allow untrusted input to inject HTML/JS, leading to XSS if the content is not sanitized. |
django-DefectDojo/dojo/templates/dojo/snippets/endpoints.html
Lines 259 to 261 in 8034a76
All finding details can be found in the DryRun Security Dashboard.
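As an added illustration of the finding above (not code from the PR or from DefectDojo), the following Python stand-in for Django's autoescaping renders a constructed auditor value with and without the `safe` filter, and includes a small lint that reports which template variables pass through `safe`. The `SafeString`, `mark_safe` and `conditional_escape` names mirror Django's but are reimplemented here on top of `html.escape`; the template snippet and the payload are constructed for the example, not copied from `endpoints.html`.

```python
import html
import re


class SafeString(str):
    """Marker type for content already trusted as HTML (stand-in for Django's SafeString)."""


def mark_safe(value: str) -> SafeString:
    """What the |safe filter does: wrap the value so autoescaping skips it."""
    return SafeString(value)


def conditional_escape(value) -> SafeString:
    """Stand-in for django.utils.html.conditional_escape.

    A SafeString passes through untouched; anything else has & < > " ' escaped,
    which is what Django's autoescape does for every {{ variable }} by default.
    """
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))


def render_auditor_cell(auditor: str, use_safe_filter: bool) -> str:
    """Render the auditor table cell.

    use_safe_filter=True mirrors {{ endpoint.auditor|safe }} (the flagged form);
    use_safe_filter=False mirrors {{ endpoint.auditor }} (autoescaped, the fix).
    """
    value = mark_safe(auditor) if use_safe_filter else auditor
    return f"<td>{conditional_escape(value)}</td>"


# Matches a Django variable tag and captures the expression inside it.
VARIABLE_TAG = re.compile(r"\{\{\s*(.*?)\s*\}\}", re.S)


def find_safe_filters(template_src: str) -> list[str]:
    """Return the variable expressions that are piped through the safe filter.

    Splits each {{ ... }} on '|' (good enough for a review-time grep; a filter
    argument containing a literal '|' inside quotes would be mis-split).
    """
    hits = []
    for match in VARIABLE_TAG.finditer(template_src):
        parts = [p.strip() for p in match.group(1).split("|")]
        if "safe" in parts[1:]:
            hits.append(parts[0])
    return hits


# Constructed template fragment standing in for the flagged lines (hypothetical).
SAMPLE_TEMPLATE = """
<td>{{ endpoint.host }}</td>
<td>{{ endpoint.auditor|safe }}</td>
<td>{{ endpoint.date_audited|date:"Y-m-d" }}</td>
"""

# Constructed attacker-controlled auditor value (hypothetical).
PAYLOAD = '<img src=x onerror="alert(document.cookie)">'


if __name__ == "__main__":
    print("safe-filtered variables:", find_safe_filters(SAMPLE_TEMPLATE))
    print("with |safe   :", render_auditor_cell(PAYLOAD, use_safe_filter=True))
    print("autoescaped  :", render_auditor_cell(PAYLOAD, use_safe_filter=False))
```

Removing `|safe` is the fix when `auditor` is plain text, as the rendered cell then contains the literal characters rather than a live `<img>` handler. If real markup in that field is genuinely required, pass the stored value through an allowlist sanitizer before marking it safe instead of trusting it as stored.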
This PR updates the 'bulk update endpoints' functionality in the Finding view to work when V3/Locations are enabled. When using V3, the bulk edit options change to radio buttons instead of checkboxes, since only one status can be set at a time in the new model.