Files @ e965ff6f8cb3
Location: kallithea/kallithea/templates/password_reset_confirmation.html

mads
setup: avoid bleach 3.1.4 for now - it seems to deliberately cause regressions

See https://github.com/mozilla/bleach/blob/master/CHANGES and
https://github.com/mozilla/bleach/commit/d6018f2539d271963c3e7f54f36ef11900363c69
... which adds xfails for use cases similar to how we use bleach.

It would completely remove style attributes instead of dropping bad parts of
them, as shown by the markup_renderer.py doctest it made fail:

>>> MarkupRenderer.render('''<img id="a" style="margin-top:-1000px;color:red" src="http://example.com/test.jpg">''', '.md')
Expected:
'<p><img id="a" src="http://example.com/test.jpg"; style="color: red;"></p>'
Got:
'<p><img id="a" src="http://example.com/test.jpg"; style=""></p>'

Until a better solution is found, stick to 3.1.3 and accept the potential
ReDoS.
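The behaviour the message wants (drop only the disallowed declarations and keep `color: red`, as in the doctest's "Expected" line), shown as an added illustration that is neither Kallithea's nor bleach's code: a per-declaration style filter with an assumed allow-list of CSS properties, using plain character checks instead of a regular expression so the filter itself cannot become a ReDoS vector.

```python
import string

# Allow-list for this example only; an assumption, not Kallithea's or
# bleach's configuration.
ALLOWED_CSS_PROPERTIES = {"color", "font-weight", "text-decoration"}

# Characters a declaration value may contain. Parentheses, quotes, slashes,
# backslashes and colons are absent, so url(...) and escapes never pass.
_SAFE_VALUE_CHARS = set(string.ascii_letters + string.digits + " ,#%.-")


def sanitize_style(style):
    """Filter a style attribute value one declaration at a time.

    Disallowed or malformed declarations are dropped; allowed ones are
    re-emitted as "prop: value;". Returns '' when nothing survives.
    Linear-time set membership replaces a regex, so the sanitizer cannot
    be attacked with pathological backtracking input.
    """
    kept = []
    for declaration in style.split(";"):
        prop, sep, value = declaration.partition(":")
        prop, value = prop.strip().lower(), value.strip()
        if not sep or not prop or not value:
            continue  # empty or malformed declaration
        if prop not in ALLOWED_CSS_PROPERTIES:
            continue  # e.g. margin-top used to push content off-screen
        if not set(value) <= _SAFE_VALUE_CHARS:
            continue  # e.g. a url(...) value on an otherwise allowed property
        kept.append(f"{prop}: {value};")
    return " ".join(kept)


def sanitize_attributes(attrs):
    """Apply sanitize_style to the 'style' entry of an attribute dict.

    The attribute is removed entirely when no declaration survives, rather
    than being left behind as an empty style="".
    """
    cleaned = dict(attrs)
    if "style" in cleaned:
        filtered = sanitize_style(cleaned["style"])
        if filtered:
            cleaned["style"] = filtered
        else:
            del cleaned["style"]
    return cleaned


if __name__ == "__main__":
    # Constructed sample mirroring the doctest input in the commit message.
    img = {"id": "a", "style": "margin-top:-1000px;color:red",
           "src": "http://example.com/test.jpg"}
    print(sanitize_attributes(img))
```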
## -*- coding: utf-8 -*-
<%inherit file="base/root.html"/>

<%block name="title">
    ${_('Reset Your Password')}
</%block>

<%include file="/base/flash_msg.html"/>

<div class="container">
<div class="row">
<div class="centered-column">
<div id="register" class="panel panel-primary">
    <div class="panel-heading">
        %if c.site_name:
            <h5>${_('Reset Your Password to %s') % c.site_name}</h5>
        %else:
            <h5>${_('Reset Your Password')}</h5>
        %endif
    </div>
    <div class="panel-body">
        ${h.form(h.url('reset_password_confirmation'), method='post')}
        <p>${_('You are about to set a new password for the email address %s.') % c.email}</p>
        <p>${_('Note that you must use the same browser session for this as the one used to request the password reset.')}</p>
        ${h.hidden('email', value=c.email)}
        ${h.hidden('timestamp', value=c.timestamp)}
        <div class="form">
                <div class="form-group">
                    <label class="control-label" for="token">${_('Code you received in the email')}:</label>
                    <div>
                        ${h.text('token', value=c.token, class_='form-control')}
                    </div>
                </div>

                <div class="form-group">
                    <label class="control-label" for="password">${_('New Password')}:</label>
                    <div>
                        ${h.password('password',class_='form-control')}
                    </div>
                </div>

                <div class="form-group">
                    <label class="control-label" for="password_confirm">${_('Confirm New Password')}:</label>
                    <div>
                        ${h.password('password_confirm',class_='form-control')}
                    </div>
                </div>

                <div class="form-group">
                    <div class="buttons">
                        ${h.submit('send',_('Confirm'),class_="btn btn-default")}
                    </div>
                </div>
        </div>
        ${h.end_form()}
    </div>
    </div>
</div>
</div>
</div>