
feat: add additional_banners support to base template#14492

Merged
valentijnscholten merged 1 commit into bugfix from banner-additions on Mar 12, 2026

Conversation

@Maffooch (Contributor)

Summary

  • Add support for rendering additional banners in the base template
  • Banners are rendered via the additional_banners template context variable, after the existing announcement banner
  • Each banner supports message, style, url, and link_text fields
  • No-op when additional_banners is not provided by a context processor

@Maffooch Maffooch requested a review from mtesauro as a code owner March 11, 2026 17:20
@github-actions github-actions bot added the ui label Mar 11, 2026
@dryrunsecurity (DryRun Security)

🟡 Please give this pull request extra attention during review.

This pull request introduces a template change that renders banner.message, banner.url, and banner.link_text directly into HTML without escaping or sanitization, creating a potential stored cross-site scripting (XSS) vector if those values can contain attacker-controlled content. The risky output occurs in dojo/templates/base.html (lines ~670–673) where these banner fields are used raw while similar announcement content is properly filtered.

🟡 Potential Cross-Site Scripting in dojo/templates/base.html (drs_d648caad)
Vulnerability: Potential Cross-Site Scripting
Description: The template renders banner.message, banner.url, and banner.link_text directly into HTML without any escaping/filtering. Unlike announcement.message, which uses the bleach_with_a_tags filter, these banner fields are output raw ({{ banner.message }}, {{ banner.url }}, {{ banner.link_text }}). If any of those values contain attacker-controlled HTML or JavaScript (for example, stored in the database from an admin UI or user-submitted content), they will be injected into the page and can execute in the browser. No sanitization or safe-escaping is present in the patch or nearby template code for additional_banners.

{{ banner.message }} <a href="{{ banner.url }}">{{ banner.link_text }}</a>
</div>
{% endfor %}
<div class="container-fluid">


Comment to provide feedback on these findings.

Report false positive: @dryrunsecurity fp [FINDING ID] [FEEDBACK]
Report low-impact: @dryrunsecurity nit [FINDING ID] [FEEDBACK]

Example: @dryrunsecurity fp drs_90eda195 This code is not user-facing

All finding details can be found in the DryRun Security Dashboard.
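A defender-side check for the concern raised in this finding, added here as an example and not DefectDojo's own code: it validates `additional_banners` entries in the context processor that supplies them (scheme allowlist on `url`, allowlist on `style`, no link without a safe URL) and emulates the escaped rendering of the quoted fragment with `html.escape`, which is what Django's default autoescaping already produces for plain `{{ }}` output unless the block is marked safe or runs with autoescape off. The div class, the style allowlist and all function names are assumptions.

```python
import html
from urllib.parse import urlsplit

# Constructed example, not DefectDojo code. Validates `additional_banners`
# entries (message, style, url, link_text) before they reach the template and
# emulates the escaped rendering of the fragment quoted in the finding.

ALLOWED_STYLES = {"info", "warning", "danger"}   # assumed allowlist
ALLOWED_SCHEMES = {"http", "https"}


def safe_banner_url(url):
    """Return the trimmed `url` if it is a same-site path or an http(s) URL,
    otherwise ''. Rejects javascript:, data:, vbscript: and protocol-relative
    //host URLs, which HTML escaping alone does not neutralise inside href."""
    url = (url or "").strip()
    if not url:
        return ""
    parts = urlsplit(url)            # urlsplit lowercases the scheme
    if parts.scheme == "" and url.startswith("/") and not url.startswith("//"):
        return url
    if parts.scheme in ALLOWED_SCHEMES and parts.netloc:
        return url
    return ""


def clean_banner(banner):
    """Normalise one banner dict; None when there is no usable message.
    Text is deliberately left unescaped here: the template's autoescaping (or
    html.escape in render_banner) does that once, so escaping at the source
    would only double-encode it."""
    message = str(banner.get("message") or "").strip()
    if not message:
        return None
    style = banner.get("style") if banner.get("style") in ALLOWED_STYLES else "info"
    url = safe_banner_url(banner.get("url"))
    link_text = str(banner.get("link_text") or "").strip() if url else ""
    return {"message": message, "style": style, "url": url, "link_text": link_text}


def render_banner(banner):
    """Render the quoted fragment with every value escaped (quote=True also
    escapes the quotes that would otherwise break out of href). Div class assumed."""
    b = clean_banner(banner)
    if b is None:
        return ""

    def esc(s):
        return html.escape(s, quote=True)

    link = f' <a href="{esc(b["url"])}">{esc(b["link_text"])}</a>' if b["url"] else ""
    return f'<div class="alert alert-{b["style"]}">{esc(b["message"])}{link}</div>'
```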

@mtesauro (Contributor) left a comment


Approved

@valentijnscholten valentijnscholten added this to the 2.56.2 milestone Mar 12, 2026
@valentijnscholten valentijnscholten merged commit a2aad99 into bugfix Mar 12, 2026
284 of 285 checks passed
