Merge remote-tracking branch 'inventree/master'

InvenTree/InvenTree/settings.py

@@ -391,9 +391,16 @@ REST_FRAMEWORK = {
         'InvenTree.permissions.RolePermission',
     ),
     'DEFAULT_SCHEMA_CLASS': 'rest_framework.schemas.coreapi.AutoSchema',
-    'DEFAULT_METADATA_CLASS': 'InvenTree.metadata.InvenTreeMetadata'
+    'DEFAULT_METADATA_CLASS': 'InvenTree.metadata.InvenTreeMetadata',
+    'DEFAULT_RENDERER_CLASSES': [
+        'rest_framework.renderers.JSONRenderer',
+    ]
 }
 
+if DEBUG:
+    # Enable browsable API if in DEBUG mode
+    REST_FRAMEWORK['DEFAULT_RENDERER_CLASSES'].append('rest_framework.renderers.BrowsableAPIRenderer')
+
 WSGI_APPLICATION = 'InvenTree.wsgi.application'
 
 """

InvenTree/part/test_api.py

@@ -148,6 +148,37 @@ class PartCategoryAPITest(InvenTreeAPITestCase):
         # There should not be any templates left at this point
         self.assertEqual(PartCategoryParameterTemplate.objects.count(), 0)
 
+    def test_bleach(self):
+        """Test that the data cleaning functionality is working"""
+
+        url = reverse('api-part-category-detail', kwargs={'pk': 1})
+
+        self.patch(
+            url,
+            {
+                'description': '<img src=# onerror=alert("pwned")>',
+            },
+            expected_code=200
+        )
+
+        cat = PartCategory.objects.get(pk=1)
+
+        # Image tags have been stripped
+        self.assertEqual(cat.description, '&lt;img src=# onerror=alert("pwned")&gt;')
+
+        self.patch(
+            url,
+            {
+                'description': '<a href="www.google.com">LINK</a><script>alert("h4x0r")</script>',
+            },
+            expected_code=200,
+        )
+
+        # Tags must have been bleached out
+        cat.refresh_from_db()
+
+        self.assertEqual(cat.description, '<a href="www.google.com">LINK</a>&lt;script&gt;alert("h4x0r")&lt;/script&gt;')
+
 
 class PartOptionsAPITest(InvenTreeAPITestCase):
     """Tests for the various OPTIONS endpoints in the /part/ API.

InvenTree/templates/InvenTree/settings/user.html

@@ -154,7 +154,9 @@
         </form>
 
         {% else %}
-        <p>{% trans 'You currently have no social network accounts connected to this account.' %}</p>
+        <div class='alert alert-block alert-warning'>
+            {% trans 'There are no social network accounts connected to this account.' %}
+        </div>
         {% endif %}
     </div>
 
@@ -198,9 +200,9 @@
     </table>
 
     {% else %}
-    <p><strong>{% trans 'Warning:'%}</strong>
-        {% trans "You currently do not have any factors set up." %}
-    </p>
+    <div class='alert alert-block alert-warning'>
+        {% trans "Multifactor authentication is not configured for your account" %}
+    </div>
 
     {% endif %}
     </div>
@@ -224,7 +226,7 @@
                 <form method="post" action="{% url 'session_delete_other' %}">
                     {% csrf_token %}
                     <button type="submit" class="btn btn-sm btn-default btn-danger" title='{% trans "Log out active sessions (except this one)" %}'>
-                        {% trans "Log Out Active Sessions" %}
+                        <span class='fas fa-sign-out-alt'></span> {% trans "Log Out Active Sessions" %}
                     </button>
                 </form>
                 {% endif %}

InvenTree/templates/InvenTree/settings/user_display.html

@@ -34,7 +34,7 @@
             {% csrf_token %}
             <input name='next' type='hidden' value='{% url "settings" %}'>
             <label for='theme' class=' requiredField'>
-                {% trans "Select theme" %}
+                <h6>{% trans "Select theme" %}</h6>
             </label>
             <div class='form-group input-group mb-3'>
                 <select id='theme' name='theme' class='select form-control'>
@@ -62,7 +62,7 @@
             {% csrf_token %}
             <input name="next" type="hidden" value="{% url 'settings' %}">
             <label for='language' class=' requiredField'>
-                {% trans "Select language" %}
+                <h6>{% trans "Select language" %}</h6>
             </label>
             <div class='form-group input-group mb-3'>
                 <select name="language" class="select form-control w-25">
@@ -100,8 +100,11 @@
     </form>
     </div>
     <div class="col-sm-6">
-        <h4>{% trans "Help the translation efforts!" %}</h4>
-        <p>{% blocktrans with link="https://crowdin.com/project/inventree" %}Native language translation of the web application is <a href="{{link}}">community contributed via crowdin</a>. Contributions are welcomed and encouraged.{% endblocktrans %}</p>
+        <div class='alert alert-block alert-success'>
+            <h5>{% trans "Help the translation efforts!" %}</h5>
+            <p>{% trans "Native language translation of the web application is community contributed via crowdin. Contributions are welcomed and encouraged." %}</p>
+            <p><a href="https://crowdin.com/project/inventree">{% trans "InvenTree Translation Project" %}</a></p>
+        </div>
     </div>
 </div>