Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Event Calendar as Endpoint, rather than HTML Injection #508

Open
ochan1 opened this issue Oct 19, 2022 · 0 comments
Open

Event Calendar as Endpoint, rather than HTML Injection #508

ochan1 opened this issue Oct 19, 2022 · 0 comments

Comments

@ochan1
Copy link
Contributor

ochan1 commented Oct 19, 2022

Currently, the calendar uses a HTML JSON injected from Django, with the potential to cause HTML to break
https://github.com/compserv/hknweb/blob/master/hknweb/events/templates/events/index.html#L23-L56

Not an issue of security with JavaScript injection as Bleach does take care of that for now

Long term goal: Use a JSON endpoint that the calendar calls rather than an HTML injection (not really potential for attack since no JS, but breaks the calendar HTML)
Sample Code to only allow calls to the URL from another URL: https://github.com/TBP-IT/tbpweb/blob/master/events/views.py#L506

Can open the ability for better Google Calendar integration, RSS Feeds, or people can have a JSON API for their calendar

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant