Diffstat (limited to 'ishtar_common/utils_secretary.py')
-rw-r--r--ishtar_common/utils_secretary.py19
1 files changed, 13 insertions, 6 deletions
diff --git a/ishtar_common/utils_secretary.py b/ishtar_common/utils_secretary.py
index 0ce4732d4..77a2cbc9b 100644
--- a/ishtar_common/utils_secretary.py
+++ b/ishtar_common/utils_secretary.py
@@ -2,8 +2,9 @@
# -*- coding: utf-8 -*-
import re
from secretary import Renderer
-from lxml import etree
-from xml.dom.minidom import parseString
+# source files is from admin user this should be safe
+from lxml import etree # nosec
+from xml.dom.minidom import parseString # nosec
from xml.parsers.expat import ExpatError, ErrorString
from PIL import Image
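Review bot: The bare `# nosec` on the two import lines switches off every scanner check for those lines, not only the XML-parser findings it is meant to accept. Scoping it to the reported test IDs keeps any later finding on the same line visible, for example `from xml.dom.minidom import parseString  # nosec B408` for the minidom import, and the ID the scanner reports for the lxml import. The justification comment would be clearer as `# Templates are uploaded by admin users only; the XML parser warnings are accepted on that basis.`, and it should name where that restriction is enforced, which is not visible in this hunk.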
@@ -108,10 +109,16 @@ class IshtarSecretaryRenderer(Renderer):
result = jinja_template.render(**kwargs)
# try to fix xml with mismatched tags
- parser = etree.XMLParser(recover=True)
- recovered_xml = etree.fromstring(result.encode("ascii", "xmlcharrefreplace"), parser)
-
- final_xml = parseString(etree.tostring(recovered_xml))
+ # source files is from admin user this should be safe
+ parser = etree.XMLParser(recover=True) # nosec
+ recovered_xml = etree.fromstring(
+ result.encode("ascii", "xmlcharrefreplace"),
+ parser)
+
+ # source files is from admin user this should be safe
+ final_xml = parseString( # nosec
+ etree.tostring(recovered_xml)
+ )
if self.template_images:
self.replace_images(final_xml)
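Review bot: The `# nosec` on `etree.XMLParser(recover=True)` is justified by the template coming from an admin, but the bytes being parsed are `result`, the Jinja output rendered with `**kwargs`. Any value that reaches the template unescaped is therefore parsed as well, and whether escaping is applied is not visible here. The parser can be constrained instead of only silencing the warning: `parser = etree.XMLParser(recover=True, resolve_entities=False, no_network=True)  # nosec`. The comment above it should then record both assumptions (trusted template, escaped values) rather than the template alone. The `parseString` call re-parses lxml's own serialisation of an element, which presumably carries no DOCTYPE, so the first parse is the one worth hardening. The enclosing method starts and ends outside this hunk.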