From 14abe07a4a8be90bbe763542a6e02fbb2aaf20d2 Mon Sep 17 00:00:00 2001
From: Ben Sturmfels <ben@sturm.com.au>
Date: Fri, 17 Dec 2021 21:55:47 +1100
Subject: [PATCH] Remove unnecessary use of "safe" template tag.

This tag marks a variable as not requiring escaping by the template engine,
potentially creating cross-site scripting vulnerabilities, so shouldn't be used
unless absolutely necessary. In these cases, I don't think it's necessary.
---
 www/conservancy/templates/blog/entry_detail.html         | 2 +-
 www/conservancy/templates/blog/entry_partial.html        | 2 +-
 www/conservancy/templates/feeds/blog_title.html          | 2 +-
 www/conservancy/templates/feeds/news_description.html    | 2 +-
 www/conservancy/templates/feeds/news_title.html          | 2 +-
 www/conservancy/templates/frontpage.html                 | 2 +-
 www/conservancy/templates/news/pressrelease_detail.html  | 2 +-
 www/conservancy/templates/news/pressrelease_partial.html | 4 ++--
 www/conservancy/templates/opengraph_partial.html         | 4 ++--
 www/conservancy/templates/sponsors.html                  | 6 +++---
 10 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/www/conservancy/templates/blog/entry_detail.html b/www/conservancy/templates/blog/entry_detail.html
index 87488a68..70bd722b 100644
--- a/www/conservancy/templates/blog/entry_detail.html
+++ b/www/conservancy/templates/blog/entry_detail.html
@@ -6,7 +6,7 @@
 {% include "opengraph_urllist_partial.html" with property='video' urls=object.get_one_video_url %}
 {% endblock %}
 
-{% block subtitle %}{{ object.headline|striptags|safe }} - Conservancy Blog - {% endblock %}
+{% block subtitle %}{{ object.headline|striptags }} - Conservancy Blog - {% endblock %}
 
 {% block content %}
 <div class="breadcrumbs">
diff --git a/www/conservancy/templates/blog/entry_partial.html b/www/conservancy/templates/blog/entry_partial.html
index 571d69f2..9ec8266f 100644
--- a/www/conservancy/templates/blog/entry_partial.html
+++ b/www/conservancy/templates/blog/entry_partial.html
@@ -18,7 +18,7 @@ This partial accepts these optional parameters:
 
 <{{ htag|default:"h3" }} class="clear"
   >{% if show|default:"body" != "body" %}<a href="{{ entry.get_absolute_url }}"
-  >{% endif %}{{ entry.headline|safe }}{% if show|default:"body" != "body" %}</a>{% endif %}</{{ htag|default:"h3" }}>
+  >{% endif %}{{ entry.headline }}{% if show|default:"body" != "body" %}</a>{% endif %}</{{ htag|default:"h3" }}>
 
 {% if show != "headline" %}
 <p class="date">by <span class="author">{{ entry.author.formal_name }}</span>
diff --git a/www/conservancy/templates/feeds/blog_title.html b/www/conservancy/templates/feeds/blog_title.html
index 41fedac7..d05ff107 100644
--- a/www/conservancy/templates/feeds/blog_title.html
+++ b/www/conservancy/templates/feeds/blog_title.html
@@ -1 +1 @@
-{{ obj.headline|striptags|safe }}
+{{ obj.headline|striptags }}
diff --git a/www/conservancy/templates/feeds/news_description.html b/www/conservancy/templates/feeds/news_description.html
index 34c9a619..69751ba9 100644
--- a/www/conservancy/templates/feeds/news_description.html
+++ b/www/conservancy/templates/feeds/news_description.html
@@ -1,3 +1,3 @@
-{% if obj.subhead %}<p><strong>{{ obj.subhead|safe }}</strong></p>{% endif %}
+{% if obj.subhead %}<p><strong>{{ obj.subhead }}</strong></p>{% endif %}
 {{ obj.summary|safe }}
 {{ obj.body|safe }}
diff --git a/www/conservancy/templates/feeds/news_title.html b/www/conservancy/templates/feeds/news_title.html
index 41fedac7..d05ff107 100644
--- a/www/conservancy/templates/feeds/news_title.html
+++ b/www/conservancy/templates/feeds/news_title.html
@@ -1 +1 @@
-{{ obj.headline|striptags|safe }}
+{{ obj.headline|striptags }}
diff --git a/www/conservancy/templates/frontpage.html b/www/conservancy/templates/frontpage.html
index 7c2ce89d..f83ced33 100644
--- a/www/conservancy/templates/frontpage.html
+++ b/www/conservancy/templates/frontpage.html
@@ -104,7 +104,7 @@ strategies that defend FOSS (such as copyleft). <a href="/about" class="orange">
 <!-- <h2>Support Conservancy</h2>
      <p>As a 501(c)(3) non-profit charity, Conservancy relies on
      charitable donations for its operations.
-     Please join {{supporters_count|safe}} others and <a href="/sustainer/"><strong>become a Conservancy Sustainer
+     Please join {{ supporters_count }} others and <a href="/sustainer/"><strong>become a Conservancy Sustainer
      today</strong></a> and/or <a href="/donate/">donate generously</a> to help our work!
      </p>
 
diff --git a/www/conservancy/templates/news/pressrelease_detail.html b/www/conservancy/templates/news/pressrelease_detail.html
index 90ac7fcf..8cabc8ad 100644
--- a/www/conservancy/templates/news/pressrelease_detail.html
+++ b/www/conservancy/templates/news/pressrelease_detail.html
@@ -6,7 +6,7 @@
 {% include "opengraph_urllist_partial.html" with property='video' urls=object.get_one_video_url %}
 {% endblock %}
 
-{% block subtitle %}{{ object.headline|striptags|safe }} - {% endblock %}
+{% block subtitle %}{{ object.headline|striptags }} - {% endblock %}
 
 {% block content %}
 
diff --git a/www/conservancy/templates/news/pressrelease_partial.html b/www/conservancy/templates/news/pressrelease_partial.html
index dc0fb687..2751cb4f 100644
--- a/www/conservancy/templates/news/pressrelease_partial.html
+++ b/www/conservancy/templates/news/pressrelease_partial.html
@@ -19,13 +19,13 @@ This partial accepts these optional parameters:
 
 <{{ htag|default:"h3" }} class="clear"
   >{% if show|default:"body" != "body" %}<a href="{{ pressr.get_absolute_url }}"
-  >{% endif %}{{ pressr.headline|safe }}{% if show|default:"body" != "body" %}</a>{% endif %}</{{ htag|default:"h3" }}>
+  >{% endif %}{{ pressr.headline }}{% if show|default:"body" != "body" %}</a>{% endif %}</{{ htag|default:"h3" }}>
 
 {% if show != "headline" %}
 {% if show != "dateline" and pressr.subhead %}
   {# This filter sequence generates the "next" hN tag from htag #}
   <h{{ htag|default:"3"|last|get_digit:1|add:1 }}
-     >{{ pressr.subhead|safe }}</h{{ htag|default:"3"|last|get_digit:1|add:1 }}>
+     >{{ pressr.subhead }}</h{{ htag|default:"3"|last|get_digit:1|add:1 }}>
 {% endif %}
 
 <p class="date">{{ pressr.pub_date|date:"F j, Y" }}</p>
diff --git a/www/conservancy/templates/opengraph_partial.html b/www/conservancy/templates/opengraph_partial.html
index 631529df..3143ca71 100644
--- a/www/conservancy/templates/opengraph_partial.html
+++ b/www/conservancy/templates/opengraph_partial.html
@@ -36,9 +36,9 @@ normally shouldn't need to:
 {% endif %}
 
 {% if title %}
-<meta property="og:title" content="{{ title|striptags|safe }}">
+<meta property="og:title" content="{{ title|striptags }}">
 {% endif %}
 
 {% if description %}
-<meta property="og:description" content="{{ description|striptags|safe }}">
+<meta property="og:description" content="{{ description|striptags }}">
 {% endif %}
diff --git a/www/conservancy/templates/sponsors.html b/www/conservancy/templates/sponsors.html
index 58f2a3d5..2156eb1e 100644
--- a/www/conservancy/templates/sponsors.html
+++ b/www/conservancy/templates/sponsors.html
@@ -52,16 +52,16 @@ any of its sponsors.</p>
 <br/>
 <h2>Sustainers</h2>
 
-<p>Conservancy currently has {{supporters_count|safe}} Sustainers.
+<p>Conservancy currently has {{ supporters_count }} Sustainers.
   Conservancy Sustainers are individuals (or small companies) who give $120
   or more annually as part of <a href="/sustainer/">the Official Conservancy
   Sustainer program</a>.  Those who request public acknowledgment are listed
   here in order by the date when they first joined the Sustainer program:</p>
 
 <ul id="sustainers">
-<li>Anonymous ({{anonymous_count|safe}} people)</li>
+<li>Anonymous ({{ anonymous_count }} people)</li>
 {% for ss in supporters %}
-<li>{{ ss.display_name|safe }}</li>
+<li>{{ ss.display_name }}</li>
 {% endfor %}
 </ul>