mirror of
https://github.com/makeplane/plane.git
synced 2026-07-10 04:25:24 +02:00
GHSA-6qrq-f73q-r67j / GHSA-j9pv-f5wm-p4g2 — IssueCommentSerializer in both app and api layers stored comment_html without sanitization. The app layer had no validate() at all; the api layer only ran lxml structural normalization which does not strip XSS payloads. Fix: both serializers now call validate_html_content() (nh3-backed) in their validate() methods, replacing the raw value with sanitized HTML. GHSA-hh2r-3hwp-mvq3 — space/views/intake.py and api/views/intake.py both used bare Issue.objects.create() with description_html taken directly from request data, bypassing any serializer validation. Fix: both paths now call validate_html_content() and pass the sanitized value to Issue.objects.create(). Falls back to "<p></p>" if sanitizer returns None (empty/invalid input). The nh3 sanitizer (validate_html_content in content_validator.py) was already present and used by IssueCreateSerializer — this change extends coverage to the two remaining unsanitized comment and intake paths. Co-authored-by: Plane AI <noreply@plane.so>