fix: avoid cross-site scripting when rendering html

Author: luis-dk

testgen/ui/services/form_service.py

@@ -507,7 +507,7 @@ def render_html_list(dct_row, lst_columns, str_section_header=None, int_data_wid
         str_markdown += f"""<div><span class="dk-field-label">{label}</span><span class="dk-{str_use_class}-value">{dct_row[col]!s}</span></div>"""
 
     with st.container():
-        st.markdown(str_markdown, unsafe_allow_html=True)
+        st.html(str_markdown)
         st.divider()
 
 

testgen/ui/views/connections/forms.py

@@ -288,15 +288,14 @@ def render_extra(
             elif self._uploaded_file is None and (cached_file_upload := st.session_state.get(cached_file_upload_key)):
                 self._uploaded_file = cached_file_upload
                 file_size = f"{round(self._uploaded_file.size / 1024, 2)}KB"
-                container.markdown(
+                container.html(
                     f"""
                     <div style="display: flex; align-items: center; justify-content: flex-start; padding: 0 16px; margin-bottom: 16px;">
                         <span style="font-family: 'Material Symbols Rounded'; font-weight: normal; white-space: nowrap; overflow-wrap: normal; font-size: 28.8px; color: rgb(151, 166, 195);">draft</span>
                         <span style="margin-left: 16px; margin-right: 8px;">{self._uploaded_file.name}</span>
                         <small style='color: rgba(49, 51, 63, 0.6); font-size: 14px; line-height: 1.25;'>{file_size}</small>
                     </div>
-                    """,
-                    unsafe_allow_html=True,
+                    """
                 )
 
     def reset_cache(self) -> None:

testgen/ui/views/dialogs/application_logs_dialog.py

@@ -65,7 +65,7 @@ def application_logs_dialog():
         show_data = log_data
 
     # Refresh button
-    col3.markdown("<br>", unsafe_allow_html=True)
+    col3.html("<br>")
     if col3.button("Refresh"):
         # Clear cache to refresh the log data
         st.cache_data.clear()

testgen/ui/views/score_details.py

@@ -169,10 +169,7 @@ def delete_score_card(definition_id: str) -> None:
     delete_clicked, set_delelte_clicked = temp_value(
         "score-details:confirm-delete-score-val"
     )
-    st.markdown(
-        f"Are you sure you want to delete the scorecard <b>{score_definition.name}</b>?",
-        unsafe_allow_html=True,
-    )
+    st.html(f"Are you sure you want to delete the scorecard <b>{score_definition.name}</b>?")
 
     _, button_column = st.columns([.85, .15])
     with button_column:

testgen/ui/views/table_groups/page.py

@@ -166,9 +166,17 @@ def delete_table_group_dialog(self, table_group: pd.Series):
         )
 
         if not can_be_deleted:
-            st.markdown(
-                ":orange[This Table Group has related data, which may include profiling, test definitions and test results. If you proceed, all related data will be permanently deleted.<br/>Are you sure you want to proceed?]",
-                unsafe_allow_html=True,
+            st.html(
+                """
+                <div style=\"color: rgb(217, 90, 0);\">
+                    <span>
+                        This Table Group has related data, which may include profiling, test definitions and test results.
+                        If you proceed, all related data will be permanently deleted.
+                    </span>
+                    <br/>
+                    <span>Are you sure you want to proceed?</span>
+                </div>
+                """
             )
             accept_cascade_delete = st.toggle("I accept deletion of this Table Group and all related TestGen data.")
 

testgen/ui/views/test_definitions.py

@@ -343,13 +343,12 @@ def show_test_form(
 
     # Using the test_type, display the default description and usage_notes
     if selected_test_type_row["test_description"]:
-        st.markdown(
+        st.html(
             f"""
                 <div style="border: 1px solid #e6e6e6; border-radius: 5px; padding: 10px;">
                     {selected_test_type_row['test_description']}
                 </div><br/>
-                """,
-            unsafe_allow_html=True,
+            """
         )
 
     if selected_test_type_row["usage_notes"]:
@@ -854,7 +853,7 @@ def show_test_defs_grid(
         )
 
     if dct_selected_row:
-        st.markdown("</p>&nbsp;</br>", unsafe_allow_html=True)
+        st.html("</p>&nbsp;</br>")
         selected_row = dct_selected_row[0]
         str_test_id = selected_row["id"]
         row_selected = df[df["id"] == str_test_id].iloc[0]

testgen/ui/views/test_suites.py

@@ -258,9 +258,17 @@ def delete_test_suite_dialog(test_suite_id: str) -> None:
     )
 
     if not can_be_deleted:
-        st.markdown(
-            ":orange[This Test Suite has related data, which includes test definitions and may include test results. If you proceed, all related data will be permanently deleted.<br/>Are you sure you want to proceed?]",
-            unsafe_allow_html=True,
+        st.html(
+            """
+            <div style=\"color: rgb(217, 90, 0);\">
+                <span>
+                    This Test Suite has related data, which includes test definitions and may
+                    include test results. If you proceed, all related data will be permanently deleted.
+                </span>
+                <br/>
+                <span>Are you sure you want to proceed?</span>
+            </div>
+            """
         )
         accept_cascade_delete = st.toggle("I accept deletion of this Test Suite and all related TestGen data.")