Merge pull request #1390 from NHSDigital/feature/fix-xss

MatMoore · web-flow · commit 0d079cb2bd06 · 2026-04-29T10:04:04.000+01:00
Fix XSS in Special Appointment Banner
diff --git a/manage_breast_screening/mammograms/jinja2/mammograms/special_appointments/special_appointment_banner.jinja b/manage_breast_screening/mammograms/jinja2/mammograms/special_appointments/special_appointment_banner.jinja
@@ -6,21 +6,19 @@
       {% set rows = [] %}
       {% for reason in presented_special_appointment.reasons %}
         {# Build the value content (details) #}
-        {% set value_content = "" %}
+        {% set value = {} %}
         {% if reason.details %}
-          {% set value_content = reason.details %}
+          {% set value = {"html": reason.details | e} %}
         {% else %}
-          {% set value_content = "<span class=\"nhsuk-u-secondary-text-colour\">No details provided</span>" %}
+          {% set value = {"html": "<span class=\"nhsuk-u-secondary-text-colour\">No details provided</span>"} %}
         {% endif %}
 
         {# Add row for this support reason #}
         {% do rows.append({
           "key": {
             "text": reason.label
           },
-          "value": {
-            "html": value_content | safe
-          }
+          "value": value
         }) %}
       {% endfor %}
       {{ summaryList({
diff --git a/manage_breast_screening/mammograms/tests/jinja2/test_special_appointment_banner.py b/manage_breast_screening/mammograms/tests/jinja2/test_special_appointment_banner.py
@@ -112,3 +112,51 @@ def test_special_appointment_banner_without_change_link(jinja_env, presenter):
         </div>
     """,
     )
+
+
+def test_special_appointment_banner_escapes_malicious_details(jinja_env):
+    malicious_details = "<script>alert(1)</script>"
+    presenter = SpecialAppointmentPresenter(
+        {
+            "PHYSICAL_RESTRICTION": {
+                "details": malicious_details,
+            }
+        },
+        "68d758d0-792d-430f-9c52-1e7a0c2aa1dd",
+    )
+
+    template = jinja_env.from_string(
+        dedent(
+            r"""
+                {% from 'mammograms/special_appointments/special_appointment_banner.jinja' import special_appointment_banner %}
+                {{ special_appointment_banner(presenter, show_change_link=False) }}
+                """
+        )
+    )
+
+    response = template.render({"presenter": presenter})
+
+    assertHTMLEqual(
+        response,
+        """
+        <div class="nhsuk-card nhsuk-card--warning">
+            <div class="nhsuk-card__content">
+                <h3 class="nhsuk-card__heading"><span role="text">
+                <span class="nhsuk-u-visually-hidden">Important: </span>
+                Special appointment
+                </span></h3>
+
+                <dl class="nhsuk-summary-list app-special-appointment-banner">
+                    <div class="nhsuk-summary-list__row">
+                        <dt class="nhsuk-summary-list__key">
+                        Physical restriction
+                        </dt>
+                        <dd class="nhsuk-summary-list__value">
+                        &lt;script&gt;alert(1)&lt;/script&gt;
+                        </dd>
+                    </div>
+                </dl>
+            </div>
+        </div>
+        """,
+    )
