Merged
Expand Up @@ -62,7 +62,7 @@
from flask_jwt_extended import JWTManager
from flask_login import LoginManager
from itsdangerous import want_bytes
from markupsafe import Markup
from markupsafe import Markup, escape
from sqlalchemy import func, inspect, or_, select
from sqlalchemy.exc import MultipleResultsFound
from sqlalchemy.orm import joinedload
Expand Down Expand Up @@ -547,8 +547,9 @@ def reset_user_sessions(self, user: User) -> None:
user_session_model = interface.sql_session_model
num_sessions = session.query(user_session_model).count()
if num_sessions > MAX_NUM_DATABASE_USER_SESSIONS:
safe_username = escape(user.username)
self._cli_safe_flash(
f"The old sessions for user {user.username} have <b>NOT</b> been deleted!<br>"
f"The old sessions for user {safe_username} have <b>NOT</b> been deleted!<br>"
f"You have a lot ({num_sessions}) of user sessions in the 'SESSIONS' table in "
f"your database.<br> "
"This indicates that this deployment might have an automated API calls that create "
Expand All @@ -565,9 +566,10 @@ def reset_user_sessions(self, user: User) -> None:
session.delete(s)
session.commit()
else:
safe_username = escape(user.username)
self._cli_safe_flash(
"Since you are using `securecookie` session backend mechanism, we cannot prevent "
f"some old sessions for user {user.username} to be reused.<br> If you want to make sure "
f"some old sessions for user {safe_username} to be reused.<br> If you want to make sure "
"that the user is logged out from all sessions, you should consider using "
"`database` session backend mechanism.<br> You can also change the 'secret_key` "
"webserver configuration for all your webserver instances and restart the webserver. "
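Review bot: `safe_username = escape(user.username)` is computed separately in each branch of `reset_user_sessions`, so any later message added to this function has to remember to repeat it. Binding it once near the top of the function would make the escaped value the only one in scope for message building; the function body starts outside these hunks, so the exact placement needs checking against the full file. The messages deliberately carry `<b>`/`<br>` markup, so escaping the interpolated value (rather than the whole string) is the right granularity, but `_cli_safe_flash` is not visible here: if it also prints or logs the text outside a request context, the username will presumably appear there with HTML entities, which is worth confirming as acceptable. No test is visible in this change; a regression test using a username that contains `<`, `>` and `&` and asserting the flashed message holds the entity-encoded form would pin the behaviour.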