store more parameters in import settings #14673
valentijnscholten wants to merge 1 commit into DefectDojo:bugfix from
This pull request contains a high-severity potential Cross-Site Scripting issue: an HTML string is constructed using interpolated values from test_import.import_settings, wrapped with Django's mark_safe, and although each value is passed through esc(...), mark_safe disables auto-escaping so if esc does not guarantee safe, context-appropriate escaping, user-controlled data could reach the HTML sink unescaped and enable XSS. The finding is non-blocking but flagged as risky and should be fixed by ensuring proper, context-aware escaping or avoiding mark_safe.
🟠 Potential Cross-Site Scripting in
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | The code builds an HTML string and returns it wrapped in Django's mark_safe after interpolating multiple values from test_import.import_settings. While each value is passed through esc(...), the final HTML is marked safe which bypasses Django auto-escaping; if esc does not reliably produce HTML-escaped (or otherwise context-appropriate escaped) strings for all inputs, user-controlled data could reach the HTML sink unescaped, causing XSS. |
django-DefectDojo/dojo/templatetags/display_tags.py
Lines 1123 to 1126 in 73e5f83
Comment to provide feedback on these findings.
Report false positive: @dryrunsecurity fp [FINDING ID] [FEEDBACK]
Report low-impact: @dryrunsecurity nit [FINDING ID] [FEEDBACK]
Example: @dryrunsecurity fp drs_90eda195 This code is not user-facing
All finding details can be found in the DryRun Security Dashboard.
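The finding above hinges on one point: `mark_safe` turns off auto-escaping for the whole string, so the output is only as safe as every `esc(...)` call that fed it. The following is an added example, not DefectDojo's code, that models the flagged shape next to a `format_html`-style helper (the same idea as Django's `format_html`, reimplemented on the stdlib so it runs without Django); the `SafeString`, `tags_only_esc` and `SAMPLE_SETTINGS` names are constructed for the demonstration.

```python
from html import escape


class SafeString(str):
    """Marker for markup that is already escaped (stands in for Django's SafeString)."""


def mark_safe(s: str) -> SafeString:
    """Disable auto-escaping for s; safe only if s was built from escaped parts."""
    return SafeString(s)


def conditional_escape(value) -> SafeString:
    """Escape unless the value is already marked safe, the rule Django applies."""
    if isinstance(value, SafeString):
        return value
    return SafeString(escape(str(value), quote=True))


def format_html(template: str, *args) -> SafeString:
    """Like Django's format_html: every argument is escaped (quotes included)
    before interpolation, so the result is safe by construction."""
    return mark_safe(template.format(*(conditional_escape(a) for a in args)))


def render_manual(import_settings: dict, esc) -> SafeString:
    """The shape DryRun flagged: each value goes through esc(), then the whole
    string is marked safe. Its safety depends entirely on what esc() covers."""
    rows = "".join(
        f'<tr><td>{esc(k)}</td><td title="{esc(v)}">{esc(v)}</td></tr>'
        for k, v in import_settings.items()
    )
    return mark_safe(f"<table>{rows}</table>")


def render_format_html(import_settings: dict) -> SafeString:
    """Hardened shape: no hand-written esc() calls to forget or get wrong."""
    rows = [
        format_html('<tr><td>{}</td><td title="{}">{}</td></tr>', k, v, v)
        for k, v in import_settings.items()
    ]
    return format_html("<table>{}</table>", mark_safe("".join(rows)))


def tags_only_esc(value) -> str:
    """Escaper that covers element text but not attribute values (no quotes)."""
    return str(value).replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


# Constructed sample: a service name that would break out of a quoted attribute.
SAMPLE_SETTINGS = {"service": 'billing" x="y', "minimum_severity": "Low<b>"}
```

With `html.escape` as the escaper both renderers produce the same escaped output; with an escaper that ignores quotes, `render_manual` lets the value terminate the `title` attribute while `render_format_html` cannot, which is exactly the "context-appropriate escaping" condition the finding names.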
There are some more useful fields to store for context/reference, i.e. the service field.