CVE-2025-62780 - Stored XSS in Watch update via API

2025-10-30 14:17:40 +00:00 · 2025-10-28 09:26:17 +01:00
parent 8f580ac96b
commit 2116b2cb93
9 changed files with 65 additions and 22 deletions
--- a/changedetectionio/flask_app.py
+++ b/changedetectionio/flask_app.py
@@ -133,6 +133,11 @@ def get_socketio_path():
    # Socket.IO will be available at {prefix}/socket.io/
    return prefix

+@app.template_global('is_safe_url')
+def _is_safe_url(test_url):
+    from .html_tools import is_safe_url
+    return is_safe_url(test_url)
+

@app.template_filter('format_number_locale')
 def _jinja2_filter_format_number_locale(value: float) -> str: