feat(redesign): introduce new_base.html with waffle flag #4940
Conversation
The middleware checks a waffle flag to gradually roll out the new design when a requested view has a new template available.
- This file will use tailwind instead of bootstrap once tailwind support has been implemented. - Templates with new design should extend from new_base.html instead of the old one.
![semgrep-app[bot]](https://avatars.githubusercontent.com/in/60555?s=60&v=4){kind=small}
| {# Default values are to ensure JS parsing even if 500 error thrown #} | ||
| var isMember = {{ user.profile.is_member|yesno:"true,false" }}, | ||
| userAlertCount = {{ user.docket_alerts.subscriptions.count|default:"0" }}, | ||
| priceRtAlerts = parseFloat({{ MIN_DONATION.rt_alerts|default:0 }}), |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI. For Django, you may also consider using the 'json_script' template tag and retrieving the data in your script by using the element ID (e.g., document.getElementById).
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Leave a nosemgrep comment directly above or at the end of line 165 like so // nosemgrep: generic.html-templates.security.var-in-script-tag.var-in-script-tag
Take care to validate that this is not a true positive finding before ignoring it.
Learn more about ignoring code, files and folders here.
You can view more details about this finding in the Semgrep AppSec Platform.
| <script type="text/javascript" nonce="{{ request.csp_nonce }}"> | ||
| {# Default values are to ensure JS parsing even if 500 error thrown #} | ||
| var isMember = {{ user.profile.is_member|yesno:"true,false" }}, | ||
| userAlertCount = {{ user.docket_alerts.subscriptions.count|default:"0" }}, |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI. For Django, you may also consider using the 'json_script' template tag and retrieving the data in your script by using the element ID (e.g., document.getElementById).
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Leave a nosemgrep comment directly above or at the end of line 164 like so // nosemgrep: generic.html-templates.security.var-in-script-tag.var-in-script-tag
Take care to validate that this is not a true positive finding before ignoring it.
Learn more about ignoring code, files and folders here.
You can view more details about this finding in the Semgrep AppSec Platform.
| <script type="text/javascript" src="{% static "js/base.js" %}"></script> | ||
| <script type="text/javascript" nonce="{{ request.csp_nonce }}"> | ||
| {# Default values are to ensure JS parsing even if 500 error thrown #} | ||
| var isMember = {{ user.profile.is_member|yesno:"true,false" }}, |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI. For Django, you may also consider using the 'json_script' template tag and retrieving the data in your script by using the element ID (e.g., document.getElementById).
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Leave a nosemgrep comment directly above or at the end of line 163 like so // nosemgrep: generic.html-templates.security.var-in-script-tag.var-in-script-tag
Take care to validate that this is not a true positive finding before ignoring it.
Learn more about ignoring code, files and folders here.
You can view more details about this finding in the Semgrep AppSec Platform.
| var isMember = {{ user.profile.is_member|yesno:"true,false" }}, | ||
| userAlertCount = {{ user.docket_alerts.subscriptions.count|default:"0" }}, | ||
| priceRtAlerts = parseFloat({{ MIN_DONATION.rt_alerts|default:0 }}), | ||
| maxFreeDocketAlerts = {{ MAX_FREE_DOCKET_ALERTS|default:0 }}, |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI. For Django, you may also consider using the 'json_script' template tag and retrieving the data in your script by using the element ID (e.g., document.getElementById).
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Leave a nosemgrep comment directly above or at the end of line 166 like so // nosemgrep: generic.html-templates.security.var-in-script-tag.var-in-script-tag
Take care to validate that this is not a true positive finding before ignoring it.
Learn more about ignoring code, files and folders here.
You can view more details about this finding in the Semgrep AppSec Platform.
| userAlertCount = {{ user.docket_alerts.subscriptions.count|default:"0" }}, | ||
| priceRtAlerts = parseFloat({{ MIN_DONATION.rt_alerts|default:0 }}), | ||
| maxFreeDocketAlerts = {{ MAX_FREE_DOCKET_ALERTS|default:0 }}, | ||
| recapBonusAlerts = {{ DOCKET_ALERT_RECAP_BONUS|default:0 }}; |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI. For Django, you may also consider using the 'json_script' template tag and retrieving the data in your script by using the element ID (e.g., document.getElementById).
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Leave a nosemgrep comment directly above or at the end of line 167 like so // nosemgrep: generic.html-templates.security.var-in-script-tag.var-in-script-tag
Take care to validate that this is not a true positive finding before ignoring it.
Learn more about ignoring code, files and folders here.
You can view more details about this finding in the Semgrep AppSec Platform.
There was a problem hiding this comment.
This looks pretty good! We will need a way of handling tests though, so that they pass. Maybe an easy way to handle this is to make sure that the flag for the new design is off by default, so that the tests continue running on the old design instead of the new. Then, when we're closer to being done, we can flip the default and make sure they work on the new design.
I think the rest looks good. This will be fun and weird.
|
Let's get tests passing before merging, but @ERosendo, it might be good to have your review now anyway, just to see if you think the design is a good direction. I like it, I think, but this is a weird project with a lot of ways to do things, so more perspectives is probably smart. |
The tests were indeed creating a flag that is on by default, as per waffle's config ( The issue with the tests was that we already had some templates that started with |
|
Oh no I broke the tests again 😮💨 I'll see what's going on |
|
The broken tests are those that are counting the queries executed ( |
|
@elisa-a-v I really like the middleware you created! It seems like your approach addresses @mlissner's concerns about testing. However, I have a slight concern regarding the While looking through the Django-waffle documentation, I came across some decorators that might make testing easier. There's one called I think exploring this alternative approach could be beneficial because it might also addresses Mike's concerns about the flag during testing, and it would save us an extra database query when loading pages. What do you think? |
|
Thanks @ERosendo ! You raise an important concern with the overhead introduced by the additional DB query, and now I see it makes no sense to keep that there. In practice, the only issue that the check is preventing is the automatic flag creation with a default Let's revert the last two commits and make sure we create the flag before merging. I see I have enough permissions to do it, shall I create it right away just for superusers and staff? @mlissner |
|
Checking the DB for a query like this is almost instant (the table is tiny and the OS will cache it), so I had accepted that it was going to be something we did. That aside though, I don't see how decorating the tests gets us out of doing the query. Whether or not the flag is true or false, we still have to check it, don't we? Anyway, I guess my stance is I think whatever we do here is fine to get the tests passing and the waffle in place. If we can avoid the query, great, but I don't see how except to use a setting, and that seems annoying to deal with. |
I don't think it does.
Well, the query is only useful while the flag doesn't exist, because we want to prevent waffle from creating it with a default Note the tests were initially failing not because of a flag that was on, but because of the prefix used that clashed with the preexisting The "cleanest" solution code-wise, imo, is reverting the last two commits (the ones that add the DB query and the tests patch), that way we use the plain |
|
Sounds good to me. Thanks for explaining again. |
|
Cool. Do we have a preferred way to undo commits? I kinda like |
|
Some around here have strong opinions. I'm happy with things that get it done. I'd probably reset and force, personally. :) |
elisa-a-v
force-pushed
the
4815-new-base.html
branch
from
55fea10 to
414380a
Compare
|
I'm going for it! Let's see how this goes and if needed, I can revert. Looks like the waffle is in place, so I think we should be good to go. |
|
Total success: https://bsky.app/profile/michaeljaylissner.com/post/3lgmyvtejis2a 🚀 |
Closes #4815
This PR adds a middleware that checks a waffle flag (
use_new_design) and changes the old template with the new one when a new template exists.It also includes a copy of
base.htmlwithout bootstrap, and a new template for the help index that extends from it, both of which need to be updated when tailwind support is ready; things do NOT look good!To identify the new template we prepend "v2_" to the old template name, which means if the old
template_nameincludes a dir, like"help/index.html", the new template should be in"v2_help/index.html"and NOT in"help/v2_index.html".