Sanitize rendered custom link HTML

[jeremystretch]

NetBox version

v3.4.7

Feature type

Change to existing functionality

Proposed functionality

Custom links enable users to craft customized buttons in the UI relevant to particular objects. Both the link URL and text can be rendered from a Jinja2 template.

This FR proposes sanitizing the rendered URL and text to guard against potentially malicious content. We should be able to utilize the clean_html() utility function already in place for this purpose. The sanitization would occur after either piece of content has been fully rendered by the Jinja2 engine.

Use case

Ensures well-formed content and mitigates the risk of users crafting malicious links.

Database changes

No response

External dependencies

No response

[jeremystretch]

Thanks @x64x6a for implementing this in 89fa546!

[x64x6a]

Sorry, but I just noticed that my commit has a bug that encodes '%' and '=', so links with GET parameters or URL encoded values would be failing.

I believe this line - 89fa546#diff-7cd550a7e9a8bf633ee98ba17fdb140a64186bf257070850a6edc93e09b00004R282

        link = urllib.parse.quote_plus(link, safe='/:?&')

Would need to add '%=' to safe in order for them to be ignored so they are not encoded:

        link = urllib.parse.quote_plus(link, safe='/:?&%=')

[x64x6a]

Should we create a separate issue to resolve that issue or re-open this ticket?
I created a fork of the change - 032d4e1

[jeremystretch]

@x64x6a thanks for catching that. I've opened #12355 to track this if you'd like to submit a PR from your fork.