sync: canary changes to preview

apps/api/plane/api/serializers/issue.py

@@ -22,6 +22,11 @@ from plane.db.models import (
     User,
     EstimatePoint,
 )
+from plane.utils.content_validator import (
+    validate_html_content,
+    validate_json_content,
+    validate_binary_data,
+)
 
 from .base import BaseSerializer
 from .cycle import CycleLiteSerializer, CycleSerializer
@@ -83,6 +88,22 @@ class IssueSerializer(BaseSerializer):
         except Exception:
             raise serializers.ValidationError("Invalid HTML passed")
 
+        # Validate description content for security
+        if data.get("description"):
+            is_valid, error_msg = validate_json_content(data["description"])
+            if not is_valid:
+                raise serializers.ValidationError({"description": error_msg})
+
+        if data.get("description_html"):
+            is_valid, error_msg = validate_html_content(data["description_html"])
+            if not is_valid:
+                raise serializers.ValidationError({"description_html": error_msg})
+
+        if data.get("description_binary"):
+            is_valid, error_msg = validate_binary_data(data["description_binary"])
+            if not is_valid:
+                raise serializers.ValidationError({"description_binary": error_msg})
+
         # Validate assignees are from project
         if data.get("assignees", []):
             data["assignees"] = ProjectMember.objects.filter(
@@ -648,7 +669,6 @@ class IssueExpandSerializer(BaseSerializer):
     assignees = serializers.SerializerMethodField()
     state = StateLiteSerializer(read_only=True)
 
-
     def get_labels(self, obj):
         expand = self.context.get("expand", [])
         if "labels" in expand:
@@ -666,7 +686,6 @@ class IssueExpandSerializer(BaseSerializer):
             ).data
         return [ia.assignee_id for ia in obj.issue_assignee.all()]
 
-
     class Meta:
         model = Issue
         fields = "__all__"

apps/api/plane/api/serializers/project.py

@@ -10,6 +10,10 @@ from plane.db.models import (
     Estimate,
 )
 
+from plane.utils.content_validator import (
+    validate_html_content,
+    validate_json_content,
+)
 from .base import BaseSerializer
 
 
@@ -191,6 +195,29 @@ class ProjectSerializer(BaseSerializer):
                 "Default assignee should be a user in the workspace"
             )
 
+        # Validate description content for security
+        if "description" in data and data["description"]:
+            # For Project, description might be text field, not JSON
+            if isinstance(data["description"], dict):
+                is_valid, error_msg = validate_json_content(data["description"])
+                if not is_valid:
+                    raise serializers.ValidationError({"description": error_msg})
+
+        if "description_text" in data and data["description_text"]:
+            is_valid, error_msg = validate_json_content(data["description_text"])
+            if not is_valid:
+                raise serializers.ValidationError({"description_text": error_msg})
+
+        if "description_html" in data and data["description_html"]:
+            if isinstance(data["description_html"], dict):
+                is_valid, error_msg = validate_json_content(data["description_html"])
+            else:
+                is_valid, error_msg = validate_html_content(
+                    str(data["description_html"])
+                )
+            if not is_valid:
+                raise serializers.ValidationError({"description_html": error_msg})
+
         return data
 
     def create(self, validated_data):