From b3dfd1c353a49e82495074599c9cbf33811cd2dd Mon Sep 17 00:00:00 2001
From: bu <69127692+SCH227@users.noreply.github.com>
Date: Sat, 28 Jun 2025 14:50:18 -0400
Subject: [PATCH] [v3-0-test] Sanitize Username (#52419)
Escape user.username in flash banners to prevent potential HTML injection
(cherry picked from commit fb94109212b53fb71e40f0378df861dcd98e67b3)
Co-authored-by: bu <69127692+SCH227@users.noreply.github.com>
---
 .../fab/auth_manager/security_manager/override.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py b/providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py
index 7cb4377a956e8..5f1653db990a8 100644
--- a/providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py
+++ b/providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py
@@ -61,7 +61,7 @@
 from flask_jwt_extended import JWTManager
 from flask_login import LoginManager
 from itsdangerous import want_bytes
-from markupsafe import Markup
+from markupsafe import Markup, escape
 from sqlalchemy import func, inspect, or_, select
 from sqlalchemy.exc import MultipleResultsFound
 from sqlalchemy.orm import joinedload
@@ -539,8 +539,9 @@ def reset_user_sessions(self, user: User) -> None:
 user_session_model = interface.sql_session_model
 num_sessions = session.query(user_session_model).count()
 if num_sessions > MAX_NUM_DATABASE_USER_SESSIONS:
+ safe_username = escape(user.username)
 self._cli_safe_flash(
- f"The old sessions for user {user.username} have NOT been deleted!
"
+ f"The old sessions for user {safe_username} have NOT been deleted!
"
 f"You have a lot ({num_sessions}) of user sessions in the 'SESSIONS' table in "
 f"your database.
"
 "This indicates that this deployment might have an automated API calls that create "
@@ -557,9 +558,10 @@ def reset_user_sessions(self, user: User) -> None:
 session.delete(s)
 session.commit()
 else:
+ safe_username = escape(user.username)
 self._cli_safe_flash(
 "Since you are using `securecookie` session backend mechanism, we cannot prevent "
- f"some old sessions for user {user.username} to be reused.
If you want to make sure "
+ f"some old sessions for user {safe_username} to be reused.
If you want to make sure "
 "that the user is logged out from all sessions, you should consider using "
 "`database` session backend mechanism.
You can also change the 'secret_key` "
 "webserver configuration for all your webserver instances and restart the webserver. "
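Review bot: The added `safe_username = escape(user.username)` is repeated by hand in this `else:` branch and in the `if num_sessions > MAX_NUM_DATABASE_USER_SESSIONS:` branch of the previous hunk, so the banner stays safe only as long as every future f-string in `reset_user_sessions` remembers to interpolate the local instead of `user.username`. Because the message is evidently rendered as markup (the text is broken around what look like stripped HTML line-break tags, and `_cli_safe_flash` is outside the hunk, so I infer it wraps the text in `Markup`), a sturdier form ties escaping to the markup itself, e.g. `Markup("...some old sessions for user {username} to be reused...").format(username=user.username)`, since `Markup.format` escapes its arguments on its own. At minimum compute the escaped name once at the top of `reset_user_sessions` (its start and end are outside the hunk) rather than separately in each branch. Note also that `escape()` returns a `Markup` object but the surrounding f-string yields a plain `str`, so the result is correct here yet no longer carries the safe marker; an extra `escape()` of the assembled message downstream would double-encode the username and the line-break tags.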