From 8bc1c1b4668f60149b9071dcd977fdc5ca057780 Mon Sep 17 00:00:00 2001
From: Mike McLean <mikem@redhat.com>
Date: Tue, 6 May 2025 11:19:27 -0400
Subject: [PATCH] fix bandit B704

---
 .bandit.yaml            | 3 +++
 tox.ini                 | 2 +-
 www/lib/kojiweb/util.py | 9 ++++++++-
 3 files changed, 12 insertions(+), 2 deletions(-)
 create mode 100644 .bandit.yaml

diff --git a/.bandit.yaml b/.bandit.yaml
new file mode 100644
index 00000000..2d8b5401
--- /dev/null
+++ b/.bandit.yaml
@@ -0,0 +1,3 @@
+markupsafe_xss:
+    allowed_calls:
+        - _MarkTrustedValue
diff --git a/tox.ini b/tox.ini
index 2ceede75..972e6b32 100644
--- a/tox.ini
+++ b/tox.ini
@@ -91,7 +91,7 @@ deps =
     bandit
 allowlist_externals = bandit
 commands =
-    bandit -ll -s B108,B608 -r \
+    bandit -c .bandit.yaml -ll -s B108,B608 -r \
         builder cli kojihub koji plugins util vm www \
         builder/kojid \
         cli/koji \
diff --git a/www/lib/kojiweb/util.py b/www/lib/kojiweb/util.py
index db3fe6f1..2246f6e3 100644
--- a/www/lib/kojiweb/util.py
+++ b/www/lib/kojiweb/util.py
@@ -128,7 +128,14 @@ def themePath(path, local=False):
 
 # previously we had a custom SafeValue class here, but the Markup class does the same thing better
 def SafeValue(value):
-    return Markup(value)
+    """Mark a value as safe so that the template will not escape it"""
+    # NOTE: this function should only be used in places where we trust the value
+
+    def _MarkTrustedValue(value):
+        # wrapper to keep Bandit B704 from complaining
+        return value
+
+    return Markup(_MarkTrustedValue(value))
 
 
 def safe_return(func):