From ae0474450f067e2b296e3e74f3d1744f32d2d9c7 Mon Sep 17 00:00:00 2001
From: shamoon <4887959+shamoon@users.noreply.github.com>
Date: Thu, 26 Mar 2026 07:36:02 -0700
Subject: [PATCH] Chore: logger, response and template sanitization cleanup
 (#12439)

---
 src/documents/templates/account/login.html    | 10 +++++-----
 .../templates/account/password_reset.html     |  4 ++--
 .../account/password_reset_from_key.html      |  8 ++++----
 .../account/password_reset_from_key_done.html |  2 +-
 src/documents/templates/account/signup.html   | 20 +++++++++----------
 src/documents/templates/mfa/authenticate.html |  6 +++---
 .../socialaccount/authentication_error.html   |  2 +-
 .../templates/socialaccount/login.html        |  4 +++-
 .../templates/socialaccount/signup.html       | 14 +++++++------
 src/documents/views.py                        |  5 ++++-
 src/documents/workflows/actions.py            | 13 ++++++------
 .../templates/email_msg_template.html         | 19 ++++++++----------
 src/paperless_mail/tests/test_mail_oauth.py   |  5 ++++-
 src/paperless_mail/views.py                   | 15 ++++++++------
 14 files changed, 69 insertions(+), 58 deletions(-)

diff --git a/src/documents/templates/account/login.html b/src/documents/templates/account/login.html
index 767c21d7c..c66fa6e44 100644
--- a/src/documents/templates/account/login.html
+++ b/src/documents/templates/account/login.html
@@ -9,7 +9,7 @@
     <p>
       {% translate "Please sign in." %}
       {% if ACCOUNT_ALLOW_SIGNUPS %}
-          <br/>{% blocktrans %}Don't have an account yet? <a href="{{ signup_url }}">Sign up</a>{% endblocktrans %}
+          <br/>{% translate "Don't have an account yet?" %} <a href="{{ signup_url }}">{% translate "Sign up" %}</a>
       {% endif %}
     </p>
 {% endblock form_top_content %}
@@ -25,12 +25,12 @@
         {% translate "Username" as i18n_username %}
         {% translate "Password" as i18n_password %}
         <div class="form-floating form-stacked-top">
-            <input type="text" name="login" id="inputUsername" placeholder="{{ i18n_username }}" class="form-control" autocorrect="off" autocapitalize="none" required autofocus>
-            <label for="inputUsername">{{ i18n_username }}</label>
+            <input type="text" name="login" id="inputUsername" placeholder="{{ i18n_username|force_escape }}" class="form-control" autocorrect="off" autocapitalize="none" required autofocus>
+            <label for="inputUsername">{{ i18n_username|force_escape }}</label>
         </div>
         <div class="form-floating form-stacked-bottom">
-            <input type="password" name="password" id="inputPassword" placeholder="{{ i18n_password }}" class="form-control" required>
-            <label for="inputPassword">{{ i18n_password }}</label>
+            <input type="password" name="password" id="inputPassword" placeholder="{{ i18n_password|force_escape }}" class="form-control" required>
+            <label for="inputPassword">{{ i18n_password|force_escape }}</label>
         </div>
         <div class="d-grid mt-3">
             <button class="btn btn-lg btn-primary" type="submit">{% translate "Sign in" %}</button>
diff --git a/src/documents/templates/account/password_reset.html b/src/documents/templates/account/password_reset.html
index 019babd52..64629c76d 100644
--- a/src/documents/templates/account/password_reset.html
+++ b/src/documents/templates/account/password_reset.html
@@ -14,8 +14,8 @@
     {% endif %}
     {% translate "Email" as i18n_email %}
     <div class="form-floating">
-        <input type="email" name="{{form.email.name}}" id="inputEmail" placeholder="{{ i18n_email }}" class="form-control" required>
-        <label for="inputEmail">{{ i18n_email }}</label>
+        <input type="email" name="{{form.email.name}}" id="inputEmail" placeholder="{{ i18n_email|force_escape }}" class="form-control" required>
+        <label for="inputEmail">{{ i18n_email|force_escape }}</label>
     </div>
     <div class="d-grid mt-3">
         <button class="btn btn-lg btn-primary" type="submit">{% translate "Send me instructions!" %}</button>
diff --git a/src/documents/templates/account/password_reset_from_key.html b/src/documents/templates/account/password_reset_from_key.html
index a9b2c3406..bc06ee85c 100644
--- a/src/documents/templates/account/password_reset_from_key.html
+++ b/src/documents/templates/account/password_reset_from_key.html
@@ -17,12 +17,12 @@
         {% translate "New Password" as i18n_new_password1 %}
         {% translate "Confirm Password" as i18n_new_password2 %}
         <div class="form-floating form-stacked-top">
-            <input type="password" name="{{form.password1.name}}" id="inputPassword1" placeholder="{{ i18n_new_password1 }}" class="form-control" required>
-            <label for="inputPassword1">{{ i18n_new_password1 }}</label>
+            <input type="password" name="{{form.password1.name}}" id="inputPassword1" placeholder="{{ i18n_new_password1|force_escape }}" class="form-control" required>
+            <label for="inputPassword1">{{ i18n_new_password1|force_escape }}</label>
         </div>
         <div class="form-floating form-stacked-bottom">
-            <input type="password" name="{{form.password2.name}}" id="inputPassword2" placeholder="{{ i18n_new_password2 }}" class="form-control" required>
-            <label for="inputPassword2">{{ i18n_new_password2 }}</label>
+            <input type="password" name="{{form.password2.name}}" id="inputPassword2" placeholder="{{ i18n_new_password2|force_escape }}" class="form-control" required>
+            <label for="inputPassword2">{{ i18n_new_password2|force_escape }}</label>
         </div>
         <div class="d-grid mt-3">
             <button class="btn btn-lg btn-primary" type="submit">{% translate "Change my password" %}</button>
diff --git a/src/documents/templates/account/password_reset_from_key_done.html b/src/documents/templates/account/password_reset_from_key_done.html
index 420901a6c..4909ea9be 100644
--- a/src/documents/templates/account/password_reset_from_key_done.html
+++ b/src/documents/templates/account/password_reset_from_key_done.html
@@ -11,5 +11,5 @@
 
 {% block form_content %}
     {% url 'account_login' as login_url %}
-    <p>{% blocktranslate %}Your new password has been set. You can now <a href="{{ login_url }}">log in</a>{% endblocktranslate %}.</p>
+    <p>{% translate "Your new password has been set. You can now" %} <a href="{{ login_url }}">{% translate "log in" %}</a>.</p>
 {% endblock form_content %}
diff --git a/src/documents/templates/account/signup.html b/src/documents/templates/account/signup.html
index 9ab79d3df..000cd6366 100644
--- a/src/documents/templates/account/signup.html
+++ b/src/documents/templates/account/signup.html
@@ -8,7 +8,7 @@
 {% block form_top_content %}
 		{% if not FIRST_INSTALL %}
 			<p>
-					{% blocktrans %}Already have an account? <a href="{{ login_url }}">Sign in</a>{% endblocktrans %}
+					{% translate "Already have an account?" %} <a href="{{ login_url }}">{% translate "Sign in" %}</a>
 			</p>
 		{% endif %}
 {% endblock form_top_content %}
@@ -16,7 +16,7 @@
 {% block form_content %}
 		{% if FIRST_INSTALL %}
 			<p>
-				{% blocktrans %}Note: This is the first user account for this installation and will be granted superuser privileges.{% endblocktrans %}
+				{% translate "Note: This is the first user account for this installation and will be granted superuser privileges." %}
 			</p>
 		{% endif %}
     {% translate "Username" as i18n_username %}
@@ -24,20 +24,20 @@
     {% translate "Password" as i18n_password1 %}
     {% translate "Password (again)" as i18n_password2 %}
     <div class="form-floating form-stacked-top">
-        <input type="text" name="username" id="inputUsername" placeholder="{{ i18n_username }}" class="form-control" autocorrect="off" autocapitalize="none" required autofocus>
-        <label for="inputUsername">{{ i18n_username }}</label>
+        <input type="text" name="username" id="inputUsername" placeholder="{{ i18n_username|force_escape }}" class="form-control" autocorrect="off" autocapitalize="none" required autofocus>
+        <label for="inputUsername">{{ i18n_username|force_escape }}</label>
     </div>
     <div class="form-floating form-stacked-middle">
-        <input type="email" name="email" id="inputEmail" placeholder="{{ i18n_email }}" class="form-control">
-        <label for="inputEmail">{{ i18n_email }}</label>
+        <input type="email" name="email" id="inputEmail" placeholder="{{ i18n_email|force_escape }}" class="form-control">
+        <label for="inputEmail">{{ i18n_email|force_escape }}</label>
     </div>
     <div class="form-floating form-stacked-middle">
-        <input type="password" name="password1" id="inputPassword1" placeholder="{{ i18n_password1 }}" class="form-control" required>
-        <label for="inputPassword1">{{ i18n_password1 }}</label>
+        <input type="password" name="password1" id="inputPassword1" placeholder="{{ i18n_password1|force_escape }}" class="form-control" required>
+        <label for="inputPassword1">{{ i18n_password1|force_escape }}</label>
     </div>
     <div class="form-floating form-stacked-bottom">
-        <input type="password" name="password2" id="inputPassword2" placeholder="{{ i18n_password2 }}" class="form-control" required>
-        <label for="inputPassword2">{{ i18n_password2 }}</label>
+        <input type="password" name="password2" id="inputPassword2" placeholder="{{ i18n_password2|force_escape }}" class="form-control" required>
+        <label for="inputPassword2">{{ i18n_password2|force_escape }}</label>
     </div>
     <div class="d-grid mt-3">
         <button class="btn btn-lg btn-primary" type="submit">{% translate "Sign up" %}</button>
diff --git a/src/documents/templates/mfa/authenticate.html b/src/documents/templates/mfa/authenticate.html
index cfc29da2b..e86565189 100644
--- a/src/documents/templates/mfa/authenticate.html
+++ b/src/documents/templates/mfa/authenticate.html
@@ -9,15 +9,15 @@
 
 {% block form_top_content %}
 	<p>
-		{% blocktranslate %}Your account is protected by two-factor authentication. Please enter an authenticator code:{% endblocktranslate %}
+		{% translate "Your account is protected by two-factor authentication. Please enter an authenticator code:" %}
 	</p>
 {% endblock form_top_content %}
 
 {% block form_content %}
 {% translate "Code" as i18n_code %}
 <div class="form-floating">
-		<input type="code" name="code" id="inputCode" autocomplete="one-time-code" placeholder="{{ i18n_code }}" class="form-control" required autofocus>
-		<label for="inputCode">{{ i18n_code }}</label>
+		<input type="code" name="code" id="inputCode" autocomplete="one-time-code" placeholder="{{ i18n_code|force_escape }}" class="form-control" required autofocus>
+		<label for="inputCode">{{ i18n_code|force_escape }}</label>
 </div>
 <div class="d-grid mt-3">
 		<button class="btn btn-lg btn-primary" type="submit">{% translate "Sign in" %}</button>
diff --git a/src/documents/templates/socialaccount/authentication_error.html b/src/documents/templates/socialaccount/authentication_error.html
index 6450a1678..8891f924e 100644
--- a/src/documents/templates/socialaccount/authentication_error.html
+++ b/src/documents/templates/socialaccount/authentication_error.html
@@ -7,5 +7,5 @@
 
 {% block form_content %}
     {% url 'account_login' as login_url %}
-    <p>{% blocktranslate %}An error occurred while attempting to login via your social network account. Back to the <a href="{{ login_url }}">login page</a>{% endblocktranslate %}</p>
+    <p>{% translate "An error occurred while attempting to login via your social network account. Back to the" %} <a href="{{ login_url }}">{% translate "login page" %}</a></p>
 {% endblock form_content %}
diff --git a/src/documents/templates/socialaccount/login.html b/src/documents/templates/socialaccount/login.html
index 70c71ced2..4e2e595a0 100644
--- a/src/documents/templates/socialaccount/login.html
+++ b/src/documents/templates/socialaccount/login.html
@@ -7,7 +7,9 @@
 
 {% block form_content %}
     <p>
-        {% blocktrans with provider.name as provider %}You are about to connect a new third-party account from {{ provider }}.{% endblocktrans %}
+        {% filter force_escape %}
+            {% blocktrans with provider=provider.name %}You are about to connect a new third-party account from {{ provider }}.{% endblocktrans %}
+        {% endfilter %}
     </p>
     <div class="d-grid mt-3">
         <button class="btn btn-lg btn-primary" type="submit">{% translate "Continue" %}</button>
diff --git a/src/documents/templates/socialaccount/signup.html b/src/documents/templates/socialaccount/signup.html
index 01f70a524..cf84ea935 100644
--- a/src/documents/templates/socialaccount/signup.html
+++ b/src/documents/templates/socialaccount/signup.html
@@ -7,18 +7,20 @@
 
 {% block form_content %}
     <p>
-        {% blocktrans with provider_name=account.get_provider.name %}You are about to use your {{provider_name}} account to login.{% endblocktrans %}
-        {% blocktrans %}As a final step, please complete the following form:{% endblocktrans %}
+        {% filter force_escape %}
+            {% blocktrans with provider_name=account.get_provider.name %}You are about to use your {{ provider_name }} account to login.{% endblocktrans %}
+        {% endfilter %}
+        {% translate "As a final step, please complete the following form:" %}
     </p>
     {% translate "Username" as i18n_username %}
     {% translate "Email (optional)" as i18n_email %}
     <div class="form-floating form-stacked-top">
-        <input type="text" name="{{ form.username.name }}" id="inputUsername" placeholder="{{ i18n_username }}" class="form-control" autocorrect="off" autocapitalize="none" required autofocus value="{{ form.username.value }}">
-        <label for="inputUsername">{{ i18n_username }}</label>
+        <input type="text" name="{{ form.username.name }}" id="inputUsername" placeholder="{{ i18n_username|force_escape }}" class="form-control" autocorrect="off" autocapitalize="none" required autofocus value="{{ form.username.value }}">
+        <label for="inputUsername">{{ i18n_username|force_escape }}</label>
     </div>
     <div class="form-floating form-stacked-bottom">
-        <input type="email" name="{{ form.email.name }}" id="inputEmail" placeholder="{{ i18n_email }}" class="form-control" autocorrect="off" autocapitalize="none" autofocus value="{{ form.email.value }}">
-        <label for="inputEmail">{{ i18n_email }}</label>
+        <input type="email" name="{{ form.email.name }}" id="inputEmail" placeholder="{{ i18n_email|force_escape }}" class="form-control" autocorrect="off" autocapitalize="none" autofocus value="{{ form.email.value }}">
+        <label for="inputEmail">{{ i18n_email|force_escape }}</label>
     </div>
     {% if redirect_field_value %}
         <input type="hidden" name="{{ redirect_field_name }}" value="{{ redirect_field_value }}" />
diff --git a/src/documents/views.py b/src/documents/views.py
index 0716ce66d..600acf078 100644
--- a/src/documents/views.py
+++ b/src/documents/views.py
@@ -2027,7 +2027,10 @@ class UnifiedSearchViewSet(DocumentViewSet):
             except NotFound:
                 raise
             except PermissionDenied as e:
-                return HttpResponseForbidden(str(e.detail))
+                invalid_more_like_id_message = _("Invalid more_like_id")
+                if str(e.detail) == str(invalid_more_like_id_message):
+                    return HttpResponseForbidden(invalid_more_like_id_message)
+                return HttpResponseForbidden(_("Insufficient permissions."))
             except Exception as e:
                 logger.warning(f"An error occurred listing search results: {e!s}")
                 return HttpResponseBadRequest(
diff --git a/src/documents/workflows/actions.py b/src/documents/workflows/actions.py
index 46d9f5c4a..9744048e5 100644
--- a/src/documents/workflows/actions.py
+++ b/src/documents/workflows/actions.py
@@ -282,7 +282,7 @@ def execute_password_removal_action(
     passwords = action.passwords
     if not passwords:
         logger.warning(
-            "Password removal action %s has no passwords configured",
+            "Workflow action %s has no configured unlock values",
             action.pk,
             extra={"group": logging_group},
         )
@@ -321,22 +321,23 @@ def execute_password_removal_action(
                 user=document.owner,
             )
             logger.info(
-                "Removed password from document %s using workflow action %s",
+                "Unlocked document %s using workflow action %s",
                 document.pk,
                 action.pk,
                 extra={"group": logging_group},
             )
             return
-        except ValueError as e:
+        except ValueError:
             logger.warning(
-                "Password removal failed for document %s with supplied password: %s",
+                "Workflow action %s could not unlock document %s with one configured value",
+                action.pk,
                 document.pk,
-                e,
                 extra={"group": logging_group},
             )
 
     logger.error(
-        "Password removal failed for document %s after trying all provided passwords",
+        "Workflow action %s could not unlock document %s with any configured value",
+        action.pk,
         document.pk,
         extra={"group": logging_group},
     )
diff --git a/src/paperless_mail/templates/email_msg_template.html b/src/paperless_mail/templates/email_msg_template.html
index a22666957..9df67e997 100644
--- a/src/paperless_mail/templates/email_msg_template.html
+++ b/src/paperless_mail/templates/email_msg_template.html
@@ -1,4 +1,3 @@
-{% autoescape off %}
 <!doctype html>
 <html>
 
@@ -13,36 +12,34 @@
     <!-- Header -->
     <div class="grid gap-x-2 bg-slate-200 p-4">
 
-      <div class="col-start-9 col-span-4 row-start-1 text-right">{{ date }}</div>
+      <div class="col-start-9 col-span-4 row-start-1 text-right">{{ date|safe }}</div>
 
       <div class="col-start-1 row-start-1 text-slate-400 text-right">{{ from_label }}</div>
-      <div class="col-start-2 col-span-7 row-start-1">{{ from }}</div>
+      <div class="col-start-2 col-span-7 row-start-1">{{ from|safe }}</div>
 
       <div class="col-start-1 row-start-2 text-slate-400 text-right">{{ subject_label }}</div>
-      <div class=" col-start-2 col-span-10 row-start-2 font-bold">{{ subject }}</div>
+      <div class=" col-start-2 col-span-10 row-start-2 font-bold">{{ subject|safe }}</div>
 
       <div class="col-start-1 row-start-3 text-slate-400 text-right">{{ to_label }}</div>
-      <div class="col-start-2 col-span-10 row-start-3 text-sm my-0.5">{{ to }}</div>
+      <div class="col-start-2 col-span-10 row-start-3 text-sm my-0.5">{{ to|safe }}</div>
 
       <div class="col-start-1 row-start-4 text-slate-400 text-right">{{ cc_label }}</div>
-      <div class="col-start-2 col-span-10 row-start-4 text-sm my-0.5">{{ cc }}</div>
+      <div class="col-start-2 col-span-10 row-start-4 text-sm my-0.5">{{ cc|safe }}</div>
 
       <div class="col-start-1 row-start-5 text-slate-400 text-right">{{ bcc_label }}</div>
-      <div class="col-start-2 col-span-10 row-start-5" text-sm my-0.5>{{ bcc }}</div>
+      <div class="col-start-2 col-span-10 row-start-5" text-sm my-0.5>{{ bcc|safe }}</div>
 
 			<div class="col-start-1 row-start-6	 text-slate-400 text-right">{{ attachments_label }}</div>
-      <div class="col-start-2 col-span-10 row-start-6">{{ attachments }}</div>
+      <div class="col-start-2 col-span-10 row-start-6">{{ attachments|safe }}</div>
     </div>
 
     <!-- Separator-->
     <div class="border-t border-solid border-b w-full h-[1px] box-content border-black mb-5 bg-slate-200"></div>
 
     <!-- Content-->
-    <div class="w-full break-words">{{ content }}</div>
+    <div class="w-full break-words">{{ content|safe }}</div>
 	</div>
 
 </body>
 
 </html>
-
-{% endautoescape %}
diff --git a/src/paperless_mail/tests/test_mail_oauth.py b/src/paperless_mail/tests/test_mail_oauth.py
index 651094673..d94e7947b 100644
--- a/src/paperless_mail/tests/test_mail_oauth.py
+++ b/src/paperless_mail/tests/test_mail_oauth.py
@@ -191,7 +191,10 @@ class TestMailOAuth(
                 ).exists(),
             )
 
-            self.assertIn("Error getting access token: test_error", cm.output[0])
+            self.assertIn(
+                "Error getting access token from OAuth provider",
+                cm.output[0],
+            )
 
     def test_oauth_callback_view_insufficient_permissions(self) -> None:
         """
diff --git a/src/paperless_mail/views.py b/src/paperless_mail/views.py
index b8ac2c485..2593797f3 100644
--- a/src/paperless_mail/views.py
+++ b/src/paperless_mail/views.py
@@ -138,13 +138,16 @@ class MailAccountViewSet(ModelViewSet, PassUserMixin):
                         existing_account.refresh_from_db()
                         account.password = existing_account.password
                     else:
+                        logger.error(
+                            "Mail account connectivity test failed: Unable to refresh oauth token",
+                        )
                         raise MailError("Unable to refresh oauth token")
 
                 mailbox_login(M, account)
                 return Response({"success": True})
-            except MailError as e:
+            except MailError:
                 logger.error(
-                    f"Mail account {account} test failed: {e}",
+                    "Mail account connectivity test failed",
                 )
                 return HttpResponseBadRequest("Unable to connect to server")
 
@@ -218,7 +221,7 @@ class OauthCallbackView(GenericAPIView):
 
         if code is None:
             logger.error(
-                f"Invalid oauth callback request, code: {code}, scope: {scope}",
+                "Invalid oauth callback request: missing code",
             )
             return HttpResponseBadRequest("Invalid request, see logs for more detail")
 
@@ -229,7 +232,7 @@ class OauthCallbackView(GenericAPIView):
         state = request.query_params.get("state", "")
         if not oauth_manager.validate_state(state):
             logger.error(
-                f"Invalid oauth callback request received state: {state}, expected: {oauth_manager.state}",
+                "Invalid oauth callback request: state validation failed",
             )
             return HttpResponseBadRequest("Invalid request, see logs for more detail")
 
@@ -276,8 +279,8 @@ class OauthCallbackView(GenericAPIView):
             return HttpResponseRedirect(
                 f"{oauth_manager.oauth_redirect_url}?oauth_success=1&account_id={account.pk}",
             )
-        except GetAccessTokenError as e:
-            logger.error(f"Error getting access token: {e}")
+        except GetAccessTokenError:
+            logger.error("Error getting access token from OAuth provider")
             return HttpResponseRedirect(
                 f"{oauth_manager.oauth_redirect_url}?oauth_success=0",
             )