fix(security): escape user input in validation error HTML
format_validation_errors interpolated Pydantic error messages directly into HTML. Some messages echo user input (e.g. "Invalid group name '<name>'"), so a crafted group name was reflected as raw HTML — a stored/reflected XSS. HTML-escape each formatted message before interpolation. Refs: porchlight-due Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
437ad59658
commit
c52778326e
2 changed files with 16 additions and 1 deletions
|
|
@ -1,3 +1,4 @@
|
|||
import html
|
||||
import re
|
||||
from typing import Annotated
|
||||
from urllib.parse import urlparse
|
||||
|
|
@ -166,7 +167,9 @@ def format_validation_errors(exc: ValidationError) -> str:
|
|||
display_msg = f"{label}: {raw}"
|
||||
else:
|
||||
display_msg = f"{label}: {msg}"
|
||||
messages.append(display_msg)
|
||||
# Escape: messages can echo user input (e.g. an invalid group name),
|
||||
# and the result is interpolated into HTML below.
|
||||
messages.append(html.escape(display_msg))
|
||||
|
||||
if len(messages) == 1:
|
||||
return f'<div role="alert">{messages[0]}</div>'
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue