Skip to content

Commit

Permalink
Avoids potential XSS by escaping input before returning
Browse files Browse the repository at this point in the history
  • Loading branch information
karlbrown-va committed Sep 18, 2024
1 parent a1be9aa commit 29f89bf
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 4 deletions.
9 changes: 9 additions & 0 deletions tests/test_wtf.py
Original file line number Diff line number Diff line change
Expand Up @@ -99,3 +99,12 @@ def test_not_found(client):
assert b"not found!" in r.data
assert b"13231312334" in r.data
assert r.status_code == http.HTTPStatus.OK


def test_xss_vule(client):
"""Ensures that HTMl elements are properly escaped in the returned result"""
data = {"text": "<<SCRIPT>alert('XSS');//\<</SCRIPT>", "token": TEST_TOKENS[0]}
r = client.post(ROUTE, data=data)
assert b"not found!" in r.data
assert b"&lt;&lt;SCRIPT&gt;alert(&#x27;XSS&#x27;);//\\&lt;&lt;/SCRIPT&gt;" in r.data
assert r.status_code == http.HTTPStatus.OK
9 changes: 5 additions & 4 deletions wtf_bot/wtf.py
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
import csv
import html
import http

import requests
Expand Down Expand Up @@ -61,12 +62,12 @@ def slack():
else:
response = " - " + acronym_defined[0]

response = req["text"] + "\n" + response
response = html.escape(req["text"]) + "\n" + response

except KeyError:
response = """
Entry for '{}' not found! Acronyms may be added at
response = f"""
Entry for '{html.escape(req["text"])}' not found! Acronyms may be added at
https://github.com/department-of-veterans-affairs/acronyms/blob/master/acronyms.csv
""".format(req["text"])
"""

return make_response(response)

0 comments on commit 29f89bf

Please sign in to comment.