From 29f89bfa08769a42906735d3a8eecb8ae828419b Mon Sep 17 00:00:00 2001
From: Karl Brown
Date: Wed, 18 Sep 2024 17:35:55 -0400
Subject: [PATCH] Avoids potential XSS by escaping input before returning

---
 tests/test_wtf.py | 9 +++++++++
 wtf_bot/wtf.py | 9 +++++----
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/tests/test_wtf.py b/tests/test_wtf.py
index 85628d7..43c4742 100644
--- a/tests/test_wtf.py
+++ b/tests/test_wtf.py
@@ -99,3 +99,12 @@ def test_not_found(client):
     assert b"not found!" in r.data
     assert b"13231312334" in r.data
     assert r.status_code == http.HTTPStatus.OK
+
+
+def test_xss_vule(client):
+    """Ensures that HTMl elements are properly escaped in the returned result"""
+    data = {"text": "<", "token": TEST_TOKENS[0]}
+    r = client.post(ROUTE, data=data)
+    assert b"not found!" in r.data
+    assert b"<<SCRIPT>alert('XSS');//\\<</SCRIPT>" in r.data
+    assert r.status_code == http.HTTPStatus.OK
diff --git a/wtf_bot/wtf.py b/wtf_bot/wtf.py
index 4482c5c..585a620 100644
--- a/wtf_bot/wtf.py
+++ b/wtf_bot/wtf.py
@@ -1,4 +1,5 @@
 import csv
+import html
 import http
 
 import requests
@@ -61,12 +62,12 @@ def slack():
         else:
             response = " - " + acronym_defined[0]
 
-        response = req["text"] + "\n" + response
+        response = html.escape(req["text"]) + "\n" + response
     except KeyError:
-        response = """
-        Entry for '{}' not found! Acronyms may be added at
+        response = f"""
+        Entry for '{html.escape(req["text"])}' not found! Acronyms may be added at
         https://github.com/department-of-veterans-affairs/acronyms/blob/master/acronyms.csv
-        """.format(req["text"])
+        """

     return make_response(response)
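Review bot: The new test only checks that an escaped rendering appears in `r.data`; it never asserts that the unescaped input is absent, which is the property the commit is meant to guarantee, so adding `assert b"<SCRIPT>" not in r.data` would make the test fail if the escaping were later removed. As rendered here the posted `data["text"]` is just `"<"` while the expected substring is much longer, so the two lines look inconsistent — presumably the original literals were entity-encoded and decoded in rendering, but it is worth confirming the test really posts the input it claims to. Minor: the name `test_xss_vule` and the docstring's `HTMl` look like typos (`test_xss_vuln`, `HTML`).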
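Review bot: `html.escape` defaults to `quote=True`, so the new line `response = html.escape(req["text"]) + "\n" + response` also turns `'` into `&#x27;` and `"` into `&quot;`; if this body is displayed by Slack rather than a browser (the view is named `slack` and the text is not wrapped in any markup), users will see those entities literally in every reply containing an apostrophe. Escaping is the right move for a body that Flask's `make_response` serves as `text/html` by default, but consider also declaring the real content type, e.g. `return make_response(response, http.HTTPStatus.OK, {"Content-Type": "text/plain; charset=utf-8"})`, so a browser never interprets the echoed text as markup regardless of escaping. The `req["text"]` lookup is repeated inside the `except KeyError` handler (as it was before the change), so a request without a `text` field would raise a second, uncaught KeyError from the handler; reading `text = html.escape(req["text"])` once before the `try` would cover both branches. `slack()` begins above the hunk, so the `try` and the origin of `req` are not visible here.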