Escape user-defined text in API responses

KerbalStuff/blueprints/api.py

@@ -6,16 +6,15 @@
 from functools import wraps
 from typing import Dict, Any, Callable, Optional, Tuple, Iterable, List, Union
 
-import bcrypt
-from flask import Blueprint, url_for, current_app, request, abort
+from flask import Blueprint, url_for, current_app, request, abort, escape
 from flask_login import login_user, current_user
 from sqlalchemy import desc, asc
 from werkzeug.utils import secure_filename
 
 from .accounts import check_password_criteria
 from ..ckan import send_to_ckan, notify_ckan
 from ..common import json_output, paginate_query, with_session, get_paginated_mods, json_response, \
-    check_mod_editable, set_game_info, TRUE_STR, get_page
+    check_mod_editable, set_game_info, TRUE_STR, get_page, sanitize_text
 from ..config import _cfg, _cfgi
 from ..database import db
 from ..email import send_update_notification, send_grant_notice, send_password_changed
@@ -40,47 +39,47 @@
 # some helper functions to keep things consistent
 def user_info(user: User) -> Dict[str, Any]:
     return {
-        "username": user.username,
-        "description": user.description,
-        "forumUsername": user.forumUsername,
-        "ircNick": user.ircNick,
-        "twitterUsername": user.twitterUsername,
-        "redditUsername": user.redditUsername
+        "username":  escape(user.username),
+        "description": escape(user.description),
+        "forumUsername": escape(user.forumUsername),
+        "ircNick": escape(user.ircNick),
+        "twitterUsername": escape(user.twitterUsername),
+        "redditUsername": escape(user.redditUsername)
     }
 
 
 def mod_info(mod: Mod) -> Dict[str, Any]:
     return {
-        "name": mod.name,
+        "name": escape(mod.name),
         "id": mod.id,
         "game": mod.game.name,
         "game_id": mod.game_id,
-        "short_description": mod.short_description,
+        "short_description": escape(mod.short_description),
         "downloads": mod.download_count,
         "followers": mod.follower_count,
-        "author": mod.user.username,
+        "author": escape(mod.user.username),
         "default_version_id": mod.default_version.id,
         "shared_authors": list(),
-        "background": mod.background,
+        "background": mod.background_url(_cfg('protocol'), _cfg('cdn-domain')),
         "bg_offset_y": mod.bgOffsetY,
-        "license": mod.license,
-        "website": mod.external_link,
-        "donations": mod.donation_link,
-        "source_code": mod.source_link,
+        "license": escape(mod.license),
+        "website": escape(mod.external_link),
+        "donations": escape(mod.donation_link),
+        "source_code": escape(mod.source_link),
         "url": url_for("mods.mod", mod_id=mod.id, mod_name=mod.name)
     }
 
 
 def version_info(mod: Mod, version: ModVersion) -> Dict[str, Any]:
     return {
-        "friendly_version": version.friendly_version,
+        "friendly_version": escape(version.friendly_version),
         "game_version": version.gameversion.friendly_version,
         "id": version.id,
         "created": version.created,
         "download_path": url_for('mods.download', mod_id=mod.id,
                                  mod_name=mod.name,
                                  version=version.friendly_version),
-        "changelog": version.changelog,
+        "changelog": escape(version.changelog),
         "downloads": version.download_count,
     }