Merge pull request #11 from ch-rigu/main

Fix for XSS vulnerability in the 'url' parameter in ombott/error_render.py when an error is rendered
valq7711 · Apr 13, 2024 · 75d5929 · 75d5929 · mdipierro · Apr 13, 2024
2 parents a7f64e7 + 4b930d7
commit 75d5929
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/ombott/error_render.py b/ombott/error_render.py
@@ -1,10 +1,12 @@
 from pathlib import Path
+import html as sanitize_html
 
 html = Path(__file__).parent / 'error.html'
 
 _html_lns = []
 
 def render(err_resp, url, debug):
+    clean_url = sanitize_html.escape(url)
     ex = traceback = '-] Forbidden [-'
     if debug:
         traceback = err_resp.traceback
@@ -17,7 +19,7 @@ def render(err_resp, url, debug):
         e = err_resp,
         exception = ex,
         traceback = traceback,
-        url = repr(url)
+        url = repr(clean_url)
     )
 
     if not _html_lns: