Sanitize server response to UI code, using cgi.escape #1140
Conversation
| Read object, escape all dangerous values and return as json | ||
| ''' | ||
| #First generate json, using nipap encoding library | ||
| # We can't sanitize passed value since html_sanitize works on primitive values |
There was a problem hiding this comment.
line too long (82 > 79 characters)
| ''' | ||
| Read object, escape all dangerous values and return as json | ||
| ''' | ||
| #First generate json, using nipap encoding library |
There was a problem hiding this comment.
block comment should start with '# '
| value = cgi.escape(value, quote=True) | ||
| return value | ||
|
|
||
| def html_sanitize_json(value): |
|
|
||
| def html_sanitize(value): | ||
| if isinstance(value, dict): | ||
| value = {html_sanitize(k):html_sanitize(v) for k, v in value.iteritems()} |
There was a problem hiding this comment.
missing whitespace after ':'
line too long (81 > 79 characters)
|
|
||
| import cgi | ||
|
|
||
| def html_sanitize(value): |
|
|
||
| log = logging.getLogger(__name__) | ||
|
|
||
| import cgi |
There was a problem hiding this comment.
module level import not at top of file
| def html_sanitize(value): | ||
| if isinstance(value, dict): | ||
| value = {html_sanitize(k): html_sanitize(v) for | ||
| k, v in value.iteritems()} |
There was a problem hiding this comment.
continuation line under-indented for visual indent
|
To give example of existing XSS, and to verify this solves it: go back to main page, http://nipap-demo.spritelink.net/; there should be popup with XSS words. after this fix, this will not be possible, I think :) |
Jinja is already doing most of sanitization, but since % raw syntax is used at few places, this sanitization still helps with preventing XSS attack. `
|
Hey guys, any thoughts on this change? |
2 participants
Jinja is already doing most of sanitization, but since % raw syntax is used at few places, this sanitization still helps with preventing XSS attack.
Helps with solving #937
`