From 5403b51a5b1e7b303a0cf6711a4a63237bc25b8b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mose=20M=C3=BCller?=
Date: Thu, 3 Oct 2024 11:04:47 +0200
Subject: [PATCH] escape the user input before including it in the HTML response
---
 src/pydase/server/web_server/web_server.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/pydase/server/web_server/web_server.py b/src/pydase/server/web_server/web_server.py
index 1f9ba8e..3e3b75b 100644
--- a/src/pydase/server/web_server/web_server.py
+++ b/src/pydase/server/web_server/web_server.py
@@ -1,4 +1,5 @@
 import asyncio
+import html
 import json
 import logging
 from pathlib import Path
@@ -107,20 +108,23 @@ class WebServer:
 forwarded_prefix = request.headers.get("X-Forwarded-Prefix", "")
 if forwarded_prefix != "":
+ # Escape the forwarded prefix to prevent XSS
+ escaped_prefix = html.escape(forwarded_prefix)
+
 # Read the index.html file
 index_file_path = self.frontend_src / "index.html"
 async with await anyio.open_file(index_file_path) as f:
 html_content = await f.read()
- # Inject the forwarded prefix into the HTML
+ # Inject the escaped forwarded prefix into the HTML
 modified_html = html_content.replace(
 'window.__FORWARDED_PREFIX__ = "";',
- f'window.__FORWARDED_PREFIX__ = "{forwarded_prefix}";',
+ f'window.__FORWARDED_PREFIX__ = "{escaped_prefix}";',
 )
 modified_html = modified_html.replace(
 "/assets/",
- f"{forwarded_prefix}/assets/",
+ f"{escaped_prefix}/assets/",
 )
 return aiohttp.web.Response(
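Review bot: `html.escape` at `escaped_prefix = html.escape(forwarded_prefix)` neutralises markup characters but does not constrain the value to a path, so a header value that is a scheme-relative or absolute URL passes through unchanged into `f"{escaped_prefix}/assets/"`, and if index.html references its bundle through `src`/`href` attributes (which the `/assets/` replacement suggests) the page would load its assets from whatever origin the header names. Whether a client can influence `X-Forwarded-Prefix` depends on the deployment — the header is only trustworthy when a reverse proxy always overwrites it — so the server should validate the shape rather than rely on escaping alone, e.g. `if not re.fullmatch(r"(/[A-Za-z0-9._~-]+)+", forwarded_prefix): forwarded_prefix = ""` ahead of the `if forwarded_prefix != "":` check (this needs `import re` alongside the new `import html`). For the JavaScript literal at `f'window.__FORWARDED_PREFIX__ = "{escaped_prefix}";'`, HTML entity escaping is the wrong encoder for a `<script>` body (entities are not decoded there, so the browser sees `&quot;` literally, and `\` is left unescaped); `f"window.__FORWARDED_PREFIX__ = {json.dumps(forwarded_prefix)};"` with the already-imported `json` module produces a correctly quoted JS string. The enclosing method starts and ends outside the hunk.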