escape the user input before including it in the HTML response

This commit is contained in:
Mose Müller 2024-10-03 11:04:47 +02:00
parent 1270400e95
commit 5403b51a5b


@ -1,4 +1,5 @@
import asyncio import asyncio
import html
import json import json
import logging import logging
from pathlib import Path from pathlib import Path
@ -107,20 +108,23 @@ class WebServer:
forwarded_prefix = request.headers.get("X-Forwarded-Prefix", "") forwarded_prefix = request.headers.get("X-Forwarded-Prefix", "")
if forwarded_prefix != "": if forwarded_prefix != "":
# Escape the forwarded prefix to prevent XSS
escaped_prefix = html.escape(forwarded_prefix)
# Read the index.html file # Read the index.html file
index_file_path = self.frontend_src / "index.html" index_file_path = self.frontend_src / "index.html"
async with await anyio.open_file(index_file_path) as f: async with await anyio.open_file(index_file_path) as f:
html_content = await f.read() html_content = await f.read()
# Inject the forwarded prefix into the HTML # Inject the escaped forwarded prefix into the HTML
modified_html = html_content.replace( modified_html = html_content.replace(
'window.__FORWARDED_PREFIX__ = "";', 'window.__FORWARDED_PREFIX__ = "";',
f'window.__FORWARDED_PREFIX__ = "{forwarded_prefix}";', f'window.__FORWARDED_PREFIX__ = "{escaped_prefix}";',
) )
modified_html = modified_html.replace( modified_html = modified_html.replace(
"/assets/", "/assets/",
f"{forwarded_prefix}/assets/", f"{escaped_prefix}/assets/",
) )
return aiohttp.web.Response( return aiohttp.web.Response(