Closed dr3394 closed 1 week ago
@CSGY-9223-Group3/engineering & @CSGY-9223-Group3/security Bleach is deprecated, https://github.com/mozilla/bleach/issues/698. Please use a different HTML sanitization library such as https://github.com/matthiask/html-sanitizer/
Thank you @dr3394 for raising this important security concern, and @jjl9839 for the updated recommendation on the sanitization library.
We have addressed this issue by implementing input sanitization for both note creation and updates. Here are the changes we've made:
- We've added the `html-sanitizer` library as recommended, which is actively maintained and suitable for our needs.
- We've updated both the `create_note` and `update_note` functions to sanitize user input before storing or updating note content.
The sanitization process helps prevent potential XSS attacks and other injection vulnerabilities by removing potentially harmful HTML elements and attributes while preserving safe content.
Here's a snippet of the implemented changes:

```python
from html_sanitizer import Sanitizer

# Default html-sanitizer configuration: strips disallowed tags and attributes
sanitizer = Sanitizer()

# `notes` (the note store) and `can_user_modify()` are defined elsewhere in the app

def create_note(note_id, user, data, is_public):
    # Sanitize before the note text is stored
    sanitized_data = sanitizer.sanitize(data)
    notes[note_id] = {"text": sanitized_data, "author": user, "isPublic": is_public}
    # ... rest of the function

def update_note(note_id, user, data):
    if can_user_modify(user, note_id):
        # Sanitize before the stored text is replaced
        sanitized_data = sanitizer.sanitize(data)
        notes[note_id]["text"] = sanitized_data
    # ... rest of the function
```
Adjusted to make it a function:

```python
def sanitize_input(data):
    """Sanitize user input to prevent XSS."""
    return sanitizer.sanitize(data)
```
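To make concrete what "removing potentially harmful HTML elements and attributes while preserving safe content" means at the point where a note is created or updated, here is an added example that is not part of this issue, the project's code, or the html-sanitizer library. It builds a small allowlist sanitizer on the standard library's `html.parser` (so it runs with no third-party dependency) and wires it into a constructed in-memory note store that mirrors the `create_note`/`update_note` flow above; the author-equality check standing in for `can_user_modify` is an assumption for the example.

```python
"""Allowlist HTML sanitizer on the standard library (added example, not project code)."""
from html import escape
from html.parser import HTMLParser

# Allowlist: anything not listed is dropped (its text content is kept, escaped).
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "a", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


def _safe_url(value):
    """Accept only http(s)/mailto or same-site paths; reject javascript:/data: etc."""
    # Browsers ignore whitespace/control characters inside a scheme, so strip
    # them before checking ("java\tscript:" must not slip through).
    norm = "".join(ch for ch in value if ch.isprintable() and not ch.isspace()).lower()
    if norm.startswith(SAFE_URL_SCHEMES) or norm.startswith("#"):
        return True
    return norm.startswith("/") and not norm.startswith("//")  # no scheme-relative URLs


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # emitted fragments
        self.open_tags = []    # allowed tags awaiting their close tag
        self.skip_depth = 0    # >0 while inside <script>/<style>: drop the text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # disallowed element: drop the tag itself, keep its text
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers, style, etc. never reach here
            if name == "href" and not _safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        if tag in self.open_tags:  # close everything opened after it, then it
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text is always re-escaped

    def result(self):
        self.close()
        while self.open_tags:  # balance unclosed allowed tags
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_input(data):
    """Return `data` reduced to allowlisted tags/attributes with escaped text."""
    parser = AllowlistSanitizer()
    parser.feed(data)
    return parser.result()


# Constructed in-memory note store mirroring the issue's create/update flow.
notes = {}


def create_note(note_id, user, data, is_public):
    notes[note_id] = {"text": sanitize_input(data), "author": user, "isPublic": is_public}
    return notes[note_id]


def update_note(note_id, user, data):
    # Assumed stand-in for can_user_modify(): only the author may edit.
    if note_id in notes and notes[note_id]["author"] == user:
        notes[note_id]["text"] = sanitize_input(data)
        return True
    return False


if __name__ == "__main__":
    print(sanitize_input('<p>hi <script>alert(1)</script>there</p>'))       # <p>hi there</p>
    print(sanitize_input('<a href="javascript:alert(1)" onclick="x()">x</a>'))  # <a>x</a>
```

Two points worth keeping in mind with either this or html-sanitizer: Flask's Jinja2 templates autoescape by default, so sanitization is the relevant layer only where note text is rendered as markup (for example with `|safe`); and the `href` scheme check is the part most often missed when an allowlist is written by hand, which is a good reason to prefer a maintained library and review its default configuration rather than roll your own in production.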
There is no input validation or sanitization when creating or updating a note (`create_note`, `update_note`). This opens up the application to potential injection attacks, such as Cross-Site Scripting (XSS) or even command injection in the future. Use input validation and sanitization libraries to filter out or encode potentially harmful input. For Flask, libraries like `bleach` can be used to sanitize user input.