gradio-app / gradio

Build and share delightful machine learning apps, all in Python. 🌟 Star to support our work!
http://www.gradio.app
Apache License 2.0
34.11k stars 2.59k forks

Update(fix): HTML Injection Stored - Chatbot form #9996

Closed lamcodeofpwnosec closed 3 days ago

lamcodeofpwnosec commented 3 days ago

Description

Fixed: HTML injection vulnerability

https://github.com/gradio-app/gradio/security/advisories/GHSA-w9m8-hjxw-j7j5

Testing and Formatting Your Code

  1. PRs will only be merged if tests pass on CI. We recommend at least running the backend tests locally; please set up your Gradio environment locally and run the backend tests: bash scripts/run_backend_tests.sh

  2. Please run these bash scripts to automatically format your code: bash scripts/format_backend.sh, and (if you made any changes to non-Python files) bash scripts/format_frontend.sh

abidlabs commented 3 days ago

Hi @lamcodeofpwnosec thanks for the contribution, but this PR contains lots of mistakes -- for example, it removes all the docstrings and introduces typos. I'm also not convinced that the issue it is addressing is a real issue; I'll comment on the advisory itself. Closing this PR for now.