graphite-project / graphite-web

A highly scalable real-time graphing system
http://graphite.readthedocs.org/
Apache License 2.0
5.88k stars 1.26k forks

Sanitize error output to prevent XSS security issues #2782

Closed msaf1980 closed 1 year ago

deniszh commented 1 year ago

Hi @msaf1980, thanks for your patch! Maybe you know: do we have an issue for that XSS, or is it new?

msaf1980 commented 1 year ago

> Hi @msaf1980, thanks for your patch! Maybe you know: do we have an issue for that XSS, or is it new?

As I think, it fixes all XSS raised from all Django request handlers annotated with @handleInputParameterError (if the exception is InputParameterError). Works with https://github.com/graphite-project/graphite-web/issues/2779. And the PR has tests for /metrics/find to check that this works.
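The comment above describes the mechanism: a decorator wraps the Django request handlers, catches InputParameterError, and writes the exception message into the HTTP response, so a message that echoes unescaped request input becomes a reflected XSS. The example below is an added illustration, not code from graphite-web or from this PR; it assumes a hypothetical decorator modelled on the `@handleInputParameterError` name in the discussion, a minimal `Response` class standing in for Django's HttpResponse, a toy `_find_metrics` handler standing in for /metrics/find, and a constructed request payload. It shows the unsanitized "before" behaviour next to an escaping "after" decorator so the difference can be checked offline.

```python
"""Added illustration (not graphite-web's own code): why the message of an
InputParameterError must be sanitized before it is reflected, and how an
escaping decorator closes the reflected-XSS path.

Everything below is hypothetical and modelled on the PR discussion, not
taken from the repository: the request is a plain dict, Response stands in
for Django's HttpResponse, and the handler is a toy /metrics/find.
"""
import html


class InputParameterError(Exception):
    """Raised by a handler when a request parameter is malformed.
    The message typically echoes the offending value back to the client."""


class Response:
    """Minimal stand-in for a Django HttpResponse (hypothetical)."""

    def __init__(self, body, status=200, content_type="text/html"):
        self.body = body
        self.status = status
        self.content_type = content_type


def handle_input_parameter_error_unsafe(view):
    """'Before' behaviour: the exception text, which carries attacker-
    controlled input, is copied verbatim into an HTML response body."""
    def wrapper(request, *args, **kwargs):
        try:
            return view(request, *args, **kwargs)
        except InputParameterError as exc:
            return Response(f"Bad Request: {exc}", status=400)
    return wrapper


def handle_input_parameter_error(view):
    """'After' behaviour: HTML-escape the message (including quotes) before
    it reaches the body, and serve it as text/plain so a browser will not
    interpret it as markup even if some other path forgot to escape."""
    def wrapper(request, *args, **kwargs):
        try:
            return view(request, *args, **kwargs)
        except InputParameterError as exc:
            safe = html.escape(str(exc), quote=True)
            return Response(f"Bad Request: {safe}", status=400,
                            content_type="text/plain")
    return wrapper


def _find_metrics(request):
    """Toy handler standing in for /metrics/find: rejects an empty query or
    one containing markup characters, echoing the value in the error."""
    query = request.get("query", "")
    if not query or any(ch in query for ch in "<>\"'"):
        raise InputParameterError(f"Invalid query: {query!r}")
    return Response(f"results for {query}")


# Both wrappings of the same handler, so the two behaviours can be compared.
find_unsafe = handle_input_parameter_error_unsafe(_find_metrics)
find_safe = handle_input_parameter_error(_find_metrics)

# Constructed request payload: the shape a reflected-XSS probe would send.
PAYLOAD = {"query": "<script>alert(1)</script>"}


def reflects_markup(response):
    """True when the body still contains a live <script> tag."""
    return "<script" in response.body


if __name__ == "__main__":
    print("unsafe :", find_unsafe(PAYLOAD).body)   # tag reflected verbatim
    print("safe   :", find_safe(PAYLOAD).body)     # tag escaped to &lt;script&gt;
```

The escaping is done once, in the decorator, rather than in each handler that raises InputParameterError, which is the same leverage the PR description relies on: every view annotated with the decorator is covered without touching the views themselves. The `text/plain` content type is an extra layer, not a substitute for escaping; browsers honour it, but an API client that copies the body into its own HTML page would not be protected by it.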

deniszh commented 1 year ago

Yes, looks like the majority of issues. Nice fix! Will merge and check the open XSS tickets against it.

deniszh commented 1 year ago

💚 All backports created successfully

Status Branch
✅ 1.1.x

Questions? Please refer to the Backport tool documentation.