Closed vembacher closed 3 years ago
Currently, the input from forms can include JavaScript that is not escaped in order to prevent its execution.
For instance, it was possible to upload a program with the description:
<script>alert('xss');</script>
The code in the script tag is then executed. The same issue applies to many other fields.
I added some sanitation. The sanitation consists of using a slightly modified version of `html.escape` from the Python 3.9 standard library.
The sanitation is applied when creating/updating data in the database with user provided input.
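As an added illustration of the escape-on-write approach the description above outlines (this is example code, not code from this PR or from the project), the following Python routes user-supplied fields through the standard library's `html.escape` before inserting them into an in-memory SQLite table that stands in for the real schema (an assumption). It also shows the caveat a reviewer would raise with escaping at storage time: `html.escape` is not idempotent, so a record that is reloaded into an edit form and saved again through the same path comes back double-escaped (`&lt;` becomes `&amp;lt;`). The project's own modification to `html.escape` is not known from the page and is not reproduced here.

```python
import html
import sqlite3

# Constructed sample input: the same payload reported in the PR description.
XSS_PAYLOAD = "<script>alert('xss');</script>"


def sanitize(value):
    """Escape the five HTML-significant characters (&, <, >, ", ') so the
    stored string is inert when rendered as HTML text or inside a quoted
    attribute. Non-string values (ids, numbers) pass through unchanged."""
    if not isinstance(value, str):
        return value
    return html.escape(value, quote=True)


def sanitize_fields(record):
    """Apply sanitize() to every field of a user-supplied record."""
    return {key: sanitize(val) for key, val in record.items()}


def open_db():
    # Hypothetical schema; the real project's table layout is not on the page.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE program (id INTEGER PRIMARY KEY, name TEXT, description TEXT)"
    )
    return conn


def store_program(conn, name, description):
    """Escape on write, then insert with a parameterised query so HTML
    escaping is never relied on as an SQL-injection defence."""
    clean = sanitize_fields({"name": name, "description": description})
    cur = conn.execute(
        "INSERT INTO program (name, description) VALUES (?, ?)",
        (clean["name"], clean["description"]),
    )
    return cur.lastrowid


def load_description(conn, program_id):
    row = conn.execute(
        "SELECT description FROM program WHERE id = ?", (program_id,)
    ).fetchone()
    return row[0] if row else None


def contains_raw_markup(value):
    """Post-write check: True if any character that could open a tag or
    break out of a quoted attribute survived unescaped."""
    return any(ch in value for ch in "<>\"'")


def resave_description(conn, program_id):
    """Simulate an edit form that reloads the stored (already escaped) text
    and saves it again through the same escaping path. Demonstrates the
    double-escaping failure mode of escape-on-write."""
    current = load_description(conn, program_id)
    conn.execute(
        "UPDATE program SET description = ? WHERE id = ?",
        (sanitize(current), program_id),
    )
    return load_description(conn, program_id)


def demo():
    """Store the payload and return what actually landed in the database."""
    conn = open_db()
    pid = store_program(conn, "evil", XSS_PAYLOAD)
    return load_description(conn, pid)


if __name__ == "__main__":
    print(demo())
```

Because the escaping happens before the data reaches the database, every read path gets the escaped form, which is what makes the re-save case double-escape; the usual alternative is to store the raw text and escape at render time (most template engines do this by default), or to decode before repopulating an edit form.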
Thanks for your contribution! I believe this should fix CVE-2021-3351 for everyone that is tracking it.