Prevent arbitrary code execution exploits.

2020-11-06 23:41:42 +01:00 · 2020-11-06 23:41:42 +01:00 · 641d236aa9
commit 641d236aa9
parent 89f1e6e62c
1 changed files with 6 additions and 0 deletions
--- a/cara/apps/calculator/model_generator.py
+++ b/cara/apps/calculator/model_generator.py
@ -1,5 +1,6 @@
 from cara.models import Model
 from dataclasses import dataclass
+import html
 import typing

 from cara import models
@ -67,6 +68,11 @@ class FormData:
            if form_data[key] not in valid_set:
                raise ValueError(f"{form_data[key]} is not a valid value for {key}")

+        # Don't let arbirtrary unescaped HTML through the net.
+        for key, value in form_data.items():
+            if isinstance(value, str):
+                form_data[key] = html.escape(value)
+
        # TODO: This fixup is a problem with the form.html.
        for key, value in form_data.items():
            if value == "":