validation: always escape error messages

The validation object's error messages are intended for display (i.e.
HTML rendering). To assert that no user-supplied HTML is ever rendered,
escape the error messages as they are passed in.

Thanks to Naglis Jonaitis for the report.
Conrad Hoffmann 2024-01-24 13:16:36 +01:00 committed by Drew DeVault
parent d7502248e0
commit b663dbe7cf
1 changed files with 2 additions and 2 deletions


@ -1,4 +1,4 @@
from markupsafe import Markup
from markupsafe import escape, Markup
from urllib import parse
from enum import Enum, IntEnum
import json
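Review bot: `Markup` is kept in the import alongside the new `escape`; if the class still wraps messages in `Markup(...)` somewhere outside this hunk, note that `escape()` already returns a `Markup` instance, so such wrapping becomes redundant (it will not double-escape, since `Markup` passes through unchanged). If nothing else in the file uses `Markup` after this change, the import can be dropped.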
@ -6,7 +6,7 @@ import json
class ValidationError:
def __init__(self, field, message):
self.field = field
self.message = message
self.message = escape(message)
def json(self):
j = dict()
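Review bot: escaping only in `__init__` covers construction but not later assignment; any code that sets `self.message = ...` after the object exists bypasses the escape, so a property setter (or a short docstring stating that `message` is always stored escaped) would make the invariant harder to break. Two side effects worth documenting in the commit message: `escape()` returns a `Markup` object, so the `json()` method directly below will now serialize the entity-escaped text (`&lt;`, `&amp;`) rather than the raw message, which non-HTML consumers of that JSON may not expect; and because `escape()` passes `Markup` instances through untouched, any caller that intentionally passes trusted HTML must wrap it in `Markup` to keep its current behaviour.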