graphql: escape error messages for validation

The GraphQL error messages can contain user-supplied input (such as text
input that was deemed invalid). However, the validation object's error
messages are intended for display (i.e. HTML rendering). To assert that
no user-supplied HTML is rendered, escape the GraphQL error messages as
they get copied to the validation object.

Thanks to Naglis Jonaitis for the report.
Conrad Hoffmann 2024-01-24 13:03:31 +01:00 committed by Drew DeVault
parent 37f5c27cbf
commit d7502248e0
1 changed files with 2 additions and 1 deletions


@ -2,6 +2,7 @@ import json
import requests
from datetime import datetime
from flask import request, has_request_context
from markupsafe import escape
from srht.config import get_origin, cfg
from srht.crypto import encrypt_request_authorization
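Review bot: importing `escape` directly from `markupsafe` is the right choice here; `flask.escape` was only a re-export of the same function, deprecated in Flask 2.3 and removed in 3.0, so this import will not start warning or breaking on newer Flask. MarkupSafe is a hard dependency of Flask, which this module already imports two lines above, so no new requirement needs declaring.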
@ -119,4 +120,4 @@ def _copy_errors(valid, response):
field = None
if ext:
field = ext.get("field")
valid.error(msg, field=field)
valid.error(escape(msg), field=field)
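Review bot: `escape(msg)` returns a `markupsafe.Markup` instance rather than a plain `str`, so the value handed to `valid.error(...)` is now marked safe and will not be escaped a second time by an autoescaping Jinja template; that is correct for HTML output, but any path that serialises the validation errors to JSON or plain text will show entities such as `&lt;` literally. Confirm that these messages only ever reach HTML templates, or escape at the output boundary instead of at the copy. A one-line comment here saying why the escape lives in `_copy_errors` (the validation messages are treated as pre-rendered HTML downstream) would stop the next reader from removing it as redundant with template autoescape.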