graphql: escape error messages for validation
The GraphQL error messages can contain user-supplied input (such as text input that was deemed invalid). However, the validation object's error messages are intended for display (i.e. HTML rendering). To ensure that no user-supplied HTML is rendered, escape the GraphQL error messages as they get copied to the validation object. Thanks to Naglis Jonaitis for the report.
This commit is contained in:
parent
37f5c27cbf
commit
d7502248e0
|
@ -2,6 +2,7 @@ import json
|
|||
import requests
|
||||
from datetime import datetime
|
||||
from flask import request, has_request_context
|
||||
from markupsafe import escape
|
||||
from srht.config import get_origin, cfg
|
||||
from srht.crypto import encrypt_request_authorization
|
||||
|
||||
|
@ -119,4 +120,4 @@ def _copy_errors(valid, response):
|
|||
field = None
|
||||
if ext:
|
||||
field = ext.get("field")
|
||||
valid.error(msg, field=field)
|
||||
valid.error(escape(msg), field=field)
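Review bot: The `field` value read from the response extensions on the line `field = ext.get("field")` is passed to `valid.error` unescaped while only `msg` is escaped, so if the validation layer renders field names into HTML (for example to label the offending input) the same injection path is still open. How `field` is consumed is not visible from this hunk, so confirm that first; if it is rendered, `valid.error(escape(msg), field=escape(field) if field is not None else None)` closes the gap, whereas if it is used as a lookup key for form inputs it should stay a plain string. Note also that `escape()` returns a `markupsafe.Markup`, which Jinja treats as already safe and will not escape again, so any consumer that emits these messages as JSON or plain text will now see `&lt;`/`&gt;` entities; a comment such as `# msg may echo user input; escaped here because valid's messages are rendered as HTML` above the call would record that contract for later readers. `_copy_errors` begins before this hunk.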
|
||||
|
|