Prevent Cross Site Scripting (XSS)

Closed this issue 2 years ago · 1 comments

Wouterkoorn commented 2 years ago

All file contents are placed in the HTML without anything preventing XSS.
Simple example: https://inspector.pypi.io/project/inspector-test-package/0.0.0/packages/71/9a/24c8c3286a09bd3f82e17723562493128c6dc89e8fe177b3697bd31bb524/inspector-test-package-0.0.0.tar.gz/inspector-test-package-0.0.0/inspector-test-package/__init__.py

di commented 2 years ago

+1. I defaulted to passing everything through |safe just to get this up and running, but this should be prevented/preventable.