sileht/bird-lg

self xss in every page

wxcafe opened this issue · 3 comments

here

works on the input field, doesn't matter which dropdown menu option is selected

zorun commented

I really think that a good chunk of the code should be re-written from scratch...

In the meantime, any suggestion on how to fix this?

I would imagine that a fix would be to not dump the search string directly into the page but I don't really know how to do that while following web dev best practices

Maybe the simplest way is to use html.escape before sending the data to the browser:

>>> import html
>>> html.escape("2001:db8::")
'2001:db8::'
>>> html.escape("2001:db8::/48")
'2001:db8::/48'
>>> html.escape("192.0.2.0/24")
'192.0.2.0/24'
>>> html.escape("<attack>2001:db8::/48")
'&lt;attack&gt;2001:db8::/48'
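The escaping suggested above, carried through to the point where the search string is put back into the page. This is an added illustration, not bird-lg's own code: the renderer, its `name="q"` input field and the `is_valid_query` allow-list are constructed here to show the fix in the context that matters for the report (the value attribute of the input field, where the quotes also have to be escaped, which `html.escape` does by default with `quote=True`).

```python
import html
import re

# Constructed example (not the project's code): a looking-glass page that echoes
# the submitted query back into the search box. The vulnerable version dumps the
# raw string into the attribute; the fixed version escapes it first.

# Hypothetical allow-list: an IPv4/IPv6 address with an optional prefix length.
# Validation is a second layer on top of escaping, not a replacement for it.
_QUERY_RE = re.compile(r"^[0-9A-Fa-f:.]+(/[0-9]{1,3})?$")


def is_valid_query(query: str) -> bool:
    """True only for strings shaped like an address or prefix."""
    return bool(_QUERY_RE.fullmatch(query))


def render_unescaped(query: str) -> str:
    """The pattern from the report: the search string goes straight into the page."""
    return f'<input type="text" name="q" value="{query}">'


def render_escaped(query: str) -> str:
    """The fix: html.escape before interpolating. quote=True (the default) also
    turns " and ' into entities, which is what keeps the value inside the attribute."""
    return f'<input type="text" name="q" value="{html.escape(query, quote=True)}">'


if __name__ == "__main__":
    for q in ("2001:db8::", "192.0.2.0/24", "<attack>2001:db8::/48"):
        print("valid:", is_valid_query(q))
        print("  raw:    ", render_unescaped(q))
        print("  escaped:", render_escaped(q))
```

Note that the REPL examples in the comment above show the text-node case; inside an attribute value the quote characters are the ones that matter, so keep the default `quote=True` rather than passing `quote=False`.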