Fix Cross Site Scripting Issue (#497)

2025-04-19 00:45:22 +00:00 · 2025-03-28 00:22:18 +03:00 · 2025-03-28 00:22:18 +03:00 · 87ebbf0f08
commit 87ebbf0f08
parent 8bdad48823
1 changed files with 4 additions and 2 deletions
--- a/src/akkudoktoreos/server/rest/error.py
+++ b/src/akkudoktoreos/server/rest/error.py
@ -1,3 +1,5 @@
+import html
+
 ERROR_PAGE_TEMPLATE = """
 <!DOCTYPE html>
 <html lang="en">
@ -86,6 +88,6 @@ def create_error_page(
    return (
        ERROR_PAGE_TEMPLATE.replace("STATUS_CODE", status_code)
        .replace("ERROR_TITLE", error_title)
-        .replace("ERROR_MESSAGE", error_message)
-        .replace("ERROR_DETAILS", error_details)
+        .replace("ERROR_MESSAGE", html.escape(error_message))
+        .replace("ERROR_DETAILS", html.escape(error_details))
    )