From 604afbeb9a971c3905bfc1c92851576d9f19e19a Mon Sep 17 00:00:00 2001
From: Nyx
Date: Sat, 22 Mar 2025 11:47:56 -0500
Subject: [PATCH] fix small javascript injection attack

---
 requirements.txt | 3 ++-
 utils/app.py | 8 ++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/requirements.txt b/requirements.txt
index 8ab6294..70e2e57 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1 +1,2 @@
-flask
\ No newline at end of file
+flask
+bleach
\ No newline at end of file
diff --git a/utils/app.py b/utils/app.py
index bde4f46..84fd0a2 100644
--- a/utils/app.py
+++ b/utils/app.py
@@ -1,7 +1,14 @@
 from flask import request, redirect, session, render_template, send_from_directory, Flask, url_for
+import bleach
 import generate
 
 
+def sanitize_html(html):
+    # Allow only a limited set of tags and attributes
+    allowed_tags = ['a', 'b', 'i', 'em', 'strong']
+    allowed_attributes = {'a': ['href']}
+    return bleach.clean(html, tags=allowed_tags, attributes=allowed_attributes)
+
 app = Flask(__name__)
 
 @app.route('/', methods=['GET', 'POST'])
@@ -15,6 +22,7 @@ def index():
 @app.route('/result')
 def result():
     ip = request.args.get('ip')
+    ip = sanitize_html(ip)
     return render_template('result.j2', result=ip)
 
 @app.route('/assets/style.css')
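Review bot: The new sanitize_html whitelist (`'a'`, `'b'`, `'i'`, `'em'`, `'strong'` plus `href`) treats the untrusted value as rich text, but the only caller passes an IP-address query parameter, for which no markup at all is legitimate; whitelisting tags leaves an avenue that plain escaping would close entirely. The underlying cause is likely that the template is named `result.j2`, and Flask's default autoescape only applies to `.html`/`.htm`/`.xml`/`.xhtml` names, so every variable rendered into a `.j2` template stays unescaped unless autoescape is enabled elsewhere (I cannot see the template or app config here, so please confirm). A smaller, dependency-free fix would be `return markupsafe.escape(html)` (markupsafe is already a Flask dependency) or enabling autoescape for `.j2` templates, which also protects future variables; bleach is additionally added unpinned in requirements.txt and its maintainers have declared the project deprecated, so it is a weak long-term anchor. At minimum the function needs a docstring, e.g. `"""Strip all HTML from *html* except a small tag/attribute whitelist; *html* must be a str."""`.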
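Review bot: `request.args.get('ip')` returns None when the parameter is absent, and the new `ip = sanitize_html(ip)` line then hands None to `bleach.clean`, which rejects non-str input with a TypeError, so `/result` without `?ip=` now answers 500 where it previously rendered an empty value. The one-line repair is `ip = request.args.get('ip', '')`. Since the value is meant to be an IP address, validating it with the stdlib `ipaddress` module and rejecting anything else with a 400 would remove the need for HTML sanitization on this path altogether (`abort` would need importing from flask alongside `ipaddress`).
```python
def result():
    ip = request.args.get('ip', '')
    try:
        # Reject anything that is not a literal IPv4/IPv6 address before it reaches the template.
        ipaddress.ip_address(ip)
    except ValueError:
        abort(400)
    # … unchanged: render_template('result.j2', result=ip) …
```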