fix small javascript injection attack
This commit is contained in:
parent
406effb17f
commit
604afbeb9a
2 changed files with 10 additions and 1 deletions
|
@ -1 +1,2 @@
|
||||||
flask
|
flask
|
||||||
|
bleach
|
|
@ -1,7 +1,14 @@
|
||||||
from flask import request, redirect, session, render_template, send_from_directory, Flask, url_for
|
from flask import request, redirect, session, render_template, send_from_directory, Flask, url_for
|
||||||
|
import bleach
|
||||||
|
|
||||||
import generate
|
import generate
|
||||||
|
|
||||||
|
def sanitize_html(html):
|
||||||
|
# Allow only a limited set of tags and attributes
|
||||||
|
allowed_tags = ['a', 'b', 'i', 'em', 'strong']
|
||||||
|
allowed_attributes = {'a': ['href']}
|
||||||
|
return bleach.clean(html, tags=allowed_tags, attributes=allowed_attributes)
|
||||||
|
|
||||||
app = Flask(__name__)
|
app = Flask(__name__)
|
||||||
|
|
||||||
@app.route('/', methods=['GET', 'POST'])
|
@app.route('/', methods=['GET', 'POST'])
|
||||||
|
@ -15,6 +22,7 @@ def index():
|
||||||
@app.route('/result')
|
@app.route('/result')
|
||||||
def result():
|
def result():
|
||||||
ip = request.args.get('ip')
|
ip = request.args.get('ip')
|
||||||
|
ip = sanitize_html(ip)
|
||||||
return render_template('result.j2', result=ip)
|
return render_template('result.j2', result=ip)
|
||||||
|
|
||||||
@app.route('/assets/style.css')
|
@app.route('/assets/style.css')
|
||||||
|
|
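Review bot: `ip = sanitize_html(ip)` in result() raises TypeError when the `ip` query parameter is absent, because `request.args.get('ip')` returns None and `bleach.clean` only accepts str, so `/result` without the parameter now answers 500 where it previously rendered. The deeper issue is that a tag allowlist is the wrong control for a value that should never contain markup: unless autoescape is configured elsewhere, Flask only autoescapes templates whose name ends in .html/.htm/.xml/.xhtml, so `result.j2` renders `result` unescaped, which is presumably how the injection reached the page in the first place. Enabling autoescape for the template (rename it, set `app.jinja_env.autoescape = True`, or use `{{ result | e }}`) closes the sink for every variable, and if the value really is an IP address as its name suggests it can be validated with the stdlib `ipaddress` module and rejected with a 400 instead of being cleaned. With that in place the new sanitize_html helper in the first hunk and the bleach requirement in the first file become unnecessary (bleach's maintainers have declared the library deprecated, so adding it now is worth avoiding); the rewrite below needs `import ipaddress` and `abort` from flask in the import block, which the first hunk touches.
```python
@app.route('/result')
def result():
    raw = request.args.get('ip', '')
    try:
        # Only a syntactically valid IPv4/IPv6 address reaches the template.
        ip = str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        abort(400)
    return render_template('result.j2', result=ip)
```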