From ad161132303685d39d99d084ebeb23e014631c84 Mon Sep 17 00:00:00 2001
From: Drew DeVault
Date: Mon, 20 Dec 2021 10:09:18 +0100
Subject: [PATCH] Escape names for build badges

This *looks* like an XSS vulnerability, but shouldn't be, because we only show SVGs in tags which are protected from XSS even when served from the same domain. However, it's still wrong, so let's fix the bug.
---
 buildsrht/blueprints/jobs.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/buildsrht/blueprints/jobs.py b/buildsrht/blueprints/jobs.py
index ea400c8..dd993a2 100644
--- a/buildsrht/blueprints/jobs.py
+++ b/buildsrht/blueprints/jobs.py
@@ -154,11 +154,11 @@ def svg_page(jobs):
 JobStatus.timeout]))
 .first())
 if not job:
- badge = badge_unknown.replace("__NAME__", name)
+ badge = badge_unknown.replace("__NAME__", escape(name))
 elif job.status == JobStatus.success:
- badge = badge_success.replace("__NAME__", name)
+ badge = badge_success.replace("__NAME__", escape(name))
 else:
- badge = badge_failure.replace("__NAME__", name)
+ badge = badge_failure.replace("__NAME__", escape(name))
 return badge

 @jobs.route("/")
-- 
2.38.5
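Review bot: The escaping added on the three `badge = ...replace("__NAME__", escape(name))` lines is a genuine security fix rather than a cosmetic one, because the "only shown in an image tag" argument in the description covers embedding but not a user who opens the badge URL directly, where the browser renders the SVG as a document and any markup in `name` would have executed; the response built by svg_page (outside this hunk) should also carry a `Content-Security-Policy: default-src 'none'` header so that direct navigation stays inert even if a future template change reintroduces unescaped input. The diffstat shows no import was added, so it is worth confirming `escape` is already in scope in jobs.py (presumably markupsafe's or flask's, which covers `& < > " '` and is adequate for both SVG text and attribute positions) rather than relying on the name happening to be bound. To keep the escaping from being skipped when another status branch is added later, hoist it once above the `if not job:` check: `safe_name = escape(name)`, then use `safe_name` in each `.replace("__NAME__", ...)`. Note that XML also rejects most C0 control characters, so a `name` containing e.g. U+0000 would still yield an unparseable badge; that is a correctness gap, not an injection. svg_page begins outside the hunk.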