authorJohn Estabrook <jestabro@vyos.io>2024-09-30 21:51:56 -0500
committerJohn Estabrook <jestabro@vyos.io>2024-10-03 09:14:34 -0500
commitc21fa1fb77264c0a92653b064824ac3bce5086ce (patch)
tree4c5f9ab3a6200eae3c4f0cff7a1266e36590f564 /src/services/api
parent7e23fd9da028b3c623b69fda8a6bcfd887f1c18c (diff)
http-api: T6736: sanitize error message containing user input
Diffstat (limited to 'src/services/api')
-rw-r--r--src/services/api/rest/models.py2
1 files changed, 2 insertions, 0 deletions
diff --git a/src/services/api/rest/models.py b/src/services/api/rest/models.py
index d65d6e1ec..23ae9be9d 100644
--- a/src/services/api/rest/models.py
+++ b/src/services/api/rest/models.py
@@ -17,6 +17,7 @@
# pylint: disable=too-few-public-methods
import json
+from html import escape
from enum import Enum
from typing import List
from typing import Union
@@ -31,6 +32,7 @@ from fastapi.responses import HTMLResponse
def error(code, msg):
+ msg = escape(msg, quote=False)
resp = {'success': False, 'error': msg, 'data': None}
resp = json.dumps(resp)
return HTMLResponse(resp, status_code=code)
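Review bot: HTML-escaping `msg` addresses a symptom: `error` builds the body with `json.dumps` but returns it as `HTMLResponse`, so the payload is served as text/html and a browser will render any markup that reached `msg`; that content-type mismatch is what makes reflected user input a problem here in the first place. Escaping inside a JSON body also changes what legitimate API clients receive (`&` becomes `&amp;`, `<` becomes `&lt;`), so an error quoting a config path or value is no longer returned verbatim. Serving the payload with the right media type removes the need to escape at all: `resp = {'success': False, 'error': msg, 'data': None}` / `return JSONResponse(resp, status_code=code)`, with `JSONResponse` imported from `fastapi.responses` in the import block (outside this hunk) and `X-Content-Type-Options: nosniff` set at the app level so browsers cannot sniff the response back to HTML. Separately, `html.escape` only accepts a `str`; if any caller passes a non-string `msg` (an exception object, an int), the new line raises `AttributeError` before the response is built, which `escape(str(msg), quote=False)` would avoid. The `quote=False` choice itself is sound for a JSON body, since `json.dumps` already escapes the double quote.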