From c21fa1fb77264c0a92653b064824ac3bce5086ce Mon Sep 17 00:00:00 2001
From: John Estabrook
Date: Mon, 30 Sep 2024 21:51:56 -0500
Subject: http-api: T6736: sanitize error message containing user input
---
src/services/api/rest/models.py | 2 ++
1 file changed, 2 insertions(+)
(limited to 'src/services/api/rest/models.py')
diff --git a/src/services/api/rest/models.py b/src/services/api/rest/models.py
index d65d6e1ec..23ae9be9d 100644
--- a/src/services/api/rest/models.py
+++ b/src/services/api/rest/models.py
@@ -17,6 +17,7 @@ # pylint: disable=too-few-public-methods
import json
+from html import escape
from enum import Enum
from typing import List
from typing import Union
@@ -31,6 +32,7 @@ from fastapi.responses import HTMLResponse
def error(code, msg):
+ msg = escape(msg, quote=False)
resp = {'success': False, 'error': msg, 'data': None}
resp = json.dumps(resp)
return HTMLResponse(resp, status_code=code)
-- cgit v1.2.3
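Review bot: The added `escape()` call in `error()` only has a security effect because the JSON body is still returned through `HTMLResponse`, i.e. served as `text/html` that a browser will render; the root cause of the reflected-markup problem is the content type, not the message text, and API clients now get `&lt;`/`&amp;` entities inside the `error` field. The more robust fix is to return the body as JSON, `return JSONResponse(resp, status_code=code)` (importing `JSONResponse` from `fastapi.responses` alongside `HTMLResponse`), which browsers do not interpret as markup and which makes the escaping unnecessary; if `HTMLResponse` must stay for compatibility, keep the escaping but document why with a comment such as `# body is served as text/html, so neutralise markup in user-supplied text`. Separately, `html.escape` requires a `str`, so if any caller passes a non-string `msg` (an exception object, for instance) the new line raises `AttributeError` before a response is built; `msg = escape(str(msg), quote=False)` would keep the sanitising while tolerating that, though whether such callers exist is not visible in this patch.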