Issue #69: LOW - Jail Names Echoed in Error Messages Without Sanitization
Where found:
backend/app/exceptions.py:138,351 – jail names interpolated directly into error strings
Why this is needed:
Although Python's repr() provides basic escaping, user-supplied jail names are reflected back in error messages. If these messages are ever rendered in an HTML context (e.g., a future admin UI or email notification), they become XSS vectors. They also act as confirmation oracles when combined with timing attacks.
Goal: Error messages referencing user input are sanitized before inclusion.
What to do:
- Pass user-supplied values through a dedicated sanitize_for_display() helper before interpolation.
- Ensure the helper strips or escapes HTML special characters.
- For API responses, always return the original (validated) field name rather than the raw user input.
Possible traps and issues:
- Over-escaping in JSON responses is not needed (JSON is not HTML); apply sanitization only at HTML render boundaries.
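As an added illustration (not the project's own code) of the helper and the render-boundary rule above: the function name sanitize_for_display comes from this issue, while its signature, the length cap, the JailNotFoundError class and the sample input are assumptions for demonstration only.

```python
# Added example, not code from backend/app/exceptions.py. Shows a
# sanitize_for_display() helper that strips control characters, truncates,
# and HTML-escapes only when the caller is at an HTML render boundary.
import html
import json
import re

MAX_DISPLAY_LEN = 64  # assumed cap so a long hostile value cannot flood a log or UI

# C0/C1 control characters and line breaks have no place in a displayed jail
# name; dropping them prevents forged extra lines in logs or messages.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def sanitize_for_display(value: str, *, html_context: bool = False) -> str:
    """Return `value` in a form safe to embed in a human-readable message.

    HTML escaping is applied only when html_context is True; JSON/API
    consumers get the plain (control-stripped, truncated) string.
    """
    cleaned = _CONTROL_CHARS.sub("", value)
    if len(cleaned) > MAX_DISPLAY_LEN:
        cleaned = cleaned[:MAX_DISPLAY_LEN] + "..."
    if html_context:
        # quote=True also escapes ' and " so the value is safe inside attributes
        cleaned = html.escape(cleaned, quote=True)
    return cleaned


class JailNotFoundError(Exception):
    """Assumed exception type standing in for the real one in exceptions.py."""

    def __init__(self, requested_name: str):
        self.requested_name = requested_name
        super().__init__(f"jail {sanitize_for_display(requested_name)!r} not found")

    def as_json(self) -> str:
        # JSON boundary: no HTML escaping; json.dumps handles quoting itself.
        return json.dumps({"error": "jail_not_found",
                           "jail": sanitize_for_display(self.requested_name)})

    def as_html(self) -> str:
        # HTML boundary: escape here, and only here.
        safe = sanitize_for_display(self.requested_name, html_context=True)
        return f"<p>Jail {safe} not found</p>"


# Constructed hostile input: markup plus a newline, as a client might submit it.
HOSTILE_NAME = "<script>x</script>\nforged-line"
```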
Docs changes needed:
CONTRIBUTING.md: document the rule that user input must not be echoed raw in messages.
Doc references:
backend/app/exceptions.py