BanGUI/Docs/Tasks.md
2026-05-04 07:20:16 +02:00
### Issue #69: LOW - Jail Names Echoed in Error Messages Without Sanitization
**Where found**:
- `backend/app/exceptions.py:138,351`: jail names are interpolated directly into error strings.
**Why this is needed**:
Although Python's `repr()` provides basic escaping, user-supplied jail names are reflected back in error messages. If these messages are ever rendered in an HTML context (e.g., a future admin UI or email notification), they become cross-site scripting (XSS) vectors. They also act as confirmation oracles when combined with timing attacks.
**Goal**:
Error messages referencing user input are sanitized before inclusion.
**What to do**:
1. Pass user-supplied values through a dedicated `sanitize_for_display()` helper before interpolation.
2. Ensure the helper strips or escapes HTML special characters.
3. For API responses, always return the original (validated) field name rather than the raw user input.
**Possible traps and issues**:
- Over-escaping in JSON responses is not needed (JSON is not HTML); apply sanitization only at HTML render boundaries.
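One way to implement steps 1 to 3 together with the render-boundary rule above, as an added example rather than BanGUI's own code: a `sanitize_for_display()` helper that escapes HTML metacharacters and drops control characters, and a hypothetical `JailNotFoundError` that returns only the validated field name in its JSON form and escapes the raw jail name only when rendering HTML.

```python
import html
import json
import re

# Constructed example, not BanGUI's own code. Control characters are
# dropped so a jail name cannot smuggle line breaks into a log or UI.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_for_display(value: str, max_len: int = 64) -> str:
    """Escape HTML metacharacters and strip control characters.

    html.escape(quote=True) turns < > & " ' into entities, which is what
    matters at an HTML render boundary. The length cap keeps a long
    input from flooding a log line or a UI element.
    """
    cleaned = _CONTROL_CHARS.sub("", value)[:max_len]
    return html.escape(cleaned, quote=True)


class JailNotFoundError(Exception):
    """Hypothetical error that carries the raw user value but never
    emits it unescaped: JSON gets the validated field name, HTML gets
    the sanitized value, applied once at the render boundary."""

    field = "jail"

    def __init__(self, raw_name: str):
        self.raw_name = raw_name
        super().__init__(f"jail not found for field {self.field!r}")

    def to_json(self) -> str:
        # API response: echo the validated field name, not the raw input.
        # No HTML escaping here; JSON is not HTML.
        return json.dumps({"error": "jail_not_found", "field": self.field})

    def to_html(self) -> str:
        # HTML render boundary: the only place the raw value is escaped.
        safe = sanitize_for_display(self.raw_name)
        return f"<p>Jail <code>{safe}</code> not found.</p>"
```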
**Docs changes needed**:
- `CONTRIBUTING.md`: document the rule that user input must not be echoed raw in messages.
**Doc references**:
- `backend/app/exceptions.py`