From 3c039efcd964167802b27c9f3fb5f2f12603d416 Mon Sep 17 00:00:00 2001
From: Anthony Donlon
Date: Sat, 22 Nov 2025 00:58:57 +0800
Subject: [PATCH] editor/server: escape user provided link if insecure
---
 editor/server/share.py |  3 ++-
 editor/server/utils.py | 23 +++++++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/editor/server/share.py b/editor/server/share.py
index 028d2af..dd3d5f1 100644
--- a/editor/server/share.py
+++ b/editor/server/share.py
@@ -24,7 +24,7 @@ from . import (
     models
 )
-from .utils import fill_cf_template_params
+from .utils import fill_cf_template_params, sanitize_page_param_links
 # root_dir = os.path.join(os.path.dirname(os.path.abspath(__file__)), '../../')
 # examples_dir = os.path.join(root_dir, 'examples')
@@ -120,6 +120,7 @@ def get(name: str):
     params['what_can_i_do'] = html.escape(params.get('what_can_i_do', ''))
     fill_cf_template_params(params)
     fill_template_params(params)
+    sanitize_page_param_links(params)
     return template.render(base=cf_template, params=params,
diff --git a/editor/server/utils.py b/editor/server/utils.py
index fc9f2ec..78f313c 100644
--- a/editor/server/utils.py
+++ b/editor/server/utils.py
@@ -48,3 +48,26 @@ def fill_cf_template_params(params: dict):
     if not client_ip:
         client_ip = request.remote_addr
     params['client_ip'] = client_ip
+
+def sanitize_user_link(link: str):
+    link = link.strip()
+    link_lower = link
+    if link_lower.startswith('http://') or link_lower.startswith('https://'):
+        return link
+    if '.' in link or '/' in link:
+        return 'https://' + link
+    return '#' + link
+
+def sanitize_page_param_links(param: dict):
+    more_info = param.get('more_information')
+    if more_info:
+        link = more_info.get('link')
+        if link:
+            more_info['link'] = sanitize_user_link(link)
+    perf_sec_by = param.get('perf_sec_by')
+    if perf_sec_by:
+        link = perf_sec_by.get('link')
+        if link:
+            perf_sec_by['link'] = sanitize_user_link(link)
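Review bot: The added `sanitize_page_param_links(params)` call only normalizes the scheme of the link values and otherwise returns the user string verbatim, so unlike `what_can_i_do` on the first line of this hunk the links never go through `html.escape`; a value such as `https://x/" onmouseover="…` starts with `https://` and keeps its quote characters. Whether that matters depends on the template: the explicit `html.escape` on the neighbouring field suggests attribute values are not autoescaped, in which case such a link can break out of the `href` attribute. If that is the case, escape the link fields on the same path as `what_can_i_do` (for example `html.escape(..., quote=True)` applied to the sanitized value), or confirm that `template.render` autoescapes and add a comment saying so next to this call. The body of `get` continues outside the hunk.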
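Review bot: In `sanitize_user_link`, `link_lower` is assigned `link` without calling `.lower()`, so the scheme check is case-sensitive and an input like `HTTPS://example.com` falls through to the second branch and becomes `https://HTTPS://example.com`, a broken link; the intent is clearly `link_lower = link.lower()`, and the two `startswith` calls can collapse to `if link_lower.startswith(('http://', 'https://')):`. The `'#'` fallback and the forced `https://` prefix do neutralize `javascript:` and `data:` URLs (a prefixed value parses as an https host rather than a scheme), but nothing here escapes `"` or `<`, so the function relies on the template to attribute-escape its result — worth stating in a docstring such as `"""Force a user-supplied link to http(s) or a fragment; does not HTML-escape the result."""`. `sanitize_page_param_links` also assumes `more_information` and `perf_sec_by` are dicts and that `link` is a `str`; if these params come straight from user-submitted JSON, a non-string `link` raises `AttributeError` on `.strip()`, so an `isinstance(link, str)` guard before each call would be prudent. As a style point, the parameter is named `param` while the sibling `fill_cf_template_params` and the caller both use `params`.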