Merge pull request from GHSA-9m4m-6gqx-gfj3

SECURITY PATCH: prevent XSS by cleaning html code
Linbreux · Sep 4, 2022 · 259412c · 259412c
2 parents 2640ada + 0539096
commit 259412c
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/requirements.txt b/requirements.txt
@@ -19,3 +19,4 @@ requests==2.27.1
 smmap==3.0.4
 Werkzeug==1.0.1
 idna==3.3
+lxml==4.9.1
diff --git a/wiki.py b/wiki.py
@@ -4,6 +4,7 @@
 import re
 import logging
 import uuid
+from lxml.html.clean import clean_html
 import pypandoc
 import knowledge_graph
 import random
@@ -186,7 +187,7 @@ def file_page(file_page):
                 app.logger.info(f"Converting to HTML with pandoc >>> '{md_file_path}' ...")
                 html = pypandoc.convert_file(md_file_path, "html5",
                                              format='md', extra_args=["--mathjax"], filters=['pandoc-xnos'])
-
+                html = clean_html(html)
                 mod = "Last modified: %s" % time.ctime(os.path.getmtime(md_file_path))
                 folder = file_page.split("/")
                 file_page = folder[-1:][0]
@@ -212,6 +213,7 @@ def index():
             html = pypandoc.convert_file(
                 os.path.join(cfg.wiki_directory, cfg.homepage), "html5", format='md', extra_args=["--mathjax"],
                 filters=['pandoc-xnos'])
+            html = clean_html(html)
 
         except Exception as e:
             app.logger.error(f"Conversion to HTML failed >>> {str(e)}")