
🔒 fix(security): use stdlib html.escape() for complete XSS protection#75

Merged
advaitpatel merged 2 commits into OWASP:main from jacksong2049-prog:main on May 13, 2026

Conversation

@jacksong2049-prog
Contributor

🔒 Security Fix — Closes #48

Problem

Both docker_scanner.py and report_generator.py used a hand-rolled HTML escape table that only handled 5 characters (& < > " '), creating a potential XSS vector.

Fix

Replaced with Python's built-in html.escape(text, quote=True) which handles all HTML5 special characters per the standard library implementation.

Changed files

  • docksec/docker_scanner.py
  • docksec/report_generator.py

Before

html_escape_table = {
    "&": "&amp;", '"': "&quot;", ...
}
return "".join(html_escape_table.get(c, c) for c in str(text))

After

import html
return html.escape(str(text), quote=True)
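As an added illustration (not code from the docksec project or from this PR), the script below rebuilds the five-entry table described above, runs it beside html.escape(quote=True), and checks each result for raw markup characters. One caveat worth knowing: html.escape() rewrites exactly the same five characters (& < > " '), so the gain is a tested, maintained implementation rather than a wider character set, and its output is only safe in HTML text nodes and quoted attribute values, not inside JavaScript or URL contexts. The table entries behind the PR's "..." and the sample strings are assumptions constructed for this example.

```python
import html
import re

# Five-entry table reconstructed from the PR's "Before" snippet; the entries
# behind its "..." are assumed to be the standard entities html.escape() emits.
ESCAPE_TABLE = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}

# Constructed sample inputs: one per special character plus a mixed case.
SAMPLES = ["plain text", "a & b", "<img src=x>", 'say "hi"', "it's",
           '<a href="x">&</a>']

_ENTITY = re.compile(r"&(amp|lt|gt|quot|#x27);")


def escape_with_table(text) -> str:
    """The hand-rolled approach the PR removes."""
    return "".join(ESCAPE_TABLE.get(c, c) for c in str(text))


def escape_stdlib(text) -> str:
    """The replacement: quote=True makes both quote styles get escaped."""
    return html.escape(str(text), quote=True)


def is_inert_in_html(s: str) -> bool:
    """True if s can sit in an HTML text node or a quoted attribute value without
    altering the markup: no raw < > " ' and every & starts a known entity."""
    if any(c in s for c in "<>\"'"):
        return False
    return len(_ENTITY.findall(s)) == s.count("&")


def outputs_agree() -> bool:
    """Both escapers produce identical output on every sample."""
    return all(escape_with_table(s) == escape_stdlib(s) for s in SAMPLES)


def round_trips() -> bool:
    """Escaping is lossless: html.unescape() recovers the original text."""
    return all(html.unescape(escape_stdlib(s)) == s for s in SAMPLES)


def report_cell(label, value) -> str:
    """How a report generator embeds untrusted scanner output: escape once,
    in both the attribute position and the text-node position."""
    return f'<td title="{escape_stdlib(label)}">{escape_stdlib(value)}</td>'


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:24} -> {escape_stdlib(s)!r}")
    print("agree:", outputs_agree(), "round-trip:", round_trips())
    print(report_cell('say "hi"', "<img src=x>"))
```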

Replace hand-rolled escape table with html.escape(text, quote=True)
for complete HTML5 entity handling.

Part of OWASP#48
Replace hand-rolled escape table with html.escape(text, quote=True)
for complete HTML5 entity handling.

Part of OWASP#48
Collaborator

@advaitpatel advaitpatel left a comment


looks good to me, thank you for your contributions!

@codecov-commenter

Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

Thanks for integrating Codecov - We've got you covered ☂️

@advaitpatel advaitpatel merged commit e0f3f6b into OWASP:main May 13, 2026
6 checks passed

Development

Successfully merging this pull request may close these issues.

[SECURITY] Replace custom HTML escape table with stdlib html.escape() in report generation

3 participants