Description
The application does not sanitize the user input when updating the details of a firmware. When updating the firmware details, the application posts the data to the "upload-analysis/[uid]" page. That page then runs the function "_get_meta_from_request()" within the /src/helperFunctions/mongo_task_conversion.py script. I tested the "tags" and "version" fields by adding JavaScript to the updated fields (it looks like other fields are possibly vulnerable too). This data is not sanitized and is stored in the application. Each time a page is requested with this information, the JavaScript is run. I added some screenshots to help. Using the "escape" function within flask could be a solution to sanitize the input. I tested it against the version field and it worked. Let me know if there are any additional questions.

Adding js to the tags field

When browsing to the home page it loads the js

js is executed

Used the escape function to sanitize the input
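The escaping fix suggested in the report, sketched as an added example that is not code from the report or from the project. The standard-library `html.escape` stands in for flask's `escape` so the block runs without Flask installed; the function names, the comma-separated tag format, the unescaped template and the sample form are assumptions constructed for illustration.

```python
from html import escape  # stdlib stand-in for flask's escape

# Only the two fields the report tested; the real handler reads more.
FIELDS = ("version", "tags")


def get_meta_unsanitized(form):
    """Behaviour described in the report: values are stored exactly as posted."""
    return {name: form.get(name, "") for name in FIELDS}


def get_meta_escaped(form):
    """Escape HTML metacharacters in every field before it is stored."""
    meta = {}
    for name in FIELDS:
        value = form.get(name, "")
        if name == "tags":
            # Assumption: tags arrive as one comma-separated string.
            tags = [t.strip() for t in value.split(",") if t.strip()]
            meta[name] = ",".join(escape(t, quote=True) for t in tags)
        else:
            meta[name] = escape(value.strip(), quote=True)
    return meta


def render_row(meta):
    """Hypothetical template without auto-escaping: stored values reach the page as-is."""
    return "<td>{version}</td><td>{tags}</td>".format(**meta)


# Constructed sample form data, not taken from the report's screenshots.
SAMPLE_FORM = {
    "version": "1.0<script>alert(1)</script>",
    "tags": "router,<script>alert(1)</script>",
}

if __name__ == "__main__":
    # First row still carries a live <script> element, second row shows it as text.
    print(render_row(get_meta_unsanitized(SAMPLE_FORM)))
    print(render_row(get_meta_escaped(SAMPLE_FORM)))
```

Every field that ends up in a rendered page needs the same treatment, since the report notes that fields other than "tags" and "version" may be affected.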
