Resolve XSS vulnerability in local Wordnet browser (#3096)
This is done by setting the Content-Type to text/plain when an unknown path is requested.
tomaarsen committed Dec 28, 2022
1 parent 2e11807 commit c8cedf1
Showing 1 changed file with 7 additions and 3 deletions.
@@ -127,7 +127,12 @@ def do_GET(self):
# Handle files here.
word = sp
page = get_static_page_by_path(usp)
page = get_static_page_by_path(usp)
except FileNotFoundError:
page = "Internal error: Path for static page '%s' is unknown" % usp
# Set type to plain to prevent XSS by printing the path as HTML
type = "text/plain"
elif sp.startswith("search"):
# This doesn't seem to work with MWEs.
type = "text/html"
@@ -816,8 +821,7 @@ def get_static_page_by_path(path):
return get_static_web_help_page()
elif path == "wx_help.html":
return get_static_wx_help_page()
return "Internal error: Path for static page '%s' is unknown" % path
raise FileNotFoundError()

def get_static_web_help_page():
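Review bot: The `except FileNotFoundError` fallback still copies the request-controlled `usp` verbatim into the response body, so the `text/plain` content type is the only thing preventing it from being interpreted as markup; escaping the value as well keeps the fix intact if the content type is later changed or sniffed, e.g. `page = "Internal error: Path for static page '%s' is unknown" % html.escape(usp)` (with `import html` at the top of the file). Emitting `X-Content-Type-Options: nosniff` where the response headers are written would close the sniffing route too, but that code is outside the hunk and I cannot confirm what is sent today. In the second hunk `raise FileNotFoundError()` discards the path; `raise FileNotFoundError(path)` would keep it available to callers that log the failure. The `type` local shadows the builtin, but it predates this change, and the rest of `do_GET` lies outside the hunk.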

