Merge pull request #16 from mozilla-it/rmuller/fix-xss

[PATCH] fix: correct escaping of api responses
mozilla-it · Nov 20, 2023 · d3b7d96 · d3b7d96
2 parents 570c6f6 + c11fe22
commit d3b7d96
Showing 1 changed file with 3 additions and 5 deletions.
diff --git a/dpaste/views.py b/dpaste/views.py
@@ -13,6 +13,7 @@
 from django.shortcuts import get_object_or_404, render
 from django.urls import reverse
 from django.utils import timezone
+from django.utils.html import escape
 from django.utils.cache import add_never_cache_headers, patch_cache_control
 from django.utils.http import http_date
 from django.utils.translation import ugettext
@@ -304,8 +305,7 @@ def post(self, request, *args, **kwargs):
         # A lexer is given, check if its valid at all
         if lexer and lexer not in highlight.LEXER_KEYS:
             return HttpResponseBadRequest(
-                'Invalid lexer "%s" given. Valid lexers are: %s'
-                % (lexer, ", ".join(highlight.LEXER_KEYS))
+                f'Invalid lexer choice "{escape(lexer)}" given. Valid lexer values are: {", ".join(highlight.LEXER_KEYS)}'
             )
 
         # No lexer is given, but we have a filename, try to get the lexer
@@ -322,9 +322,7 @@ def post(self, request, *args, **kwargs):
             expire_options = [str(i) for i in dict(config.EXPIRE_CHOICES)]
             if expires not in expire_options:
                 return HttpResponseBadRequest(
-                    'Invalid expire choice "{}" given. Valid values are: {}'.format(
-                        expires, ", ".join(expire_options)
-                    )
+                    f'Invalid expire choice "{escape(expires)}" given. Valid expire values are: {", ".join(expire_options)}'
                 )
             expires, expire_type = get_expire_values(expires)
         else: