Fix XSS issue (#1809)

Ace Nassri · web-flow · commit 56244a80d154 · 2018-11-08T13:46:19.000-08:00
diff --git a/functions/helloworld/main.py b/functions/helloworld/main.py
@@ -14,6 +14,13 @@
 
 import sys
 
+# [START functions_helloworld_http]
+# [START functions_http_content]
+from flask import escape
+
+# [END functions_helloworld_http]
+# [END functions_http_content]
+
 
 # [START functions_tips_terminate]
 # [START functions_helloworld_get]
@@ -61,7 +68,7 @@ def hello_http(request):
     """
     request_json = request.get_json()
     if request_json and 'name' in request_json:
-        name = request_json['name']
+        name = escape(request_json['name'])
     else:
         name = 'World'
     return 'Hello, {}!'.format(name)
@@ -121,7 +128,7 @@ def hello_content(request):
         name = request.form.get('name')
     else:
         raise ValueError("Unknown content type: {}".format(content_type))
-    return 'Hello, {}!'.format(name)
+    return 'Hello, {}!'.format(escape(name))
 # [END functions_http_content]
 
 
diff --git a/functions/helloworld/main_test.py b/functions/helloworld/main_test.py
@@ -42,6 +42,12 @@ def test_hello_http_args(app):
         assert 'Hello, test!' in res
 
 
+def test_hello_http_xss(app):
+    with app.test_request_context(json={'name': '<script>alert(1)</script>'}):
+        res = main.hello_http(flask.request)
+        assert '<script>' not in res
+
+
 def test_hello_content_json(app):
     with app.test_request_context(json={'name': 'test'}):
         res = main.hello_content(flask.request)
@@ -56,6 +62,12 @@ def test_hello_content_urlencoded(app):
         assert 'Hello, test!' in res
 
 
+def test_hello_content_xss(app):
+    with app.test_request_context(json={'name': '<script>alert(1)</script>'}):
+        res = main.hello_content(flask.request)
+        assert '<script>' not in res
+
+
 def test_hello_method(app):
     with app.test_request_context(method='GET'):
         res = main.hello_method(flask.request)
