initial hardening

FoamyGuy · FoamyGuy · commit 48dca560694c · 2023-07-30T11:06:37.000-05:00
diff --git a/adafruit_httpserver/request.py b/adafruit_httpserver/request.py
@@ -33,9 +33,33 @@ def _add_field_value(self, field_name: str, value: Union[str, bytes]) -> None:
         else:
             self._storage[field_name].append(value)
 
-    def get(self, field_name: str, default: Any = None) -> Union[str, bytes, None]:
+    def _html_output_encode(self, value):
+        return (
+            str(value)
+            .replace("&", "&amp;")
+            .replace("<", "&lt;")
+            .replace(">", "&gt;")
+            .replace('"', "&quot;")
+            .replace("'", "&#x27;")
+        )
+
+    def _debug_warning_nonencoded_output(self):
+        """Warns about exposing all files on the device."""
+        print(
+            f"WARNING: Setting html_output_encode to False will make XSS vulnerabilities possible by "
+            "allowing access to raw untrusted values submitted by users. If this data is reflected "
+            "or shown within HTML without proper encoding it could enable Cross-Site Scripting attacks."
+        )
+
+    def get(
+        self, field_name: str, default: Any = None, html_output_encode=True
+    ) -> Union[str, bytes, None]:
         """Get the value of a field."""
-        return self._storage.get(field_name, [default])[0]
+        if html_output_encode:
+            return self._html_output_encode(self._storage.get(field_name, [default])[0])
+        else:
+            self._debug_warning_nonencoded_output()
+            return self._storage.get(field_name, [default])[0]
 
     def get_list(self, field_name: str) -> List[Union[str, bytes]]:
         """Get the list of values of a field."""
