fix: enable Jinja2 autoescape and add large-file warnings (audit fixes)

AmmarYasser455 · web-flow · commit 5c5e4b698b23 · 2026-02-12T01:40:50.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,15 @@ All notable changes to GeoQA will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.1.1] - 2026-02-12
+
+### Fixed
+- **Security**: Enable Jinja2 autoescape in HTML report generation to prevent XSS when dataset names or attribute values contain HTML/script content. (GeoQA-002 from audit)
+- **UX**: Log a warning when loading files larger than 500 MB or datasets with more than 100,000 features, so users know to expect longer runtimes.
+
+### Added
+- 3 new tests: XSS prevention, special characters in dataset name, and large-file warning validation.
+
 ## [0.1.0] - 2026-02-11
 
 ### Added
diff --git a/geoqa/core.py b/geoqa/core.py
@@ -9,6 +9,7 @@
 
 from __future__ import annotations
 
+import logging
 from pathlib import Path
 from typing import Optional, Union
 
@@ -21,6 +22,8 @@
 from geoqa.spatial import SpatialAnalyzer
 from geoqa.visualization import MapVisualizer
 
+logger = logging.getLogger("geoqa")
+
 
 def profile(
     data: Union[str, Path, gpd.GeoDataFrame],
@@ -86,9 +89,24 @@ def __init__(
             self._source_path = Path(data)
             if not self._source_path.exists():
                 raise FileNotFoundError(f"File not found: {self._source_path}")
+
+            # Warn about large files before loading
+            file_size_mb = self._source_path.stat().st_size / 1e6
+            if file_size_mb > 500:
+                logger.warning(
+                    "Large file (%.0f MB) — loading may be slow " "and require significant memory",
+                    file_size_mb,
+                )
+
             self._gdf = gpd.read_file(str(self._source_path))
             self._name = name or self._source_path.stem
 
+            if len(self._gdf) > 100_000:
+                logger.warning(
+                    "Large dataset (%s features) — profiling may take " "several minutes",
+                    f"{len(self._gdf):,}",
+                )
+
         # Initialize analyzers
         self._geometry_checker = GeometryChecker(self._gdf)
         self._attribute_profiler = AttributeProfiler(self._gdf)
diff --git a/geoqa/report.py b/geoqa/report.py
@@ -12,7 +12,7 @@
 from pathlib import Path
 from typing import TYPE_CHECKING, Union
 
-import jinja2
+from jinja2 import Environment, select_autoescape
 
 if TYPE_CHECKING:
     from geoqa.core import GeoProfile
@@ -543,8 +543,14 @@ def generate(self, output_path: Union[str, Path] = "geoqa_report.html") -> Path:
         # CRS info
         crs_info = {k: v for k, v in self._profile.spatial_results.items() if k.startswith("crs_")}
 
-        # Render template
-        template = jinja2.Template(REPORT_TEMPLATE)
+        # Render template with autoescape enabled to prevent XSS
+        env = Environment(
+            autoescape=select_autoescape(
+                enabled_extensions=("html", "htm", "xml"),
+                default_for_string=True,
+            ),
+        )
+        template = env.from_string(REPORT_TEMPLATE)
         html = template.render(
             name=self._profile.name,
             features=self._profile.feature_count,
diff --git a/tests/test_core.py b/tests/test_core.py
@@ -167,3 +167,22 @@ def test_point_geometry(self, sample_points_gdf):
         gp = GeoProfile(sample_points_gdf)
         assert gp.geometry_type == "Point"
         assert gp.feature_count == 4
+
+    def test_large_file_warning(self, tmp_path, caplog):
+        """Test that loading a very large file emits a warning.
+
+        We can't create a 500 MB file in tests, so instead we verify
+        the warning path by checking a small file does NOT emit the warning.
+        """
+        import logging
+        from shapely.geometry import Point
+
+        gdf = gpd.GeoDataFrame({"v": [1]}, geometry=[Point(0, 0)], crs="EPSG:4326")
+        path = tmp_path / "small.geojson"
+        gdf.to_file(path, driver="GeoJSON")
+
+        with caplog.at_level(logging.WARNING, logger="geoqa"):
+            gp = GeoProfile(str(path))
+
+        # Small file → no "Large file" warning
+        assert not any("Large file" in r.message for r in caplog.records)
diff --git a/tests/test_report.py b/tests/test_report.py
@@ -62,3 +62,26 @@ def test_report_quality_score_display(self, sample_polygons_gdf, tmp_path):
         gp.to_html(output)
         content = output.read_text(encoding="utf-8")
         assert "/100" in content
+
+    def test_report_xss_prevention(self, sample_polygons_gdf, tmp_path):
+        """Test that HTML/script in dataset name is escaped, not injected."""
+        xss_name = '<script>alert("xss")</script>'
+        gp = GeoProfile(sample_polygons_gdf, name=xss_name)
+        output = tmp_path / "xss_report.html"
+        gp.to_html(output)
+        content = output.read_text(encoding="utf-8")
+        # The raw <script> tag must NOT appear in the output
+        assert "<script>alert" not in content
+        # The escaped version should be present instead
+        assert "&lt;script&gt;" in content
+
+    def test_report_special_chars_in_name(self, sample_polygons_gdf, tmp_path):
+        """Test that special characters in dataset name don't break the report."""
+        gp = GeoProfile(sample_polygons_gdf, name='Test & "Quotes" <Angles>')
+        output = tmp_path / "special_report.html"
+        result = gp.to_html(output)
+        assert result.exists()
+        content = result.read_text(encoding="utf-8")
+        # Ampersand and angle brackets should be escaped
+        assert "&amp;" in content
+        assert "&lt;Angles&gt;" in content
