Fix XSS vulnerability by escaping comments

airbnb · Jun 3, 2020 · f026ad2 · f026ad2
1 parent d1874d3
commit f026ad2
Showing 1 changed file with 2 additions and 3 deletions.
diff --git a/knowledge_repo/app/routes/comment.py b/knowledge_repo/app/routes/comment.py
@@ -6,7 +6,7 @@
   - /delete_comment
 """
 import logging
-from flask import request, Blueprint, g
+from flask import request, Blueprint, g, escape
 
 from .. import permissions
 from ..proxies import db_session, current_user
@@ -43,8 +43,7 @@ def post_comment():
                              .first())
     else:
         comment = Comment(post_id=post.id)
-
-    comment.text = data['text']
+    comment.text = escape(data['text'])
     comment.user_id = current_user.id
     db_session.add(comment)
     db_session.commit()