remove query string XSS from login token

capsulflask/auth.py

@@ -71,6 +71,10 @@ def magiclink(token):
         session["account"] = email
         return redirect(url_for("console.index"))
     else:
+        # this is here to prevent xss
+        if not re.match(r"^[a-zA-Z0-9_-]+$", token):
+          token = '___________'
+
         abort(404, f"Token {token} doesn't exist or has already been used.")
 
 @bp.route("/logout")

capsulflask/console.py

@@ -45,6 +45,8 @@ def double_check_capsul_address(id, ipv4):
 def index():
   vms = get_vms()
   created = request.args.get('created')
+  
+  # this is here to prevent xss
   if not re.match(r"^(cvm|capsul)-[a-z0-9]{10}$", created):
     created = '___________'