remove query string XSS from login token

This commit is contained in:
forest 2020-05-16 23:05:45 -05:00
parent e3a2e8eee4
commit 5c1a977a87
2 changed files with 6 additions and 0 deletions


@ -71,6 +71,10 @@ def magiclink(token):
session["account"] = email
return redirect(url_for("console.index"))
else:
# this is here to prevent xss
if not re.match(r"^[a-zA-Z0-9_-]+$", token):
token = '___________'
abort(404, f"Token {token} doesn't exist or has already been used.")
@bp.route("/logout")
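Review bot: The new allowlist check on `token` before the `abort(404, ...)` reduces the reflection to safe characters, but the simpler and safer fix is to not echo the token at all — it is a login credential and the 404 body gains nothing from repeating it: `abort(404, "Token doesn't exist or has already been used.")`. If the value must be echoed, `re.match` with `$` still accepts a trailing newline, so prefer `re.fullmatch(r"[a-zA-Z0-9_-]+", token)`, and keep in mind that input filtering only helps while every renderer of the description also HTML-escapes it (a custom error handler that renders the description raw would still be exposed). The hunk does not add an `import re`, so presumably it is already imported in this module — worth confirming. `magiclink` begins before this hunk.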


@ -45,6 +45,8 @@ def double_check_capsul_address(id, ipv4):
def index():
vms = get_vms()
created = request.args.get('created')
# this is here to prevent xss
if not re.match(r"^(cvm|capsul)-[a-z0-9]{10}$", created):
created = '___________'