sanitize error output for prevent XSS issues

webapp/graphite/errors.py

@@ -94,6 +94,15 @@ def __str__(self):
         return msg
 
 
+# Replace special characters "&", "<" and ">" to HTML-safe sequences.
+def escape(s):
+    s = s.replace("&", "&amp;")  # Must be done first!
+    s = s.replace("<", "&lt;")
+    s = s.replace(">", "&gt;")
+
+    return s
+
+
 # decorator which turns InputParameterExceptions into Django's HttpResponseBadRequest
 def handleInputParameterError(f):
     def new_f(*args, **kwargs):
@@ -102,6 +111,6 @@ def new_f(*args, **kwargs):
         except InputParameterError as e:
             msgStr = str(e)
             log.warning('%s', msgStr)
-            return HttpResponseBadRequest(msgStr)
+            return HttpResponseBadRequest(escape(msgStr))
 
     return new_f