From 4a77d4324b8f804fe381035079720d78dc1bca03 Mon Sep 17 00:00:00 2001
From: msaf1980 <msaf1980@gmail.com>
Date: Wed, 26 Oct 2022 11:54:00 +0500
Subject: [PATCH] sanitize error output for prevent XSS issues

---
 webapp/graphite/errors.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/webapp/graphite/errors.py b/webapp/graphite/errors.py
index 289541798..144946309 100644
--- a/webapp/graphite/errors.py
+++ b/webapp/graphite/errors.py
@@ -94,6 +94,15 @@ def __str__(self):
         return msg
 
 
+# Replace special characters "&", "<" and ">" to HTML-safe sequences.
+def escape(s):
+    s = s.replace("&", "&amp;")  # Must be done first!
+    s = s.replace("<", "&lt;")
+    s = s.replace(">", "&gt;")
+
+    return s
+
+
 # decorator which turns InputParameterExceptions into Django's HttpResponseBadRequest
 def handleInputParameterError(f):
     def new_f(*args, **kwargs):
@@ -102,6 +111,6 @@ def new_f(*args, **kwargs):
         except InputParameterError as e:
             msgStr = str(e)
             log.warning('%s', msgStr)
-            return HttpResponseBadRequest(msgStr)
+            return HttpResponseBadRequest(escape(msgStr))
 
     return new_f