Escape input in bold_md filter before wrapping in Markup (stored XSS) #6

Open
opened 2026-06-06 19:58:10 +00:00 by tonym · 0 comments

Severity: high
Category: security
Location: app.py:43-47

Problem

bold_md regex-substitutes then wraps in Markup(), disabling auto-escaping. Inputs include category names sourced from imported CSV/PDF, so <script> in that data would render unescaped.

Suggested fix

Escape first: re.sub(r'\*\*(.+?)\*\*', r'<strong>\1</strong>', str(markupsafe.escape(text))).

Filed by automated code review.

**Severity:** high **Category:** security **Location:** `app.py:43-47` ### Problem `bold_md` regex-substitutes then wraps in `Markup()`, disabling auto-escaping. Inputs include category names sourced from imported CSV/PDF, so `<script>` in that data would render unescaped. ### Suggested fix Escape first: `re.sub(r'\*\*(.+?)\*\*', r'<strong>\1</strong>', str(markupsafe.escape(text)))`. _Filed by automated code review._
tonym added the
security
severity:high
labels 2026-06-06 19:58:10 +00:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: bonna61/Moon-Household-Budget#6
No description provided.