andrewmusselman opened a new issue, #554:
URL: https://github.com/apache/tooling-trusted-releases/issues/554
## Summary
This should be checked at write instead of read.
Database values are substituted into markdown before HTML conversion without
escaping, allowing XSS if the database contains malicious content.
## ASVS Requirements
- 1.2.3 - Encoding close to interpreter
- 1.3.1 - Input validation
## Related Audit Reports
- [Cross-Site Scripting #398](ASVS/cross-site-scripting-398.md) - Section 4
## Affected Files
- `atr/construct.py:127-152`
## Current Behavior
```python
markdown = markdown.replace("[COMMITTEE]", committee.display_name)
markdown = markdown.replace("[PROJECT]", project.short_display_name)
# Values not escaped
```
## Recommended Fix
```python
import html


def safe_substitute(markdown: str, placeholder: str, value: str) -> str:
    # HTML-escape the database value before it reaches the markdown renderer
    escaped_value = html.escape(value)
    return markdown.replace(placeholder, escaped_value)
```
## Acceptance Criteria
- [ ] All substituted values escaped before markdown conversion
- [ ] Validate database values on input
- [ ] Consider parameterized templates
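An added worked example (mine, not code from the ATR project) putting the reported pattern beside a version that escapes in a single pass and validates display names at write time, as the acceptance criteria ask. The template, regexes and row values are constructed, and `validate_display_name`, `substitute_escaped` and `contains_raw_tag` are hypothetical names, not ATR functions.

```python
import html
import re

# Constructed sample template and row values; not ATR's real data.
TEMPLATE = "# [COMMITTEE]\n\nThis page lists releases of [PROJECT]."
ROW = {
    "[COMMITTEE]": 'Tooling <img src=x onerror="alert(1)">',  # constructed hostile value
    "[PROJECT]": "Trusted Releases",
}

# Write-time check (the issue asks for validation on input): display names are
# restricted to an allowlist, so HTML and markdown metacharacters never reach the DB.
DISPLAY_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._()-]{0,99}$")


def validate_display_name(value: str) -> bool:
    return DISPLAY_NAME_RE.fullmatch(value) is not None


PLACEHOLDER_RE = re.compile(r"\[(COMMITTEE|PROJECT)\]")


def substitute_escaped(markdown: str, values: dict[str, str]) -> str:
    """Read-time defence in depth: one pass over the template, each value HTML-escaped.

    A single regex pass also means a substituted value that itself contains
    "[PROJECT]" is never re-expanded, unlike chained str.replace calls.
    """
    def repl(m: re.Match) -> str:
        return html.escape(values.get(m.group(0), ""), quote=True)
    return PLACEHOLDER_RE.sub(repl, markdown)


def substitute_unescaped(markdown: str, values: dict[str, str]) -> str:
    """The pattern the issue reports, kept here only to compare outputs."""
    for placeholder, value in values.items():
        markdown = markdown.replace(placeholder, value)
    return markdown


RAW_TAG_RE = re.compile(r"<\s*/?[A-Za-z][^>]*>")


def contains_raw_tag(text: str) -> bool:
    """True if text still carries an HTML tag that a markdown renderer would pass through."""
    return RAW_TAG_RE.search(text) is not None


if __name__ == "__main__":
    print(validate_display_name(ROW["[COMMITTEE]"]))             # False: rejected at write
    print(contains_raw_tag(substitute_unescaped(TEMPLATE, ROW)))  # True
    print(contains_raw_tag(substitute_escaped(TEMPLATE, ROW)))    # False
```

`html.escape` neutralises HTML metacharacters only; markdown syntax inside a value survives it, which is why the write-time allowlist, not the read-time escape, is the primary control here.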
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]