Fix code scanning alert no. 2: Reflected server-side cross-site scrip…

…ting Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
telefonicaid · Oct 4, 2024 · 8ff9c5d · 8ff9c5d
1 parent f89231b
commit 8ff9c5d
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/scripts/accumulator-server.py b/scripts/accumulator-server.py
@@ -54,7 +54,7 @@
 import json
 import paho.mqtt.client as mqtt
 import threading
-
+import html
 
 def usage_and_exit(msg):
     """
@@ -353,9 +353,9 @@ def record_request(request):
     params = ''
     for k in request.args:
         if (params == ''):
-            params = k + '=' + request.args[k]
+            params = html.escape(k) + '=' + html.escape(request.args[k])
         else:
-            params += '&' + k + '=' + request.args[k]
+            params += '&' + html.escape(k) + '=' + html.escape(request.args[k])
 
     if (params == ''):
         s += '\n'
@@ -364,7 +364,7 @@ def record_request(request):
 
     # Store headers (according to pre-defined order)
     for h in sort_headers(request.headers.keys()):
-        s += h + ': ' + request.headers[h] + '\n'
+        s += h + ': ' + html.escape(request.headers[h]) + '\n'
 
     # Store payload
     if ((request.data is not None) and (len(request.data) != 0)):
@@ -377,7 +377,7 @@ def record_request(request):
             except ValueError as e:
                 s += str(e)
         else:
-            s += request.data.decode("utf-8")
+            s += html.escape(request.data.decode("utf-8"))
 
     # Separator
     s += '=======================================\n'