
Bandit B704: Potential XSS with markupsafe.Markup detected.

Open UlrichB22 opened this issue 9 months ago • 2 comments

Since version 1.8.3 (17.02.2025), Bandit reports the following warning:

https://bandit.readthedocs.io/en/latest/plugins/b704_markupsafe_markup_xss.html

For example in src/moin/apps/frontend/views.py:667

IMO we have validated all content before using markupsafe.Markup and can ignore B704 warnings. Please advise.

UlrichB22, Mar 08 '25 19:03

Best I can do is to defer to you.

RogerHaase, Mar 10 '25 17:03

Most recent articles on the web recommend using a sanitizer like bleach or, better, nh3 to prevent XSS attacks. I am not able to evaluate the converters and whether it is safe to use Markup() on their output.

Bleach is deprecated and there is this interesting short post on the conversion to nh3: https://daniel.feldroy.com/posts/2023-06-converting-from-bleach-to-nh3

UlrichB22, Apr 01 '25 20:04