Fix code scanning alert no. 229: Reflected server-side cross-site scr…

…ipting Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
tira-io · Dec 10, 2024 · 0105b62 · 0105b62
1 parent 0532ceb
commit 0105b62
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/application/src/tira_app/endpoints/vm_api.py b/application/src/tira_app/endpoints/vm_api.py
@@ -1,4 +1,5 @@
 import json
+import html
 import logging
 import shutil
 import uuid
@@ -513,21 +514,21 @@ def anonymous_upload(request, dataset_id):
             or not dataset["task"]
         ):
             return HttpResponseServerError(
-                json.dumps({"status": 1, "message": f"Uploads are not allowed for the dataset {dataset_id}."})
+                json.dumps({"status": 1, "message": f"Uploads are not allowed for the dataset {html.escape(dataset_id)}."})
             )
 
         if dataset["is_deprecated"]:
             return HttpResponseServerError(
                 json.dumps(
-                    {"status": 1, "message": f"The dataset {dataset_id} is deprecated and therefore allows no uploads."}
+                    {"status": 1, "message": f"The dataset {html.escape(dataset_id)} is deprecated and therefore allows no uploads."}
                 )
             )
 
         task = model.get_task(dataset["task"], False)
         if not task or not task["featured"]:
             return HttpResponseServerError(
                 json.dumps(
-                    {"status": 1, "message": f"The dataset {dataset_id} is deprecated and therefore allows no uploads."}
+                    {"status": 1, "message": f"The dataset {html.escape(dataset_id)} is deprecated and therefore allows no uploads."}
                 )
             )