Python Flask XSS neutralization (Veracode alert)
Hi, I have the following code that triggers a Veracode alert:
@app.route('/user/<username>', methods=['GET'])
@login_required
def user(username):
    username = str(escape(username))
    if current_user.username == username:
        user = User.query.filter_by(username=username).first_or_404()
        all_regions = Region.query.all()
        return render_template('user_bs.html', user=user, all_regions=all_regions,
                               production_mode=app.config['PRODUCTION_MODE'],
                               manual_registration=app.config['AUTHENTICATION_METHODS']['MANUAL'])
    return redirect(url_for('index'))
I would like to know what I can do to neutralize it.
In the user_bs.html template I surround the variables correctly with curly braces, double quotes, etc...
What else can I do to prevent XSS?
Here is the template:
{% extends "base.html" %}
{% block app_content %}
<div>
<table class="table">
<h3>My Profile</h3>
<tr >
<td>
<h1><img src="{{ user.avatar(32) }}"> {{ user.fullname }} </h1>
<p>Info: {{ user.description }}</p>
<p>Username: {{ user.username }}</p>
<p>Role: {% for role in user.roles %} {{ role }} {% endfor %}</p>
<p>Email: {{ user.email }}</p>
<p>Creation date: {{ user.creation_dt }}</p>
{% if user.last_seen %}<p>Last seen on: {{ user.last_seen }}</p>{% endif %}
</td>
</tr>
</table>
</div>
{% endblock %}
And base.html:
{% extends 'bootstrap/base.html' %}
{% block title %}
{% if title %}{{ title }}
{% elif frontend %} {{ frontend.name }} - test
{% else %} test
{% endif %}
{% endblock %}
{% block head %}
<meta charset="UTF-8">
{{super()}}
<link rel="icon" type="image/png" href="{{url_for('static', filename='images/favicon.ico')}}">
<link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/animate.css/3.7.0/animate.min.css">
{% endblock %}
{% block navbar %}
<div id="main">
<nav class="navbar navbar-default">
<div class="container-fluid">
<div class="navbar-header">
<button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#bs-example-navbar-collapse-1" aria-expanded="false">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="{{ url_for('index') }}"><img src="{{url_for('static', filename='images/logo_navbar.png')}}" width="90px" alt="test" /></a>
{% if frontend %}
{% if frontend.analytics %}
<button id='toggle_analytics' class="btn btn-default navbar-btn active"><span class="glyphicon glyphicon-signal"></span>  Dashboard</button>
<button id='toggle_filters' class="btn btn-default navbar-btn"><span class="glyphicon glyphicon-tasks"></span>  Reports</button>
{% else %}
<button id='toggle_filters' class="btn btn-default navbar-btn active"><span class="glyphicon glyphicon-tasks"></span>  Reports</button>
{% endif %}
{% endif %}
</div>
<ul class="nav navbar-nav">
{% if frontends|length > 0 %}
{% for region in regions|sort(attribute='name') %}
{% set prod_lst = [] %}
{% for frontend in frontends %}
{% if frontend.region == region and frontend.activate %}
{% set prod_lst = prod_lst.append(frontend.product) %}
{% endif %}
{% endfor %}
<li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">{{ region.name }} <span class="caret"></span></a>
<ul class="dropdown-menu">
{% for product in products|sort(attribute='name') %}
{% if product in prod_lst %}
<h6 class="dropdown-header">{{ product.name }}</h6>
{% for frontend in frontends|sort(attribute='name') %}
{% if frontend.region == region and frontend.product == product %}
{% if frontend.activate %}
<li><a href="{{ url_for('dashboard', product_code=frontend.product.product_code, frontend_code=frontend.frontend_code) }}">{{ frontend.name }}</a></li>
{% endif %}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
</ul>
</li>
{% endfor %}
{% endif %}
</ul>
<div class="collapse navbar-collapse" id="bs-example-navbar-collapse-1">
<ul class="nav navbar-nav navbar-right">
{% if frontend %}
<p class="navbar-text align-right animated fadeInLeftBig animation-duration-500ms delay-3s" align="right"> {{ frontend.name }} :: <span class="glyphicon glyphicon-time"></span> {{ frontend.timezone.name }} :: <span id="clock"></span> </p>
{% else %}
<p class="navbar-text align-right animated fadeIn animation-duration-500ms" align="right"><span id="clock"></span> </p>
{% endif %}
{% if current_user.is_anonymous %}
<li><a href="{{ url_for('login') }}">Login</a></li>
{% else %}
<li><a href="{{ url_for('index') }}"><span class="glyphicon glyphicon-home"></span></a></li>
<li><a href="{{ url_for('user', username=current_user.username) }}" title="Profile {{ current_user.username }}"><span><img src="{{ current_user.avatar(20) }}"></span></a></li>
{% if current_user.roles[0].name == 'Admin' %}
<li><a href="{{ url_for('admin.index') }}"> <span class="glyphicon glyphicon-cog"></span> </a></li>
{% endif %}
<li><a href="{{ url_for('logout') }}" title="Logout"> <span class="glyphicon glyphicon-log-out"></span></a></li>
{% endif %}
</ul>
</div>
</div>
</nav>
{% endblock %}
{% block content %}
<div class="container-fluid animated fadeIn animation-duration-100ms">
{% block app_content %}
{% endblock %}
</div>
</div>
{{super()}}
{%- block footer %}
<footer class="text-center">© 2019 test</footer>
{%- endblock footer %}
{% endblock content%}
{% block scripts %}
{{super()}}
<script src="{{url_for('static', filename='js/animate/custom.js')}}"></script>
{% endblock %}
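An added example (not code from the original question or its project) showing what actually neutralizes XSS in this setup: Flask autoescapes templates whose filename ends in .html, so `{{ user.description }}` in user_bs.html is HTML-encoded on render, while the `str(escape(username))` call in the route adds no protection and breaks the equality check against current_user.username for names containing characters such as `'`. It drives Jinja2 directly with the same filename rule Flask applies; the `User` class and the trimmed templates are constructed stand-ins.

```python
from jinja2 import DictLoader, Environment, select_autoescape
from markupsafe import escape

# Constructed, trimmed stand-in for the profile line of the OP's user_bs.html,
# plus a .txt twin to show where Flask's autoescape rule stops applying.
TEMPLATES = {
    "user_bs.html": "<p>Info: {{ user.description }}</p>",
    "user_bs.txt": "Info: {{ user.description }}",
}

# Flask's select_jinja_autoescape enables escaping for .html/.htm/.xml/.xhtml
# templates (recent releases also add .svg); reproduce that rule here.
env = Environment(
    loader=DictLoader(TEMPLATES),
    autoescape=select_autoescape(["html", "htm", "xml", "xhtml"]),
)


class User:
    """Constructed minimal model: only the attributes the template touches."""

    def __init__(self, username, description):
        self.username = username
        self.description = description


def render_profile(template_name, user):
    """Render the way Flask's render_template(template_name, user=user) would."""
    return env.get_template(template_name).render(user=user)


def path_username_matches(path_username, session_username):
    """The OP's route compares str(escape(username)) with current_user.username."""
    return str(escape(path_username)) == session_username


if __name__ == "__main__":
    hostile = User("mallory", "<script>alert(1)</script>")
    # Tags are HTML-encoded in the .html template: no script executes.
    print(render_profile("user_bs.html", hostile))
    # The same data in a .txt template is emitted raw: autoescape, not the route, did the work.
    print(render_profile("user_bs.txt", hostile))
    # escape() turns ' into &#39;, so a legitimate user with such a name gets redirected away.
    print(path_username_matches("o'brien", "o'brien"))
```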
I fixed it by simply changing the route:
@app.route('/user', methods=['GET'])
@login_required
def user():
    user = User.query.filter_by(username=current_user.username).first_or_404()
    all_regions = Region.query.all()
    return render_template('user_bs.html', user=user, all_regions=all_regions,
                           production_mode=app.config['PRODUCTION_MODE'],
                           manual_registration=app.config['AUTHENTICATION_METHODS']['MANUAL'])
You need to show us user_bs.html.

I added the relevant template.

You don't need to escape the username before passing it to SQLAlchemy; SQLAlchemy handles that for you (username = str(escape(username))).

Yes, I just added that as a test to see whether Veracode would stop telling me there is an XSS vulnerability... but it didn't change anything.

This is a very simple page, but I can't find an XSS flaw. What is the exact message Veracode returns? I'm not familiar with the product, but I imagine it should point you to the relevant offending code? Does it point to any other endpoint that accepts user-supplied parameters?