
fix(security): escape template outputs and add template security tests#356

Open

Viraj0711 wants to merge 1 commit into komalharshita:main from Viraj0711:security/sanitize-templates

Conversation

@Viraj0711

Branch: security/sanitize-templates

Summary

This PR hardens server-side templates against XSS by escaping data injected into HTML and safely serializing values used in JavaScript. It also adds unit tests that render templates with malicious inputs to prevent regressions.

Related Issue

Closes: #355

Type of Change

  • Refactor / Security hardening
  • Test — adds new security tests

What Was Changed

File / Change made:

  • templates/project.html: Escaped title, meta, description, features, roadmap steps, resources, tech tags. Used tojson for PROJECT_ID. Cleaned class names for badges.
  • tests/test_security.py: Added test that renders project.html with malicious inputs and asserts content is escaped.
  • tests/test_index_security.py: Added test that renders index.html with malicious stats and asserts escaping.

How to Test This PR

  1. Checkout branch: git checkout security/sanitize-templates
  2. Install dependencies: pip install -r requirements.txt
  3. Run all tests: python -m pytest -q

Expected test output (relevant lines):

tests/test_security.py .
tests/test_index_security.py .
... (other tests) ...
30 passed in 0.2s

Test Results

(Include CI output or paste results after running locally.)

Self-Review Checklist

  • Escaped all template values that render dynamic data.
  • Avoided |safe and uncontrolled HTML rendering.
  • Serialized JS-injected values safely using tojson.
  • Added tests that fail if a future change introduces unescaped output.
  • Ran full test suite locally and verified tests pass.

Notes for Reviewer

  • Manual review: check places where class names are derived from data (e.g., badge--{{ project.level | lower }}) to ensure they can't break markup — this PR normalizes spaces to hyphens for safety.
  • This PR focuses on server-side escaping. Consider follow-ups to: (a) adopt a whitelist sanitizer like bleach if any HTML should be allowed in data fields, and (b) scan client-side code (static/script.js) for unsafe DOM APIs (innerHTML, eval, document.write).

Suggested commit message

fix(security): escape template outputs and add XSS template tests

- Escape dynamic template variables in project and index templates
- Use tojson for safe JS serialization of PROJECT_ID
- Add tests that render templates with malicious inputs

You can copy-paste the Issue content above into a new GitHub Issue and the PR content into your PR description. If you want, I can also:

  • Open the PR for you (push branch and create PR), or
  • Add bleach and an example of a sanitized allowlist for fields that require HTML.

Which would you like next?
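The PR description above names three hardening moves (HTML-context escaping of every dynamic value, `tojson` for the value injected into a `<script>` block, and normalizing data-derived class names) and a regression test that renders with malicious inputs. The block below is an added illustration of those moves and is not code from this PR or from the komalharshita repository. It uses only the Python standard library as a stand-in for Jinja2: `html.escape` plays the role of autoescaping and `safe_js_literal` reproduces what Jinja2's `tojson` filter does (JSON encoding plus `\u` escapes for `<`, `>`, `&`, `'`). The function names (`render_project_unsafe`, `render_project_safe`, `css_token`, `leaks_markup`), the `MALICIOUS_PROJECT` inputs and the tiny "template" strings are all constructed for the example.

```python
import html
import json
import re

# Constructed malicious inputs for the test (not taken from the PR or its issue).
# Each field carries a different injection shape: an HTML element, an attribute
# breakout, an entity/tag mix, and a </script> breakout aimed at the JS block.
MALICIOUS_PROJECT = {
    "id": "1</script><script>alert(1)</script>",
    "title": "<img src=x onerror=alert(1)>",
    "level": 'beginner" onmouseover="alert(1)',
    "description": "Hello & <b>world</b>",
}


def safe_js_literal(value) -> str:
    """Serialize a value as a JS literal that is safe inside a <script> block.

    Mirrors what Jinja2's ``tojson`` filter does: json.dumps, then the
    HTML-sensitive characters are replaced with \\u escapes so a value can
    never close the <script> element early.
    """
    out = json.dumps(value)
    return (
        out.replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
        .replace("'", "\\u0027")
    )


def css_token(value: str) -> str:
    """Normalize a data-derived value into a class-name suffix.

    Anything outside [a-z0-9] collapses to a single hyphen, so a value cannot
    carry quotes or spaces into the class attribute (the PR's "spaces to
    hyphens" idea, applied here to every non-alphanumeric character).
    """
    token = re.sub(r"[^a-z0-9]+", "-", value.lower()).strip("-")
    return token or "unknown"


def render_project_unsafe(project: dict) -> str:
    """The 'before': values dropped into markup and JS with no escaping."""
    return (
        f'<h1>{project["title"]}</h1>\n'
        f'<span class="badge badge--{project["level"].lower()}">{project["level"]}</span>\n'
        f'<p>{project["description"]}</p>\n'
        f'<script>const PROJECT_ID = "{project["id"]}";</script>\n'
    )


def render_project_safe(project: dict) -> str:
    """The 'after': HTML context escaped, class token normalized, JS value via tojson-style."""
    return (
        f'<h1>{html.escape(project["title"])}</h1>\n'
        f'<span class="badge badge--{css_token(project["level"])}">'
        f'{html.escape(project["level"])}</span>\n'
        f'<p>{html.escape(project["description"])}</p>\n'
        f'<script>const PROJECT_ID = {safe_js_literal(project["id"])};</script>\n'
    )


def leaks_markup(rendered: str, project: dict) -> bool:
    """Regression check used by the test: does any field that contains markup
    characters appear verbatim in the output? For such inputs, a verbatim hit
    means the template skipped escaping on that field (benign values like
    "Beginner" are ignored because they look the same escaped or not)."""
    risky = [v for v in project.values() if any(c in v for c in '<>"&')]
    return any(v in rendered for v in risky)


if __name__ == "__main__":
    assert leaks_markup(render_project_unsafe(MALICIOUS_PROJECT), MALICIOUS_PROJECT)
    assert not leaks_markup(render_project_safe(MALICIOUS_PROJECT), MALICIOUS_PROJECT)
    print(render_project_safe(MALICIOUS_PROJECT))
```

Running the module renders the hardened output and the two asserts show the shape of the PR's test: the unsafe renderer leaks every risky field verbatim, the safe one leaks none. The `css_token` step matters separately from escaping, because a class attribute built from `{{ project.level | lower }}` survives autoescaping yet still lets a quote or space in the data produce a new attribute; collapsing to a fixed alphabet removes that whole class of breakouts.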

@vercel

vercel Bot commented May 20, 2026

@Viraj0711 is attempting to deploy a commit to the komalsony234-1530's projects Team on Vercel.

A member of the Team first needs to authorize it.

Development

Successfully merging this pull request may close these issues.

Security (XSS): Sanitize template output and enable Jinja2 auto escaping across templates/endpoints