remove query string XSS from login token

2020-05-16 23:05:45 -05:00
parent e3a2e8eee4
commit 5c1a977a87
2 changed files with 6 additions and 0 deletions
--- a/capsulflask/auth.py
+++ b/capsulflask/auth.py
@ -71,6 +71,10 @@ def magiclink(token):
        session["account"] = email
        return redirect(url_for("console.index"))
    else:
+        # this is here to prevent xss
+        if not re.match(r"^[a-zA-Z0-9_-]+$", token):
+          token = '___________'
+
        abort(404, f"Token {token} doesn't exist or has already been used.")

@bp.route("/logout")