http-api: T6736: sanitize error message containing user input

vyos · Oct 1, 2024 · 621bdd8 · 621bdd8
1 parent 7e23fd9
commit 621bdd8
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/src/services/api/rest/models.py b/src/services/api/rest/models.py
@@ -17,6 +17,7 @@
 # pylint: disable=too-few-public-methods
 
 import json
+from html import escape
 from enum import Enum
 from typing import List
 from typing import Union
@@ -31,6 +32,7 @@
 
 
 def error(code, msg):
+    msg = escape(msg, quote=False)
     resp = {'success': False, 'error': msg, 'data': None}
     resp = json.dumps(resp)
     return HTMLResponse(resp, status_code=code)