fixing XSS from issue #101

Author: Corentin

app/ontocreate/routes.py

@@ -1,6 +1,8 @@
 import json
 import os
 
+import bleach
+
 from app import db
 from app.historeport.onto_func import StandardVocabulary
 from app.models import ReportHisto
@@ -79,14 +81,15 @@ def modify_onto():
     with open(
         os.path.join(current_app.config["ONTOLOGY_FOLDER"], "ontology.json"), "w"
     ) as json_file:
-        json.dump(clean_tree, json_file, indent=4)
+        sanitized_json = json.loads(bleach.clean(json.dumps(clean_tree)))
+        json.dump(sanitized_json, json_file, indent=4)
 
     # Update All Reports to the latest Version of ontology
     template_ontology = StandardVocabulary(clean_tree)
     for report in ReportHisto.query.all():
         current_report_ontology = StandardVocabulary(report.ontology_tree)
-        updated_report_ontology = json.loads(
-            json.dumps(current_report_ontology.update_ontology(template_ontology))
+        updated_report_ontology = json.loads(bleach.clean(
+            json.dumps(current_report_ontology.update_ontology(template_ontology)))
         )
         # Issue: SQLAlchemy not updating JSON https://stackoverflow.com/questions/42559434/updates-to-json-field-dont-persist-to-db
 

poetry.lock

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "impatient"
-version = "1.5.0"
+version = "1.5.1"
 description = "IMPatienT: an integrated web application to digitize, process and explore multimodal patient data"
 authors = ["Corentin Meyer <[email protected]>"]
 license = "AGPL"
@@ -45,6 +45,7 @@ en_core_web_sm = { url = "https://github.com/explosion/spacy-models/releases/dow
 fr_core_news_sm = { url = "https://github.com/explosion/spacy-models/releases/download/fr_core_news_sm-3.2.0/fr_core_news_sm-3.2.0-py3-none-any.whl" }
 Flask-Cors = "^3.0.10"
 textacy = "^0.12.0"
+bleach = "^5.0.1"
 
 [tool.poetry.group.dev.dependencies]
 ruff = "^0.0.221"