
Patch for controllers/user.py#41

Open
beetle-ai[bot] wants to merge 1 commit into main from fix/1759586745888-1ubup

Conversation


@beetle-ai beetle-ai bot commented Oct 4, 2025

Implemented HTML sanitization using the bleach library to escape potentially malicious code from the resume data before rendering it into the HTML template. This helps prevent XSS vulnerabilities in the generated PDF.

Changes made:

  • Replaced: template = Template(html_template) html_content = template.render(**template_data)
  • With: import bleach template = Template(html_template) sanitized_data = {k: bleach.clean(v) if isinstance(...

Related Issue: #4e7d1c94-3b5a-4d4c-8e6a-5c9b8a7f3e2d

File: controllers/user.py
Branch: fix/1759586745888-1ubup → main


beetle-ai bot commented Oct 4, 2025

🤖 CodeDetector Analysis

✅ Security Enhancement: Template Data Sanitization

File: controllers/user.py
Lines: 934-936
Severity: Medium

Problem

The original code was vulnerable to Cross-Site Scripting (XSS) attacks if the template_data contained malicious HTML or JavaScript. This could occur if the data originated from untrusted sources.

Current Code

from jinja2 import Template  # assumed: Template is Jinja2's (autoescape is off by default)

template = Template(html_template)
html_content = template.render(**template_data)  # string values are inserted into the HTML unescaped

Suggested Fix

import bleach
from jinja2 import Template  # assumed: Template is Jinja2's

template = Template(html_template)
# Clean only the values that are strings; non-string values pass through unchanged
sanitized_data = {k: bleach.clean(v) if isinstance(v, str) else v for k, v in template_data.items()}
html_content = template.render(**sanitized_data)

Why This Fix Works

  • The bleach.clean() function sanitizes the input data, removing any potentially harmful HTML tags or attributes.
  • This prevents XSS attacks by ensuring that only safe content is rendered in the PDF.
  • The code iterates through the template_data dictionary and sanitizes only the string values, leaving other data types untouched.

Additional Context

This change significantly improves the security of the resume generation feature by mitigating the risk of XSS vulnerabilities.


Powered by CodeDetector - AI-powered code analysis
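The comprehension in the suggested fix cleans only the top-level string values of template_data, while resume data is typically nested (a list of jobs, a dict of contact details), so a string inside a nested field would still reach the template raw. The example below is added here and is not the PR's code: it places the top-level approach beside a recursive version that cleans every string in nested dicts and lists. It assumes a constructed resume record, a hypothetical render_resume() standing in for the HTML template, and html.escape standing in for bleach.clean (the cleaner is a parameter, so bleach.clean can be passed instead).

```python
from __future__ import annotations

import html
from typing import Any, Callable

Cleaner = Callable[[str], str]


def sanitize_top_level(data: dict[str, Any], clean: Cleaner = html.escape) -> dict[str, Any]:
    """The PR's approach: clean only the string values sitting directly in the dict."""
    return {k: clean(v) if isinstance(v, str) else v for k, v in data.items()}


def sanitize_tree(value: Any, clean: Cleaner = html.escape) -> Any:
    """Recursively clean every string inside nested dicts, lists and tuples."""
    if isinstance(value, str):
        return clean(value)
    if isinstance(value, dict):
        return {k: sanitize_tree(v, clean) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(sanitize_tree(v, clean) for v in value)
    return value  # ints, bools, None and other non-string leaves are left untouched


def render_resume(data: dict[str, Any]) -> str:
    """Hypothetical stand-in for the HTML template; inserts values without escaping."""
    jobs = "".join(
        f"<li>{job['title']} at {job['company']}</li>" for job in data.get("experience", [])
    )
    return f"<h1>{data['name']}</h1><p>{data['summary']}</p><ul>{jobs}</ul>"


# Constructed resume record: one script tag at the top level, one inside a nested job entry.
RESUME = {
    "name": "Ada Example",
    "summary": "Engineer <script>alert(1)</script>",
    "years": 7,
    "experience": [{"title": "Lead <script>alert(2)</script>", "company": "ACME"}],
}


def top_level_leaves_nested_markup() -> bool:
    """True when the top-level cleaner escapes the summary but misses the nested job title."""
    out = render_resume(sanitize_top_level(RESUME))
    return "<script>alert(1)" not in out and "<script>alert(2)" in out


def tree_cleans_nested_markup() -> bool:
    """True when the recursive cleaner leaves no raw script tag anywhere in the output."""
    out = render_resume(sanitize_tree(RESUME))
    return "<script" not in out and "&lt;script&gt;alert(2)" in out
```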
