How can we prevent html injection in FastAPI?
Question
We are developing REST APIs using python framework called FastAPI. The code security test failed for html injection. They are sending some html tag code in the post payload, we are inserting that in DB and sending same in GET Response. Is there any way to prevent this HTML injection while processing request in FastAPI.
1 answers
solution1
5 2020-08-19 13:50:45
yes. No framework is going to magically change the content you get without you being explicit about it. (Imagine if it was a REST API for recording HTML snippets from an internal system to be used in rendering web pages in another endpoint: you'd need the HTML as is)
It is just a matter of calling a escape function on your input data, before putting that on the db.
Python's standard library html.escape function suffices in this case.
There is no code in your question, and I don't know FASTAPI by heart - but if it puts the payload in the DB without going through any code you write, then you should either customize that and put in this call to preprocess your data, or add a triggered stage (that is, an event subscriber) that will do that for you.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.