From f1bf3041783f1401629405a554e0528865cae8ca Mon Sep 17 00:00:00 2001
From: ZeroPath
Date: Mon, 7 Jul 2025 22:41:54 +0000
Subject: [PATCH] fix: mitigate SSTI vulnerability by escaping user input in template

---
 owasp-top10-2021-apps/a3/sstype/src/server.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/owasp-top10-2021-apps/a3/sstype/src/server.py b/owasp-top10-2021-apps/a3/sstype/src/server.py
index 4455395f3..bc6ac7b68 100644
--- a/owasp-top10-2021-apps/a3/sstype/src/server.py
+++ b/owasp-top10-2021-apps/a3/sstype/src/server.py
@@ -2,6 +2,7 @@
 import tornado.ioloop
 import tornado.web
 import os
+import tornado.escape
 TEMPLATE = open(os.path.join(os.path.dirname(__file__)) + "/public/index.html", 'r').readlines()
@@ -13,9 +14,9 @@ class MainHandler(tornado.web.RequestHandler):
 def get(self):
 name = self.get_argument('name', '')
- template_data = tmpl.replace("NAMEHERE",name)
- t = tornado.template.Template(template_data)
- self.write(t.generate(name=name))
+ safe_name = tornado.escape.xhtml_escape(name)
+ response = tmpl.replace("NAMEHERE", safe_name)
+ self.write(response)
 application = tornado.web.Application([
 (r"/", MainHandler),
@@ -24,4 +25,4 @@ def get(self):
 if __name__ == '__main__':
 application.listen(10001)
- tornado.ioloop.IOLoop.instance().start()
\ No newline at end of file
+ tornado.ioloop.IOLoop.instance().start()
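Review bot: The escaping on the new `safe_name` line is HTML element-text escaping only, so the fix is complete only if the `NAMEHERE` placeholder in public/index.html sits in element text; if it sits inside an attribute, a `<script>` block or a URL, `xhtml_escape` is not the right encoder for that context, and a comment such as `# xhtml_escape is sufficient only because NAMEHERE is rendered as element text in index.html` should be added once that is confirmed. What actually removes the SSTI is dropping the `tornado.template.Template(template_data)` call, since user input no longer reaches the template compiler; the escape is defence in depth against XSS rather than the SSTI mitigation itself, and the commit message would be clearer if it said so. `tmpl` and the `MainHandler` class header are defined outside the hunk, and if the file's `import tornado.template` is now unused it should be removed alongside this change. The path suggests this is a deliberately vulnerable OWASP training app, so confirm the maintainers intend the exercise to be patched rather than preserved.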