Replace '<' and '>' for swarm 'host' field. Fix for XSS attack.

locustio · Oct 22, 2020 · 0d11817 · 0d11817
1 parent dd14aac
commit 0d11817
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/locust/web.py b/locust/web.py
@@ -139,7 +139,8 @@ def swarm():
             spawn_rate = float(request.form["spawn_rate"])
 
             if request.form.get("host"):
-                environment.host = str(request.form["host"])
+                # Replace < > to guard against XSS
+                environment.host = str(request.form["host"]).replace('<', '').replace('>', '')
 
             if environment.shape_class:
                 environment.runner.start_shape()