Resolve XSS vulnerability in local Wordnet browser (#3096)

By setting the Content-type to text/plain when an unknown path is used.
nltk · Dec 28, 2022 · c8cedf1 · c8cedf1
1 parent 2e11807
commit c8cedf1
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/nltk/app/wordnet_app.py b/nltk/app/wordnet_app.py
@@ -127,7 +127,12 @@ def do_GET(self):
             else:
                 # Handle files here.
                 word = sp
-                page = get_static_page_by_path(usp)
+                try:
+                    page = get_static_page_by_path(usp)
+                except FileNotFoundError:
+                    page = "Internal error: Path for static page '%s' is unknown" % usp
+                    # Set type to plain to prevent XSS by printing the path as HTML
+                    type = "text/plain"
         elif sp.startswith("search"):
             # This doesn't seem to work with MWEs.
             type = "text/html"
@@ -816,8 +821,7 @@ def get_static_page_by_path(path):
         return get_static_web_help_page()
     elif path == "wx_help.html":
         return get_static_wx_help_page()
-    else:
-        return "Internal error: Path for static page '%s' is unknown" % path
+    raise FileNotFoundError()
 
 
 def get_static_web_help_page():