From c8cedf10de2c235a2e07223918ec569a65a67152 Mon Sep 17 00:00:00 2001
From: Tom Aarsen <37621491+tomaarsen@users.noreply.github.com>
Date: Wed, 28 Dec 2022 14:58:43 +0100
Subject: [PATCH] Resolve XSS vulnerability in local Wordnet browser (#3096)

By setting the Content-type to text/plain when an unknown path is used.
---
 nltk/app/wordnet_app.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/nltk/app/wordnet_app.py b/nltk/app/wordnet_app.py
index 8a9a24e387..84c2447c71 100644
--- a/nltk/app/wordnet_app.py
+++ b/nltk/app/wordnet_app.py
@@ -127,7 +127,12 @@ def do_GET(self):
 else:
 # Handle files here.
 word = sp
- page = get_static_page_by_path(usp)
+ try:
+ page = get_static_page_by_path(usp)
+ except FileNotFoundError:
+ page = "Internal error: Path for static page '%s' is unknown" % usp
+ # Set type to plain to prevent XSS by printing the path as HTML
+ type = "text/plain"
 elif sp.startswith("search"):
 # This doesn't seem to work with MWEs.
 type = "text/html"
@@ -816,8 +821,7 @@ def get_static_page_by_path(path):
 return get_static_web_help_page()
 elif path == "wx_help.html":
 return get_static_wx_help_page()
- else:
- return "Internal error: Path for static page '%s' is unknown" % path
+ raise FileNotFoundError()
 
 
 def get_static_web_help_page():
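Review bot: The new `type = "text/plain"` line reads as sitting after the try/except rather than inside the `except FileNotFoundError:` branch, which would downgrade every page served from this branch — including the known web_help.html and wx_help.html help pages — to plain text so the browser shows raw HTML source; the commit message describes the downgrade as applying only to unknown paths, and indentation is not recoverable from this rendering, so please confirm the assignment is indented under the except block. The reflected request path in the error message is the only untrusted value in this branch, and escaping it would keep that message safe even if the content type is changed later, `page = "Internal error: Path for static page '%s' is unknown" % html.escape(usp)`, with `html` added to the file's import block, which is outside this hunk. The enclosing do_GET starts and ends outside the hunk, and the header that actually sends `type` is written elsewhere in it.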
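Review bot: `raise FileNotFoundError()` carries no message, so any logging of the exception outside do_GET loses which path was requested; `raise FileNotFoundError("Path for static page '%s' is unknown" % path)` keeps the same exception type for the new handler while giving a log line something to say. Reusing FileNotFoundError also means that if `get_static_web_help_page` or `get_static_wx_help_page` ever reads from disk, a genuine missing-file error would be reported to the client as an unknown path; a dedicated exception class would keep the two cases apart, though that may be more than this fix wants. get_static_page_by_path starts outside the hunk, so the callers of the two helpers above it are not visible here.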