Security: Missing Input Sanitization

[vjpixel]

Medium Security Issue

Missing input sanitization in forms.

File: src/core/forms.py
Severity: MEDIUM
Impact: XSS and injection attacks

Current Code

class CommentForm(forms.Form):
    content = forms.CharField(widget=forms.Textarea)

Suggested Fix

Add sanitization:

from django.core.exceptions import ValidationError
import bleach

class CommentForm(forms.Form):
    content = forms.CharField(widget=forms.Textarea)
    
    def clean_content(self):
        content = self.cleaned_data['content']
        # Sanitize HTML
        return bleach.clean(content, strip=True)

[pablodiegoss]

We don't have many tests to ensure injection isn't possible, however we used | safe transformers on most jinja templates. I'm not really sure we are vulnerable in any places, but adding explicit sanitizing with bleach could be a good measure to avoid future problems as explicit protection is always better than implicit.

LGTM