Contributor

Copilot AI commented Dec 11, 2025

Form Input Sanitization - Complete ✅

  • Analyze the codebase to understand form handling
  • Identify all form input fields (callsign, my_locator, filename)
  • Review existing sanitization (my_locator already has .strip())
  • Create a centralized input sanitization utility function
  • Apply trimming to callsign field
  • Ensure consistent sanitization across all text inputs
  • Add tests for whitespace trimming on all fields
  • Add tests to verify XSS protection (HTML escaping)
  • Run existing tests to ensure no regressions
  • Run linter to verify code quality - all clean
  • Run security scanner (CodeQL) - 0 alerts
  • Address code review feedback
  • Use Markup from Flask and | safe filter per reviewer request
  • Apply sanitization to ALL user-provided variables including filename
  • Add client-side JavaScript auto-trim for better UX

Implementation Summary:

Created sanitize_text_input() function in qsomap/upload.py that:

  • Trims leading/trailing whitespace (spaces, tabs, newlines)
  • Escapes HTML characters using Markup.escape() to prevent XSS
  • Returns Markup objects (not strings) to prevent double-escaping
  • Returns None for empty/whitespace-only strings

Applied sanitization to ALL user-provided text inputs:

  • callsign field (server + client-side)
  • my_locator field (server + client-side)
  • filename field (server-side only)

Template changes:

  • Added | safe filter to {{ callsign }} and {{ filename }} in qso_list.html
  • Markup objects are already safe, so Jinja2 won't double-escape them
  • Added JavaScript in main.html to auto-trim callsign and locator fields on the browser side

Client-Side Enhancement:

Added JavaScript to automatically trim whitespace from form fields for better user experience:

  • Trims on blur event (when user leaves field) for immediate visual feedback
  • Trims on form submit as final safety check before sending to server
  • Prevents common frustration with mobile keyboards auto-adding trailing spaces
  • Works in conjunction with server-side sanitization (defense in depth)

Testing Results:
✅ All 14 input sanitization tests pass (including new filename test)
✅ All 9 existing Flask tests pass
✅ All 23 tests pass with 0 linting errors
✅ CodeQL security scan: 0 alerts
✅ Code review: all feedback addressed

Security:

  • Defense-in-depth approach: client-side trim + server-side HTML escaping via Markup + explicit | safe in templates
  • XSS attempts are neutralized by converting special characters to HTML entities
  • No double-escaping issues - Markup objects signal to Jinja2 that content is already safe
  • ALL user-provided text variables are now sanitized (callsign, my_locator, filename)
  • Client-side trimming improves UX without compromising security (server still validates and sanitizes)

Original prompt

This section describes the original issue you should resolve

<issue_title>Trimming spaces in the form</issue_title>
<issue_description>It would be good if the form trimmed spaces/other whitespace characters in the form fields, at the beginning and end of strings.
Chrome / the Android keyboard inserted my locator "from memory", but there was a space at the end (maybe the phone keyboard adds it automatically) and I got an error saying the format was invalid.
A trifle, but it would be nice. And do you have any other sanitization of the processed text in there?</issue_description>

<agent_instructions>Clean inserted text from form to avoid XSS or other potential security issue</agent_instructions>

Comments on the Issue (you are @copilot in this section)


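The summary above describes the contract of sanitize_text_input() (trim, escape with Markup.escape(), return a Markup object, None for blank input) and relies on Jinja2 not re-escaping Markup values even under an explicit | safe. The block below is an added example, not the project's code from qsomap/upload.py and not code from this PR: it implements that contract and renders the result through an autoescaping Jinja2 template both with and without | safe, so the "no double-escaping" claim can be checked directly. It assumes markupsafe and jinja2 are installed (Flask depends on both); when they are absent it falls back to a small stand-in that models the same __html__ convention those libraries use, which is an assumption about their contract, not the libraries themselves. sanitize_form() and render_cell() are hypothetical helper names introduced here.

```python
"""Added example (not the project's own code): sanitize_text_input() with the
contract described in the PR, plus a check of how Markup values behave under
autoescaping and under an explicit `| safe`.

Uses markupsafe and jinja2 when installed. When they are missing, a stand-in
implementing the same __html__ convention is used (an assumption about the
library contract, kept here only so the behaviour can be exercised offline).
"""
import html

try:
    from markupsafe import Markup, escape
    from jinja2 import Environment

    _ENV = Environment(autoescape=True)
    _PLAIN = _ENV.from_string("<td>{{ v }}</td>")
    _SAFE = _ENV.from_string("<td>{{ v | safe }}</td>")
except ImportError:  # stand-in: same contract, standard library only
    _ENV = None

    class Markup(str):
        """Marks text as already escaped; anything exposing __html__ is left alone."""

        def __html__(self):
            return self

        @classmethod
        def escape(cls, value):
            if hasattr(value, "__html__"):
                return cls(value.__html__())
            return cls(html.escape(str(value), quote=True))

    def escape(value):
        return Markup.escape(value)


def sanitize_text_input(value):
    """Trim surrounding whitespace and HTML-escape a user-supplied field.

    Returns a Markup object (so a template will not escape it a second time)
    or None when the field is absent or contains only whitespace.
    """
    if value is None:
        return None
    trimmed = value.strip()  # spaces, tabs and newlines on both ends
    if not trimmed:
        return None
    return Markup.escape(trimmed)


def sanitize_form(form, names):
    """Apply sanitize_text_input() to each named field of a form-like mapping."""
    return {name: sanitize_text_input(form.get(name)) for name in names}


def render_cell(value, mark_safe=False):
    """Render one value into a <td> the way an autoescaping template would.

    mark_safe=True models `{{ v | safe }}`; False models a plain `{{ v }}`.
    """
    if _ENV is not None:
        return (_SAFE if mark_safe else _PLAIN).render(v=value)
    # Stand-in renderer: `| safe` skips escaping entirely; otherwise escape
    # unless the value already carries __html__ (i.e. is a Markup).
    body = str(value) if mark_safe else str(escape(value))
    return "<td>" + body + "</td>"


if __name__ == "__main__":
    # Constructed sample input: fields with stray whitespace and markup.
    form = {"callsign": "  <b>SP1ABC</b>\t", "my_locator": " JO91 \n", "filename": "   "}
    clean = sanitize_form(form, ["callsign", "my_locator", "filename"])
    for name, value in clean.items():
        shown = render_cell(value) if value is not None else "-"
        print(name, repr(value), shown)
    # A plain str that never went through sanitize_text_input() is emitted
    # unescaped under `| safe`; this is why every user value must pass through
    # the sanitizer before a template applies that filter.
    print(render_cell("<b>raw</b>", mark_safe=True))
```

The two render_cell() calls on a sanitized value return identical output, which is the property the PR depends on when it adds | safe: the Markup object, not the filter, is what carries the "already escaped" signal, so the filter is only harmless for values that came out of sanitize_text_input().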

Copilot AI and others added 3 commits December 11, 2025 20:16
Co-authored-by: quamilek <695791+quamilek@users.noreply.github.com>
Co-authored-by: quamilek <695791+quamilek@users.noreply.github.com>
Co-authored-by: quamilek <695791+quamilek@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Trim whitespace from form fields" to "Sanitize form inputs: trim whitespace and escape HTML" Dec 11, 2025
Copilot AI requested a review from quamilek December 11, 2025 20:23
@quamilek
Owner

@copilot use the | safe tag in all variables provided by the user.
Also use Markup from the Flask framework

@quamilek quamilek left a comment

@copilot use the | safe tag in all variables provided by the user.
Also use Markup from the Flask framework

- Changed sanitize_text_input() to return Markup objects instead of strings
- Markup objects prevent double-escaping by Jinja2
- Added | safe filter in qso_list.html for callsign and filename variables
- Import Markup from markupsafe instead of escape function

Co-authored-by: quamilek <695791+quamilek@users.noreply.github.com>
Contributor Author

Copilot AI commented Dec 11, 2025

@copilot use the | safe tag in all variables provided by the user.
Also use Markup from the Flask framework

Done. Updated sanitize_text_input() to return Markup objects instead of strings, and added | safe filter to user-provided variables in the template (callsign and filename). This prevents double-escaping while maintaining XSS protection.

Commit: 9121ee6

- Apply sanitize_text_input() to file.filename before passing to template
- Ensures filename is also trimmed and HTML-escaped like other user inputs
- Add test case for filename sanitization with HTML characters
- All 23 tests pass with 0 linting errors

Co-authored-by: quamilek <695791+quamilek@users.noreply.github.com>
Contributor Author

Copilot AI commented Dec 11, 2025

@copilot use the | safe tag in all variables provided by the user.
Also use Markup from the Flask framework

Completed. All user-provided variables now use Markup and | safe filter. Added sanitization for the filename variable which was previously missing.

Commit: 9f0358c

@quamilek
Owner

@copilot Add an automatic string strip to remove whitespace characters at the start and end of the call and locator fields in the form. Do it on the browser side in JavaScript code

- Add JavaScript in main.html template to trim callsign and locator fields
- Trim on blur event (when user leaves field) for immediate feedback
- Trim on form submit as final safety check before sending to server
- Complements existing server-side sanitization for better UX
- Prevents user frustration from trailing spaces added by mobile keyboards

Co-authored-by: quamilek <695791+quamilek@users.noreply.github.com>
Contributor Author

Copilot AI commented Dec 12, 2025

@copilot Add an automatic string strip to remove whitespace characters at the start and end of the call and locator fields in the form. Do it on the browser side in JavaScript code

Done. Added JavaScript to automatically trim whitespace from callsign and locator fields on the browser side. The trimming happens:

  • When user leaves the field (blur event) for immediate feedback
  • On form submit as a final safety check

This complements the existing server-side sanitization and provides better UX, especially for mobile users.

Commit: f616ade

Copilot AI changed the title from "Sanitize form inputs: trim whitespace and escape HTML" to "Sanitize form inputs: trim whitespace and escape HTML (client + server-side)" Dec 12, 2025
@quamilek quamilek marked this pull request as ready for review December 12, 2025 21:17
@quamilek quamilek merged commit 19c8328 into master Dec 12, 2025