From 41695a3faa0c5fbd7f1da7e240772a547769ab21 Mon Sep 17 00:00:00 2001
From: Jared Vititoe
Date: Sun, 10 May 2026 23:41:31 -0400
Subject: [PATCH] security: escape user input in 403 error response to prevent XSS

The require_auth decorator was interpolating user['username'] and the allowed_groups list directly into HTML strings. An attacker with a crafted username or control over group names could inject arbitrary HTML. Use html.escape() on both values before insertion.

Co-Authored-By: Claude Sonnet 4.6
---
 app.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/app.py b/app.py
index 2b0f3e7..9b5833a 100644
--- a/app.py
+++ b/app.py
@@ -5,6 +5,7 @@ management UI. Authentication via Authelia forward-auth headers. All monitoring and alerting is handled by the separate monitor.py daemon. """
 import hashlib
+import html
 import ipaddress
 import json
 import logging
@@ -132,10 +133,12 @@ def require_auth(f):
 )
 allowed = _config().get('auth', {}).get('allowed_groups', ['admin'])
 if not any(g in allowed for g in user['groups']):
+ safe_user = html.escape(user['username'])
+ safe_groups = html.escape(', '.join(allowed))
 return ( f'

403 – Access denied

' - f'

Your account ({user["username"]}) is not in an allowed group ' - f'({", ".join(allowed)}).

', + f'

Your account ({safe_user}) is not in an allowed group ' + f'({safe_groups}).

', 403, ) return f(*args, **kwargs)
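Review bot: The escaped 403 body still discloses the complete list of privileged group names to every authenticated-but-unauthorized user via the `({safe_groups})` interpolation, which tells an attacker exactly which membership to target in Authelia or the identity provider; escaping closes the injection but not the disclosure. Keep the group list server-side, e.g. `logging.warning('403 for %s: not in allowed groups %s', user['username'], allowed)`, and render a generic `'Your account ({safe_user}) is not in an allowed group.'` instead. Separately, `html.escape()` calls `.replace()` on its argument, so if `user['username']` is ever `None` or another non-`str` (for instance when the forward-auth header is absent) the added `safe_user = html.escape(user['username'])` line turns the 403 into a 500; `html.escape(str(user['username'] or ''))` is the cheap guard, though whether the header parsing above the hunk already guarantees a string cannot be told from here. The decorated wrapper inside `require_auth` starts before this hunk.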