Skip to content

fix(security): sanitize color_hex on output to prevent CSS injection (v1.38.2)#60

Merged
iscarelli merged 1 commit into
mainfrom
fix/color-hex-css-injection
Jul 10, 2026
Merged

fix(security): sanitize color_hex on output to prevent CSS injection (v1.38.2)#60
iscarelli merged 1 commit into
mainfrom
fix/color-hex-css-injection

Conversation

@iscarelli

Copy link
Copy Markdown
Owner

Addresses a background security-review finding on the color swatch.

Finding (real, low severity)

color_hex is a free-text field (<input type="text">), stored verbatim (no validation in create_filament/update_filament), then interpolated into style="…background:{{ color_hex }}…" and SVG stroke. Jinja autoescaping blocks attribute breakout (quotes escaped) but not CSS/SVG-value injection inside the attribute (e.g. #f00;background:url(…)).

Why low severity: only admin/write users set colors; the strict CSP (default-src 'self'; img-src 'self' data:) blocks external resource loads (no CSS exfiltration); no expression() in modern browsers. Pre-existing pattern (spool list, both details, search) that the recent color column extended.

Fix (output layer — covers legacy data too)

  • New hexcolor Jinja filter: only passes a valid #RGB/#RRGGBB, else a neutral default.
  • Applied to all 13 sites: color swatches + donut strokes across spool/filament lists & details, search, label queue, inventory, plus the data-fill/data-color attributes read by JS.

Verification

  • run-tests.ps1: 174 tests, all green (new test_security_color.py: filter unit tests + a malicious color_hex payload proven neutralized in /spools and /filaments).

Deploy

PATCH (1.38.1 → 1.38.2). After merge: release v1.38.2 and update via /admin/update.

🤖 Generated with Claude Code

…(v1.38.2)

color_hex is a free-text field stored verbatim and interpolated into style="…"
and SVG stroke attributes. Jinja autoescaping blocks attribute breakout but not
CSS/SVG-value injection inside the attribute. New `hexcolor` Jinja filter only
lets a valid #RGB/#RRGGBB through (else a neutral default), applied to every color
swatch, donut stroke, and data-fill/data-color across spool/filament lists and
details, search, label queue, and inventory. Low severity (write-only sets colors;
the strict CSP already blocks external loads) but this is the correct output-layer
fix and also covers legacy stored data.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@iscarelli iscarelli merged commit d81160b into main Jul 10, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant