fix(security): prevent XSS in proxy endpoint via json.dumps()

MarkusNeusinger · claude · MarkusNeusinger · commit 7deb69c98dc3 · 2026-01-05T22:42:41.000+01:00
CodeQL alert #84: target_origin was inserted into JavaScript without proper escaping. Fix uses json.dumps() to safely encode the origin string for JavaScript context, preventing XSS even if the origin contained special characters. - Add json import - Use json.dumps(target_origin) for safe JS string encoding - Update test to match double-quote format from json.dumps() 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
diff --git a/api/routers/proxy.py b/api/routers/proxy.py
@@ -1,5 +1,6 @@
 """HTML proxy endpoint for interactive plots with size reporting."""
 
+import json
 from urllib.parse import urlparse
 
 import httpx
@@ -14,7 +15,13 @@
 
 
 def get_size_reporter_script(target_origin: str) -> str:
-    """Generate size reporter script with specified target origin."""
+    """Generate size reporter script with specified target origin.
+
+    Uses json.dumps() to safely encode the origin string for JavaScript context,
+    preventing XSS even if the origin contained special characters.
+    """
+    # Safely encode for JavaScript string context (includes quotes)
+    safe_origin = json.dumps(target_origin)
     return f"""
 <script>
 (function() {{
@@ -41,7 +48,7 @@ def get_size_reporter_script(target_origin: str) -> str:
           type: 'pyplots-size',
           width: Math.ceil(width),
           height: Math.ceil(height)
-        }}, '{target_origin}');
+        }}, {safe_origin});
       }}
     }} catch (e) {{
       // Silently fail if postMessage is blocked
diff --git a/tests/unit/api/test_proxy.py b/tests/unit/api/test_proxy.py
@@ -257,12 +257,13 @@ class TestSizeReporterScript:
     def test_script_uses_specific_origin(self):
         """Script should use specific origin, not wildcard."""
         assert "'*'" not in SIZE_REPORTER_SCRIPT
+        assert '"*"' not in SIZE_REPORTER_SCRIPT
         # Use regex to verify postMessage uses specific origin, not substring check
         # This avoids CodeQL's "incomplete URL substring sanitization" false positive
-        # Pattern matches: }, 'https://pyplots.ai') - the end of the postMessage call
-        pattern = r"\},\s*'https://pyplots\.ai'\)"
+        # Pattern matches: }, "https://pyplots.ai") - json.dumps() produces double quotes
+        pattern = r'\},\s*"https://pyplots\.ai"\)'
         assert re.search(pattern, SIZE_REPORTER_SCRIPT), (
-            "postMessage must use specific origin 'https://pyplots.ai', not '*'"
+            'postMessage must use specific origin "https://pyplots.ai", not "*"'
         )
 
     def test_script_sends_pyplots_size_message(self):
