Did you hear about the time when Santa became a web designer? He picked up coding with great enthusiasm. Each tag told a story, every element was a toy, and every attribute was a wish from a child around the world. He soon managed to build a website where children could easily send their letters filled with Christmas wishes, and the elves could more efficiently organize the toymaking process.
Today we are simulating an incident that happened shortly after Santa joined the web dev team at the North Pole.
Implement a POST endpoint /14/unsafe that takes some HTML content and unsafely renders it on a small HTML page, i.e. the content is inserted into the page verbatim.
If you choose to use a templating engine for this task, make sure you disable its escaping for this value: most engines HTML-escape interpolated strings by default, and the unsafe rendering required here needs the raw markup to pass through unmodified.
curl -X POST http://localhost:8000/14/unsafe \
-H "Content-Type: application/json" \
-d '{"content": "<h1>Welcome to the North Pole!</h1>"}'
Make sure that no extra whitespace is rendered. The response content below, with two-space indentation and no trailing newline, is exactly 124 bytes long.
<html>
  <head>
    <title>CCH23 Day 14</title>
  </head>
  <body>
    <h1>Welcome to the North Pole!</h1>
  </body>
</html>
Time to clean up the mess that Santa caused in Task 1. Show him how it's done in /14/safe
by rendering the HTML securely against script injection: the content must be HTML-escaped before it is placed in the page, so that the browser shows the submitted markup as text instead of parsing and executing it.
curl -X POST http://localhost:8000/14/safe \
-H "Content-Type: application/json" \
-d '{"content": "<script>alert(\"XSS Attack!\")</script>"}'
<html>
  <head>
    <title>CCH23 Day 14</title>
  </head>
  <body>
    &lt;script&gt;alert(&quot;XSS Attack!&quot;)&lt;/script&gt;
  </body>
</html>
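Both tasks, as an added example that is not the challenge's reference solution: the two renderers behind /14/unsafe and /14/safe written as plain Rust functions (std only, no web framework or templating crate), so that the rendering and escaping logic can be checked stand-alone. The function names, the `escape_html` helper and the `&#x27;` encoding for single quotes are choices made here, not anything the challenge specifies; wiring them into an HTTP handler is left to whichever framework you use.

```rust
// Added example, not the CCH23 reference solution. std only: the HTTP layer
// (Shuttle/axum in the original challenge) is deliberately left out.

/// Page template shared by both endpoints. Two-space indentation and no
/// trailing newline: the challenge expects the unsafe example to be exactly
/// 124 bytes, so every extra byte of whitespace fails the check.
fn render_page(body: &str) -> String {
    format!(
        "<html>\n  <head>\n    <title>CCH23 Day 14</title>\n  </head>\n  <body>\n    {}\n  </body>\n</html>",
        body
    )
}

/// Task 1 (/14/unsafe): the caller's HTML is interpolated verbatim. This is
/// the bug the challenge asks you to reproduce: a `<script>` in `content`
/// runs in the visitor's browser.
fn render_unsafe(content: &str) -> String {
    render_page(content)
}

/// Minimal HTML entity escaping for the five characters that can break out of
/// text content or a quoted attribute value. A single pass over the input
/// means `&` is handled in the same sweep as the rest, so already-escaped
/// input such as `&lt;` becomes `&amp;lt;` and is never silently un-escaped.
/// (Assumption: `'` is rendered as `&#x27;`; any numeric reference works.)
fn escape_html(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Task 2 (/14/safe): same template, but the content is escaped before it is
/// interpolated, so the browser renders the markup as literal text.
fn render_safe(content: &str) -> String {
    render_page(&escape_html(content))
}

fn main() {
    let unsafe_page = render_unsafe("<h1>Welcome to the North Pole!</h1>");
    println!("{}\n-- {} bytes", unsafe_page, unsafe_page.len());
    println!("{}", render_safe("<script>alert(\"XSS Attack!\")</script>"));
}
```

Note that this escaping is only correct for the context the challenge uses, i.e. text content between `<body>` and `</body>`. Placing user input inside a `<script>` block, an event-handler attribute or a URL needs a different encoding for that context, and no single escape function covers all of them.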
You can now run our test cases against your locally running project with the official validator!