feat(utils): ✨ add cookie value sanitizer (hacktoolkit#423)

## Description - Adds `sanitize_cookie_value` utility function. --------- Co-authored-by: Jonathan Tsai <[email protected]>
BawsHuman · Apr 4, 2024 · 9c99e29 · 9c99e29
1 parent c7573de
commit 9c99e29
Showing 1 changed file with 32 additions and 0 deletions.
diff --git a/utils/text/sanitizers.py b/utils/text/sanitizers.py
@@ -0,0 +1,32 @@
+# Python Standard Library Imports
+import html
+import re
+
+# isort: off
+
+
+def sanitize_cookie_value(value: str) -> str:
+    """Sanitize Cookie Value
+
+    Sanitizes a cookie value by escaping HTML special characters and
+    removing non-alphanumeric characters, except for some safe ones like
+    hyphens and underscores.
+
+    Args:
+    - value (str): The cookie value to be sanitized.
+
+    Returns:
+    - str: The sanitized cookie value.
+
+    References:
+    - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
+    - https://stackoverflow.com/a/1969339
+    """
+    # Escape HTML special characters to prevent XSS
+    sanitized_value = html.escape(value)
+
+    # Further restrict to a safe set of characters
+    sanitized_value = re.sub(
+        r'[^a-zA-Z0-9-_!#$%&\'()*+-./:<=>?@[\]^_`{|}~]', '', sanitized_value
+    )
+    return sanitized_value