Verify XSS fix for reflected cacheTimeout parameter (issue #2779)

[Copilot]

Issue #2779 reported a reflected XSS vulnerability at /render/?cacheTimeout=<payload> — when cacheTimeout is non-integer, Python's int() error message includes the raw user input, which was reflected unsanitized in the HTTP response.

Status

The fix is already present in the codebase via the handleInputParameterError decorator in webapp/graphite/errors.py, which applies htmlEscape() before returning any HttpResponseBadRequest:

def handleInputParameterError(f):
    def new_f(*args, **kwargs):
        try:
            return f(*args, **kwargs)
        except InputParameterError as e:
            msgStr = str(e)
            log.warning('%s', msgStr)
            return HttpResponseBadRequest(htmlEscape(msgStr))  # XSS safe
    return new_f

Error flow

• parseOptions() → int(queryParams.get('cacheTimeout', ...)) raises ValueError
• renderView() catches → re-raises as InputParameterError(str(e))
• @handleInputParameterError → returns HttpResponseBadRequest(htmlEscape(msgStr))

Test coverage

RenderXSSTest.test_render_xss in webapp/tests/test_xss.py directly exercises this path with a crafted XSS string across cacheTimeout, from, and until parameters, asserting a clean 400 response with no unescaped HTML. All 5 XSS tests pass.

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[deniszh]

Empty commit, no need to merge