fix: Patch XSS Vulnerability (#5754)

tests/integration_tests/test_spa.py

@@ -2,7 +2,8 @@ import pytest
 from bs4 import BeautifulSoup
 
 from mealie.routes import spa
-from mealie.schema.recipe.recipe import Recipe
+from mealie.schema.recipe.recipe import Recipe, RecipeSettings
+from mealie.schema.recipe.recipe_notes import RecipeNote
 from mealie.schema.recipe.recipe_share_token import RecipeShareTokenSave
 from tests import data as test_data
 from tests.utils.factories import random_string
@@ -189,3 +190,28 @@ async def test_spa_service_shared_recipe_with_meta_invalid_data(unique_user: Tes
 
     response = await spa.serve_shared_recipe_with_meta(group.slug, random_string(), session=unique_user.repos.session)
     assert response.status_code == 404
+
+
+@pytest.mark.parametrize(
+    "malicious_content, malicious_strings",
+    [
+        ("<script>alert('XSS');</script>", ["<script>", "alert('XSS')"]),
+        ("<img src=x onerror=alert('XSS')>", ["<img", "onerror=alert('XSS')"]),
+        ("<div onmouseover=alert('XSS')>Hover me</div>", ["<div", "onmouseover=alert('XSS')"]),
+        ("<a href='javascript:alert(\"XSS\")'>Click me</a>", ["<a", 'javascript:alert("XSS")']),
+    ],
+)
+def test_spa_escapes_malicious_recipe_data(unique_user: TestUser, malicious_content: str, malicious_strings: list[str]):
+    recipe = Recipe(
+        user_id=unique_user.user_id,
+        group_id=unique_user.group_id,
+        name=malicious_content,
+        description=malicious_content,
+        image=malicious_content,
+        notes=[RecipeNote(title=malicious_content, text=malicious_content)],
+        settings=RecipeSettings(),
+    )
+
+    response = spa.content_with_meta(unique_user.group_id, recipe)
+    for string in malicious_strings:
+        assert string not in response