also block XSS attempts in security middleware

syphar · syphar · commit 723ab2fe3751 · 2026-04-16T01:23:32.000+02:00
diff --git a/crates/bin/docs_rs_web/src/middleware/security.rs b/crates/bin/docs_rs_web/src/middleware/security.rs
@@ -50,6 +50,11 @@ fn validate_decoded_path(path: &str) -> Result<()> {
         bail!("detected `#` in request path");
     }
 
+    // `<` and `>` are never allowed — they indicate HTML injection attempts.
+    if path.contains('<') || path.contains('>') {
+        bail!("detected `<` or `>` in request path");
+    }
+
     Ok(())
 }
 
@@ -78,6 +83,9 @@ mod tests {
     #[test_case(
         "/crate/mika-cli/latest/source/..%25c1%259c..%25c1%259c..%25c1%259c..%25c1%259c..%25c1%259c..%25c1%259c..%25c1%259c..%25c1%259c/etc/passwd"
     )]
+    #[test_case(
+        "/mathru/0.10.0/i686-unknown-linux-gnu/mathru/special/hypergeometric/%3E%3Cscript%20defer%20src=%22https:/cdn.jsdelivr.net/npm/katex@0.10.1/dist/katex.min.js%22%20integrity=%22sha384-2BKqo+exmr9su6dir+qCw08N2ZKRucY4PrGQPP..."
+    )]
     async fn test_invalid_path(path: &str) -> Result<()> {
         let app = Router::new()
             .route("/{*inner}", get(|| async { StatusCode::OK }))
