add sanitization to to_json output (#2287)

tomkralidis · tomkralidis · commit 22b8d492c111 · 2026-03-16T05:54:06.000-04:00
diff --git a/pygeoapi/util.py b/pygeoapi/util.py
@@ -261,8 +261,14 @@ def to_json(dict_: dict, pretty: bool = False) -> str:
     else:
         indent = None
 
-    return json.dumps(dict_, default=json_serial, indent=indent,
-                      separators=(',', ':'))
+    LOGGER.debug('Dumping JSON')
+    json_dump = json.dumps(dict_, default=json_serial, indent=indent,
+                           separators=(',', ':'))
+
+    LOGGER.debug('Removing < and >')
+    json_dump = json_dump.replace('<', '&lt').replace('>', '&gt')
+
+    return json_dump
 
 
 def format_datetime(value: str, format_: str = DATETIME_FORMAT) -> str:
diff --git a/tests/other/test_util.py b/tests/other/test_util.py
@@ -74,6 +74,17 @@ def test_get_typed_value():
     assert isinstance(value, bool)
 
 
+@pytest.mark.parametrize('data,minified,pretty_printed', [
+    [{'foo': 'bar'}, '{"foo":"bar"}', '{\n    "foo":"bar"\n}'],
+    [{'foo<script>alert("hi")</script>': 'bar'},
+     '{"foo&ltscript&gtalert(\\"hi\\")&lt/script&gt":"bar"}',
+     '{\n    "foo&ltscript&gtalert(\\"hi\\")&lt/script&gt":"bar"\n}']
+])
+def test_to_json(data, minified, pretty_printed):
+    assert util.to_json(data) == minified
+    assert util.to_json(data, pretty=True) == pretty_printed
+
+
 def test_yaml_load(config):
     assert isinstance(config, dict)
     with pytest.raises(FileNotFoundError):
