I'm writing a website in Flask that allows users to upload and then view text files (JSON and XML). I send JSON files with a Content-type header of application/json and I send XML with application/xml.

After the file has been uploaded from the form, I process the name using secure_filename(). I save the file to the server using the save() method on the file object. The files are saved to a directory on my server. Otherwise, I do not process the files; it is important that the XML tags remain intact for the purposes of my project since later on the users may choose to parse the files.

To serve the files back to the user, I use send_from_directory.

My question is, is this design vulnerable to XSS or code injection and, if so, how do I prevent such attacks?


Solution

No, your design is not vulnerable to XSS attacks. At no point do you use any user-supplied content in generating your web pages themselves.

The content passes through your site as a black box instead; from the browser to your filesystem, then back to other HTTP clients that may choose to download the content again.

You control the filename entirely; you never read the contents of the file, and you never take any of the file contents and put them into generated HTML content.

The only problem that may exist is that someone uploads a file that is not XML or JSON, really, but a file that exploits a vulnerability in whatever the downloader uses to parse the file. That's not an XSS attack however.
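As an added example (not the asker's code or the answerer's), here are the two defensive pieces a practitioner would put around the upload/serve flow described above: a check that the stored bytes really are well-formed JSON or XML (the remaining risk the answer names), and the response headers that make the browser treat the served file as a download rather than a document. It uses only the standard library; the function names and the extension-forcing rule are this example's own assumptions, not Flask's API.

```python
import json
import os
import re
import xml.etree.ElementTree as ET

# The two Content-Types the question already sends.
CONTENT_TYPES = {"json": "application/json", "xml": "application/xml"}


def classify_upload(data: bytes) -> str:
    """Return 'json' or 'xml' when the bytes genuinely parse as that format.

    This only parses; the file is stored byte-for-byte, so XML tags stay
    intact. Anything else (binary, malformed text) raises ValueError.
    """
    text = data.decode("utf-8")  # both formats are text; rejects raw binary
    try:
        json.loads(text)
        return "json"
    except ValueError:
        pass
    try:
        ET.fromstring(text)
        return "xml"
    except ET.ParseError:
        raise ValueError("upload is neither well-formed JSON nor XML")


def stored_name(filename: str, kind: str) -> str:
    """Stand-in for werkzeug's secure_filename (assumed, not the real one):
    drop any path component and odd characters, then force the extension
    to match the detected content rather than the user's claim."""
    base = os.path.basename(filename.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip("._") or "upload"
    stem = base.rsplit(".", 1)[0]
    return f"{stem}.{kind}"


def download_headers(name: str, kind: str) -> dict:
    """Headers for serving the stored file back: the declared Content-Type,
    no MIME sniffing, and attachment disposition so the browser downloads
    the file instead of rendering it as a page."""
    return {
        "Content-Type": CONTENT_TYPES[kind],
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{name}"',
    }
```

With Flask, the same effect comes from calling send_from_directory with `mimetype=CONTENT_TYPES[kind]` and `as_attachment=True`, then setting the `X-Content-Type-Options` header on the returned response.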

Licensed under: CC-BY-SA with attribution