Security: fix XSS vulnerabilities in health and grok routes (#124)

tests/security/test_xss_vulnerabilities.py

@@ -0,0 +1,50 @@
+import pytest
+from fastapi.testclient import TestClient
+from dashboard.app import app
+from config import settings
+import html
+
+@pytest.fixture
+def client():
+    return TestClient(app)
+
+def test_health_status_xss_vulnerability(client):
+    """Verify that the health status page escapes the model name."""
+    original_model = settings.ollama_model
+    malicious_model = '"><script>alert("XSS")</script>'
+    
+    try:
+        # Inject malicious model name into settings
+        settings.ollama_model = malicious_model
+        
+        response = client.get("/health/status")
+        assert response.status_code == 200
+        
+        # The malicious script should be escaped
+        escaped_model = html.escape(malicious_model)
+        assert escaped_model in response.text
+        assert malicious_model not in response.text
+    finally:
+        settings.ollama_model = original_model
+
+def test_grok_toggle_xss_vulnerability(client):
+    """Verify that the grok toggle card escapes the model name."""
+    original_model = settings.grok_default_model
+    malicious_model = '"><img src=x onerror=alert(1)>'
+    
+    try:
+        # Inject malicious model name into settings
+        settings.grok_default_model = malicious_model
+        
+        # We need to make grok available to trigger the render_toggle_card
+        # Since we're in test mode, we might need to mock this or just call the function
+        from dashboard.routes.grok import _render_toggle_card
+        
+        html_output = _render_toggle_card(active=True)
+        
+        # The malicious script should be escaped
+        escaped_model = html.escape(malicious_model)
+        assert escaped_model in html_output
+        assert malicious_model not in html_output
+    finally:
+        settings.grok_default_model = original_model