"""
SecureCodeEnv Task: Input Sanitizer
Difficulty: Easy
CWE Targets: CWE-20 (Improper Input Validation), CWE-116 (Improper Encoding/Escaping)
"""
TASK = {
# Task record for the SecureCodeEnv harness: metadata, the prompt shown to the
# solver, a starter stub, the checks run against a submission, and a reference
# solution. Only the fields visible here are described; how the harness loads
# and scores the record is not shown in this file.
"id": "easy_input_sanitizer",
"difficulty": "easy",
"cwe_targets": ["CWE-20", "CWE-116"],
"component_name": "InputSanitizer",
# Destination path for the solver's submission inside the task repository.
"filename": "src/utils/input_sanitizer.py",
# Prompt text. NOTE(review): the "Must escape" line lists the five characters
# twice as raw characters; the reference solution below uses
# html.escape(..., quote=True), so the intended right-hand side is almost
# certainly the entity forms that call emits (&lt; &gt; &amp; &quot; &#x27;) --
# the escaped forms look collapsed by extraction; confirm against upstream.
"problem_statement": """Write two Python functions:
1. `sanitize_html(user_input: str) -> str`
Escapes HTML special characters to prevent XSS.
Must escape: < > & " ' (to < > & " ')
Must handle None input (return empty string).
2. `sanitize_filename(filename: str) -> str`
Makes a filename safe to use on the filesystem.
Must: strip path separators (/ \\ ..), allow only alphanumeric, dots, dashes, underscores.
Must reject empty filenames (return 'unnamed').
Must truncate to 255 characters.
Do NOT use eval(), exec(), or os.system(). Do NOT trust any input.""",
# Starter stub handed to the solver. NOTE(review): the function bodies sit at
# column 0 directly under their `def` lines, which will not parse as Python --
# the indentation appears lost in extraction; confirm against upstream before
# handing this to a solver.
"starter_code": '''def sanitize_html(user_input: str) -> str:
# TODO: Escape HTML properly
return user_input
def sanitize_filename(filename: str) -> str:
# TODO: Make filename safe
return filename
''',
# Checks run against a submission. Each entry names the function, its
# positional arguments, and substrings that must be absent from the result.
"test_cases": [
# NOTE(review): inputs that carried HTML tags appear stripped in this view.
# As written, "input": [""] paired with "expected_not_contains": [""] can
# never pass -- the empty string is a substring of every output -- so this
# entry reports a failure regardless of the submission. Restore the original
# payloads from upstream rather than from this copy.
{"fn": "sanitize_html", "input": [""], "expected_not_contains": [""], "description": "XSS script tag escaped"},
# NOTE(review): the record is truncated mid-literal from here until the
# reference solution's first signature line; the remaining test cases, the key
# that introduces the reference solution, and its import lines (html, re are
# used below) are missing from this view.
{"fn": "sanitize_html", "input": ['
'], "expected_not_contains": ["
 str:
"""Escapes HTML special characters to prevent XSS."""
if user_input is None:
return ""
return html.escape(str(user_input), quote=True)
def sanitize_filename(filename: str) -> str:
"""Returns a filesystem-safe filename."""
if not filename:
return "unnamed"
# Remove path separators and traversal sequences
filename = re.sub(r'[\\\\/]', '_', filename)
filename = filename.replace('..', '')
# Keep only safe characters
filename = re.sub(r'[^a-zA-Z0-9._\\-]', '_', filename)
filename = filename.strip('._')
if not filename:
return "unnamed"
return filename[:255]
''',
# Reading notes on the reference solution string above:
# - It lives in a non-raw ''' literal, so the doubled backslashes in the two
#   regexes collapse once when the string is emitted: the solution code itself
#   contains r'[\\/]' (backslash or slash) and r'[^a-zA-Z0-9._\-]'.
# - Order of operations: separators -> '_', then '..' deleted, then every
#   character outside the whitelist -> '_', then leading/trailing '.'/'_'
#   stripped, then truncation to 255. Because the whitelist is ASCII-only,
#   255 characters is also 255 bytes.
# - Truncation runs after the strip, so a 255-character result can still end
#   in '.' or '_'; whether that matters depends on the target filesystem.
# - The solution's own function bodies are also at column 0 here (same
#   extraction issue as the starter stub); confirm against upstream.
}