瀏覽代碼

Escape a potential HTML injection in highlighting if mwparser fails.

pull/24/head
Ben Kurtovic 12 年之前
父節點
當前提交
aa0b66a059
共有 2 個文件被更改,包括 3 次插入3 次删除
  1. +2
    -1
      toolserver/copyvios/highlighter.py
  2. +1
    -2
      toolserver/settings.py

+ 2
- 1
toolserver/copyvios/highlighter.py 查看文件

@@ -2,7 +2,7 @@

from re import sub, UNICODE

# TODO: escape if input contains pseudo-HTML
from markupsafe import escape

def highlight_delta(context, chain, delta):
processed = []
@@ -34,6 +34,7 @@ def highlight_delta(context, chain, delta):
return u"<br /><br />".join(processed)

def _highlight_word(word, before, after, is_first, is_last):
word = escape(word)
if before and after:
# Word is in the middle of a highlighted block, so don't change
# anything unless this is the first word (force block to start) or


+ 1
- 2
toolserver/settings.py 查看文件

@@ -8,7 +8,6 @@ from .sites import get_sites

def main(context, environ, headers, cookies):
query = Query(environ, method="POST")

if query.action == "set":
status = _do_set(query, headers, cookies)
elif query.action == "delete":
@@ -46,7 +45,7 @@ def _do_set(query, headers, cookies):
def _do_delete(query, headers, cookies):
if query.cookie in cookies:
delete_cookie(headers, cookies, query.cookie.encode("utf8"))
template = "Deleted cookie <b><tt>{0}</tt></b>."
template = u"Deleted cookie <b><tt>{0}</tt></b>."
return template.format(escape(query.cookie))
elif query.all:
number = len(cookies)


Loading…
取消
儲存