basic XSS protection m)

This commit is contained in:
posativ 2012-10-21 11:47:57 +02:00
parent 443eb2bbe1
commit a15338209b


@ -3,6 +3,8 @@
# Copyright 2012, Martin Zimmermann <info@posativ.org>. All rights reserved. # Copyright 2012, Martin Zimmermann <info@posativ.org>. All rights reserved.
# License: BSD Style, 2 clauses. see isso/__init__.py # License: BSD Style, 2 clauses. see isso/__init__.py
import cgi
from werkzeug.wrappers import Response from werkzeug.wrappers import Response
from werkzeug.exceptions import abort from werkzeug.exceptions import abort
@ -17,7 +19,19 @@ def create(app, environ, request, path):
return abort(404) return abort(404)
try: try:
rv = app.db.add(path, models.Comment.fromjson(request.data)) comment = models.Comment.fromjson(request.data)
except ValueError:
return abort(400)
for attr in 'author', 'email', 'website':
if getattr(comment, attr) is not None:
try:
setattr(comment, attr, cgi.escape(getattr(comment, attr)))
except AttributeError:
abort(400)
try:
rv = app.db.add(path, comment)
except ValueError: except ValueError:
return abort(400) return abort(400)
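Review bot: The escaping added on the `setattr` line uses `cgi.escape` with its default `quote=False`, so double quotes in `author`, `email` and `website` pass through unchanged; if any of these is later emitted inside an HTML attribute (a `website` value as an `href` is the obvious case), the protection is incomplete, so call `cgi.escape(getattr(comment, attr), quote=True)`. Escaping also does not validate `website` as a URL: a stored value whose scheme is not `http`/`https` would still be rendered as a link, so a scheme check with `urlparse` before storing (reject with 400 otherwise) would close that gap — this is inferred from the field name, as the template is outside the hunk. Note that on Python 3 `cgi.escape` is deprecated in favour of `html.escape`, should the project move there. The bare `abort(400)` in the `except AttributeError` branch works because werkzeug's `abort` raises, but the sibling branches write `return abort(400)`; using the same form keeps the control flow obvious. `create`'s body continues beyond the hunk.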