From bd1cb498d18020c28df0ff747249289628198ba6 Mon Sep 17 00:00:00 2001
From: Martin Zimmermann
Date: Tue, 22 Jul 2014 19:33:09 +0200
Subject: [PATCH] remove cgi.escape and simplify input sanitization
Escaping is done in Jade templates (by default).
---
 isso/views/api.py | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)
diff --git a/isso/views/api.py b/isso/views/api.py
index f4e5f5a..4a27a7f 100644
--- a/isso/views/api.py
+++ b/isso/views/api.py
@@ -2,8 +2,6 @@
 from __future__ import unicode_literals
-import cgi
-
 from functools import partial
 from itsdangerous import SignatureExpired, BadSignature
@@ -100,24 +98,24 @@ class API(object):
 return obj
- @xhr
- @requires(str, 'uri')
- def new(self, environ, request, uri):
- data = request.get_json()
-
+ @classmethod
+ def sanitize(cls, data):
 if not isinstance(data, dict):
 raise BadRequest(400, "request data is not an object")
 for field in set(data.keys()) - API.ACCEPT:
 data.pop(field)
- for field in ("author", "email", "website"):
- if isinstance(data.get(field, None), string_types):
- data[field] = cgi.escape(data[field])
-
 if isinstance(data.get("website", None), string_types):
 data["website"] = normalize(data["website"])
+ return data
+
+ @xhr
+ @requires(str, 'uri')
+ def new(self, environ, request, uri):
+ data = API.sanitize(request.get_json())
+
 remote_addr = utils.anonymize(str(request.remote_addr))
 with self.db.transaction:
@@ -174,7 +172,7 @@ class API(object):
 if rv[1] != sha1(comment.text):
 raise Forbidden
- data = request.get_json()
+ data = API.sanitize(request.get_json())
 if not isinstance(data, dict):
 raise BadRequest(400, "request data is not an object")
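Review bot: The new `sanitize` classmethod in the second hunk has no docstring, and because this commit drops the `cgi.escape` pass, the values it returns are now stored as submitted, which is exactly the contract a reader needs spelled out so that every output path (not only the Jade templates the commit message relies on) is known to be responsible for escaping. I would add `"""Drop fields outside ACCEPT and normalize "website". Values are returned unescaped; escape at render time."""` directly under `def sanitize(cls, data):`. The method also reads `API.ACCEPT` instead of `cls.ACCEPT`, which makes the `@classmethod` form and any subclass override of `ACCEPT` ineffective; `for field in set(data.keys()) - cls.ACCEPT:` keeps the decorator meaningful. Note that it mutates the dict it is given and then returns that same object, which is worth a sentence in the docstring as well. The page has lost the hunk's indentation, so the exact nesting of these lines is inferred.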
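Review bot: In the third hunk, the `if not isinstance(data, dict): raise BadRequest(400, "request data is not an object")` check that follows the new `data = API.sanitize(request.get_json())` line can no longer fail, because `sanitize` already raises the same `BadRequest` for non-dict input before returning; the two context lines are now dead code and leave a second, misleading copy of the validation in the edit handler. I would drop them so the handler mirrors `new`, where the commit already replaced the inline check with the `sanitize` call. The enclosing method starts and ends outside the hunk, so any further field handling after this point is not visible here.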