properly escape user names and list names

pandora/item/models.py

@@ -211,6 +211,7 @@ class Item(models.Model):
             groups = data.pop('groups')
             if isinstance(groups, list):
                 groups = filter(lambda g: g.strip(), groups)
+                groups = [ox.escape_html(g) for g in groups]
                 self.groups.exclude(name__in=groups).delete()
                 current_groups = [g.name for g in self.groups.all()]
                 for g in filter(lambda g: g not in current_groups, groups):
@@ -234,10 +235,21 @@ class Item(models.Model):
                     del self.data[key]
             else:
                 k = filter(lambda i: i['id'] == key, settings.CONFIG['itemKeys'])
-                if k and k.get('type') == 'text': 
+                ktype = k and k[0].get('type') or ''
+                if ktype == 'text': 
                     self.data[key] = ox.parse_html(data[key])
+                elif ktype == '[text]': 
+                    self.data[key] = [ox.parse_html(t) for t in data[key]]
+                elif ktype == '[string]': 
+                    self.data[key] = [ox.escape_html(t) for t in data[key]]
                 elif isinstance(data[key], basestring):
                     self.data[key] = ox.escape_html(data[key])
+                elif isinstance(data[key], list):
+                    def cleanup(i):
+                        if isinstance(i, basestring):
+                            i = ox.escape_html(i)
+                        return i
+                    self.data[key] = [cleanup(i) for i in data[key]]
                 else:
                     self.data[key] = ox.escape_html(data[key])
         return self.save()

pandora/place/views.py

@@ -51,7 +51,7 @@ def addPlace(request):
                 name = 'Untitled [%s]' %n
             n += 1
     names = [name] + data.get('alternativeNames', [])
-    data['alternativveNames'] = [ox.escape_html(n)
+    data['alternativeNames'] = [ox.escape_html(n)
             for n in data.get('alternativeNames', [])]
     name = ox.escape_html(name)
     for n in names:

pandora/user/views.py

@@ -131,6 +131,8 @@ def signup(request):
     data = json.loads(request.POST['data'])
     if 'username' in data and 'password' in data:
         data['username'] = data['username'].strip()
+        if 'email' in data:
+            data['email'] = ox.escape_html(data['email'])
         if models.User.objects.filter(username__iexact=data['username']).count() > 0:
             response = json_response({
                 'errors': {
@@ -324,6 +326,8 @@ def editUser(request):
     if 'disabled' in data:
         user.is_active = not data['disabled']
     if 'email' in data:
+        if 'email' in data:
+            data['email'] = ox.escape_html(data['email'])
         if models.User.objects.filter(email__iexact=data['email']).exclude(id=user.id).count()>0:
             response = json_response(status=403, text='email already in use')
             return render_to_json_response(response)
@@ -338,6 +342,7 @@ def editUser(request):
         groups = data['groups']
         if isinstance(groups, list):
             groups = filter(lambda g: g.strip(), groups)
+            groups = [ox.escape_html(g) for g in groups]
             user.groups.exclude(name__in=groups).delete()
             current_groups = [g.name for g in user.groups.all()]
             for g in filter(lambda g: g not in current_groups, groups):
@@ -696,7 +701,7 @@ def editPreferences(request):
             errors['email'] = 'Email address already in use'
         else:
             change = True
-            request.user.email = data['email']
+            request.user.email = ox.escape_html(data['email'])
     if 'newsletter' in data:
         profile = request.user.get_profile()
         profile.newsletter = data['newsletter']