From 67bc4475e906e39bdc08b9c0ea1700becffc9864 Mon Sep 17 00:00:00 2001 From: j <0x006A@0x2620.org> Date: Tue, 21 Feb 2012 21:56:06 +0530 Subject: [PATCH] first round of input sanitization --- pandora/annotation/utils.py | 10 ++-------- pandora/app/views.py | 2 +- pandora/event/views.py | 21 ++++++++++++++------- pandora/item/models.py | 10 ++++++++-- pandora/item/views.py | 4 ++-- pandora/itemlist/views.py | 6 ++++-- pandora/place/views.py | 19 +++++++++++++------ 7 files changed, 44 insertions(+), 28 deletions(-) diff --git a/pandora/annotation/utils.py b/pandora/annotation/utils.py index b7a3980f..a314b608 100644 --- a/pandora/annotation/utils.py +++ b/pandora/annotation/utils.py @@ -1,18 +1,12 @@ # -*- coding: utf-8 -*- # ci:si:et:sw=4:sts=4:ts=4 -import re import ox -import html5lib - def cleanup_value(value, layer_type): #FIXME: what about other types? location etc if layer_type == 'text': - value = sanitize_fragment(value) + value = ox.parse_html(value) else: - value = ox.stripTags(value) + value = ox.escape_html(value) return value -def sanitize_fragment(html): - return html5lib.parseFragment(html).toxml().decode('utf-8') - diff --git a/pandora/app/views.py b/pandora/app/views.py index 84198b02..a297c485 100644 --- a/pandora/app/views.py +++ b/pandora/app/views.py @@ -139,7 +139,7 @@ def editPage(request): page, created = models.Page.objects.get_or_create(name=data['name']) if not created: page.log() - page.text = data['text'] + page.text = ox.parse_html(data['text']) page.save() response = json_response({'name': page.name, 'text': page.text}) else: diff --git a/pandora/event/views.py b/pandora/event/views.py index 7b353df5..602dad94 100644 --- a/pandora/event/views.py +++ b/pandora/event/views.py 
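Review bot: The non-text branch of cleanup_value now stores entity-encoded text (`ox.escape_html`) where it previously stored tag-stripped text, so every non-text layer value is HTML-escaped at rest and any consumer that reads it as plain text (JSON clients, the name/match code elsewhere in this patch) will see `&amp;` and friends, and a value that passes through cleanup_value a second time is encoded again unless `ox.escape_html` happens to be idempotent, which is not visible here. The function has no docstring and the carried-over `#FIXME: what about other types? location etc` is the only hint at its contract; add one that states it, e.g. `"""Sanitize a user-supplied layer value: 'text' layers are parsed as HTML fragments, every other layer is stored HTML-escaped; callers must pass raw (not already escaped) input."""`. Whether `ox.parse_html` actually strips scripts and event handlers is the whole safety argument for the text branch and should be stated in that docstring too, once confirmed against the ox implementation.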
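Review bot: `ox.parse_html(data['text'])` in editPage relies on `ox` being imported in app/views.py, but unlike the itemlist/views.py hunk of this same patch no `import ox` is added here (the diffstat shows one insertion and one deletion for the file), so if the module does not already import it above this hunk the line raises NameError on the first page edit. The start of editPage is outside the hunk, so this cannot be confirmed from the diff alone; please verify the import. Returning the sanitized `page.text` in the response rather than the submitted text is the right choice and is worth a one-line comment on the `json_response` line, e.g. `# echo the sanitized text so the client replaces what it submitted`.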
@@ -31,22 +31,27 @@ def addEvent(request): exists = False names = [data['name']] + data.get('alternativeNames', []) for name in names: + name = ox.decodeHtml(name) if models.Event.objects.filter(defined=True, name_find__icontains=u'|%s|'%name).count() != 0: exists = True existing_names.append(name) if not exists: models.Event.objects.filter(defined=False, name__in=names).delete() - event = models.Event(name = data['name']) + data['name'] = ox.escape_html(data['name']) + event = models.Event(name=data['name']) for key in ('start', 'startTime', 'end', 'endTime', 'duration', 'durationTime', 'type', 'alternativeNames'): if key in data and data[key]: value = data[key] + if isinstance(value, basestring): + value = ox.escape_html(value) if key == 'alternativeNames': - value = tuple(value) + value = tuple([ox.escape_html(v) for v in value]) setattr(event, key, value) if 'nameSort' in data: - event.set_name_sort(data['nameSort']) + value = ox.escape_html(data['nameSort']) + event.set_name_sort(value) event.matches = 0 event.save() event.update_matches() @@ -83,17 +88,19 @@ def editEvent(request): conflict_names.append(name) if not conflict: models.Event.objects.filter(defined=False, name__in=names).delete() - if 'name' in data: - event.set_name_sort(data['name']) for key in ('name', 'start', 'startTime', 'end', 'endTime', 'duration', 'durationTime', 'type', 'alternativeNames'): if key in data: value = data[key] + if isinstance(value, basestring): + value = ox.escape_html(value) if key == 'alternativeNames': - value = tuple(value) + value = tuple([ox.escape_html(v) for v in value]) setattr(event, key, value) + if 'name' in data: + event.set_name_sort(ox.escape_html(data['name'])) if 'nameSort' in data: - event.set_name_sort(data['nameSort']) + event.set_name_sort(ox.escape_html(data['nameSort'])) event.save() if 'name' in data or 'alternativeNames' in data: event.update_matches() diff --git a/pandora/item/models.py b/pandora/item/models.py index 4b76ec5f..980111bd 100644 
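Review bot: In addEvent the context line `names = [data['name']] + data.get('alternativeNames', [])` still holds the raw input and is passed unchanged to `models.Event.objects.filter(defined=False, name__in=names).delete()`, while the event that is then saved uses `ox.escape_html(data['name'])` and escaped alternative names, so for any name containing `&`, `<`, `>` or a quote the delete and the insert refer to different strings. The duplicate check decodes each raw name with `ox.decodeHtml` before matching `name_find`; whether that can ever match a stored (escaped) name depends on how `name_find` is built, which is not in this hunk, and deserves a comment such as `# name_find is matched against the decoded form; stored names are HTML-escaped`. Escaping before the list is built keeps all three uses consistent: move `data['name'] = ox.escape_html(data['name'])` above the `names = ...` line and add `data['alternativeNames'] = [ox.escape_html(n) for n in data.get('alternativeNames', [])]` next to it, then drop the per-element escaping in the `alternativeNames` branch below. addEvent begins before this hunk.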
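Review bot: In editEvent `value = ox.escape_html(value)` is applied on every edit to whatever the client submits, so a client that round-trips a value it read back from the API (now stored entity-encoded, e.g. `&amp;`) gets it encoded again to `&amp;amp;`, and the same applies to the two `set_name_sort(ox.escape_html(...))` calls. Unless `ox.escape_html` is idempotent on already-escaped input or the client is known to decode before submitting (neither is visible here), normalise first: `value = ox.escape_html(ox.decodeHtml(value))`. The `alternativeNames` branch, `tuple([ox.escape_html(v) for v in value])`, also assumes every element is a string and that `value` is a list; a bare string would be iterated character by character and a non-string element would reach `escape_html`, so an `isinstance(value, list)` check with a 400-style rejection is warranted. editEvent begins before this hunk and `names` in the delete on the first context line is computed above it, presumably from the raw input.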
--- a/pandora/item/models.py +++ b/pandora/item/models.py @@ -226,14 +226,20 @@ class Item(models.Model): if not description: description = '' d, created = Description.objects.get_or_create(key=k, value=value) - d.description = description + d.description = ox.parse_html(description) d.save() for key in data: if data[key] == None: if key in self.data: del self.data[key] else: - self.data[key] = data[key] + k = filter(lambda i: i['id'] == key, settings.CONFIG['itemKeys']) + if k and k.get('type') == 'text': + self.data[key] = ox.parse_html(data[key]) + elif isinstance(data[key], basestring): + self.data[key] = ox.escape_html(data[key]) + else: + self.data[key] = ox.escape_html(data[key]) return self.save() def log(self): diff --git a/pandora/item/views.py b/pandora/item/views.py index 8d521b56..2ca647cc 100644 --- a/pandora/item/views.py +++ b/pandora/item/views.py @@ -433,10 +433,10 @@ def edit(request): response = json_response(status=200, text='ok') if 'notes' in data: if request.user.get_profile().capability('canEditMetadata'): - item.notes = data['notes'] + item.notes = ox.parse_html(data['notes']) del data['notes'] if 'rightslevel' in data: - item.level = data['rightslevel'] + item.level = int(data['rightslevel']) del data['rightslevel'] if 'user' in data: if request.user.get_profile().get_level() in ('admin', 'staff') and \ diff --git a/pandora/itemlist/views.py b/pandora/itemlist/views.py index 35235545..1051ca05 100644 --- a/pandora/itemlist/views.py +++ b/pandora/itemlist/views.py @@ -3,6 +3,8 @@ from __future__ import division import os +import ox + from django.db.models import Max, Sum from django.db import transaction from django.http import HttpResponseForbidden, Http404 @@ -238,7 +240,7 @@ def addList(request): value = list.status list.status = value if 'description' in data: - list.description = data['description'] + list.description = ox.parse_html(data['description']) if 'view' in data: list.view = data['view'] if 'sort' in data: 
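Review bot: `k = filter(lambda i: i['id'] == key, settings.CONFIG['itemKeys'])` returns a list under Python 2 (which the `basestring` checks imply), so `k.get('type')` on the next line raises AttributeError for every key that is present in `itemKeys`; only keys missing from the config get past it, which is the opposite of the intent. The `elif isinstance(data[key], basestring)` and `else` branches are identical, so non-string values (lists, numbers) are also handed to `ox.escape_html`, whose behaviour on non-strings is not visible here. The enclosing method starts before this hunk; the rewritten branch below takes the first matching key definition, escapes string list elements individually and passes other scalars through, which should be confirmed against what the callers send.
```python
                k = [i for i in settings.CONFIG['itemKeys'] if i['id'] == key]
                if k and k[0].get('type') == 'text':
                    self.data[key] = ox.parse_html(data[key])
                elif isinstance(data[key], basestring):
                    self.data[key] = ox.escape_html(data[key])
                elif isinstance(data[key], list):
                    # escape each string element; non-string elements are kept as sent
                    self.data[key] = [ox.escape_html(v) if isinstance(v, basestring) else v
                                      for v in data[key]]
                else:
                    self.data[key] = data[key]
```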
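Review bot: `item.level = int(data['rightslevel'])` raises ValueError or TypeError on a non-numeric value, which leaves `edit` as an unhandled exception (a 500) instead of a rejected request, and no range check follows the conversion. The neighbouring `notes` assignment is gated on `capability('canEditMetadata')` while `rightslevel` is not; that may be checked earlier in `edit`, which begins before this hunk, but it is worth confirming. Rejecting the value explicitly keeps the failure a client error; if later code in `edit` must still run, set `response` instead of returning early.
```python
        if 'rightslevel' in data:
            try:
                item.level = int(data['rightslevel'])
            except (TypeError, ValueError):
                return json_response(status=400, text='invalid rightslevel')
            del data['rightslevel']
```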
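Review bot: In addList only `description` is sanitized while the adjacent context lines `list.view = data['view']` and the `sort` branch below it assign client values unchanged, and in the editList hunk that follows `list.name = name` stores the submitted name raw, whereas the event and place views in this same patch escape names before saving. `view` and `sort` may be restricted by the model or validated earlier in addList, which begins before this hunk, so that part is a question rather than a defect; the unescaped name in editList is the inconsistency to fix, e.g. `name = ox.escape_html(data['name'])` before the `' (%d)' % num` suffix is appended. A short comment on the `description` line, `# description is rich text: parse as an HTML fragment, do not escape`, would explain why it is treated differently from `name`.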
@@ -356,7 +358,7 @@ def editList(request): name = data['name'] + ' (%d)' % num list.name = name elif key == 'description': - list.description = data['description'] + list.description = ox.parse_html(data['description']) if 'position' in data: pos, created = models.Position.objects.get_or_create(list=list, user=request.user) diff --git a/pandora/place/views.py b/pandora/place/views.py index 08387117..8f82d2f5 100644 --- a/pandora/place/views.py +++ b/pandora/place/views.py @@ -50,13 +50,16 @@ def addPlace(request): if _exists: name = 'Untitled [%s]' %n n += 1 - names = [name] + data.get('alternativeNames', []) - for name in names: + data['alternativveNames'] = [ox.escape_html(n) + for n in data.get('alternativeNames', [])] + name = ox.escape_html(name) + for n in names: + n = ox.decodeHtml(name) if models.Place.objects.filter(defined=True, - name_find__icontains=u'|%s|'%name).count() != 0: + name_find__icontains=u'|%s|'%n).count() != 0: exists = True - existing_names.append(name) + existing_names.append(n) ''' if 'geoname' in data: if models.Place.objects.filter(defined=True, @@ -104,15 +107,17 @@ def editPlace(request): names = data.get('name', []) if isinstance(names, basestring): names = [names] + names = [ox.escape_html(n) for n in names] + alternative_names = [ox.escape_html(n) for n in data.get('alternativeNames', [])] + alternative_names = filter(lambda n: n.strip(), alternative_names) if place.editable(request.user): conflict = False conflict_names = [] conflict_geoname = '' - alternative_names = data.get('alternativeNames', []) if alternative_names: - alternative_names = filter(lambda n: n.strip(), alternative_names) data['alternativeNames'] = alternative_names for name in names + alternative_names: + name = ox.decodeHtml(name) if models.Place.objects.filter(defined=True, name_find__icontains=u'|%s|'%name).exclude(id=place.id).count() != 0: conflict = True 
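Review bot: In addPlace the key is misspelled, `data['alternativveNames']` (double v), so the escaped list is stored under a key nothing reads and `data['alternativeNames']` keeps the raw input; the removed line `names = [name] + data.get('alternativeNames', [])` has no replacement, so `for n in names:` refers to a name that this hunk no longer binds (a NameError unless an earlier `names` exists above the hunk); and `n = ox.decodeHtml(name)` decodes `name` rather than `n`, so every iteration tests the same string and rebinds the `n` counter that the `'Untitled [%s]' %n` context line uses. addPlace begins before this hunk, so the rewrite below keeps the hunk's own variables and only fixes the three points; the comparison of a decoded name against `name_find` assumes `name_find` holds decoded names, which should be confirmed.
```python
    alternative_names = [ox.escape_html(alt)
                         for alt in data.get('alternativeNames', [])]
    data['alternativeNames'] = alternative_names
    name = ox.escape_html(name)
    names = [name] + alternative_names
    for candidate in names:
        candidate = ox.decodeHtml(candidate)
        if models.Place.objects.filter(defined=True,
            name_find__icontains=u'|%s|'%candidate).count() != 0:
            exists = True
            existing_names.append(candidate)
```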
@@ -129,6 +134,8 @@ def editPlace(request): for key in data: if key != 'id': value = data[key] + if isinstance(value, basestring): + value = ox.escape_html(value) if isinstance(value, list): value = tuple(value) setattr(place, key, value)
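Review bot: In the `for key in data` loop a list value is converted with `tuple(value)` without escaping its elements, so when `name` arrives as a list, which the earlier editPlace hunk explicitly supports via `names = [names]`, its raw elements reach `setattr(place, 'name', ...)` unescaped; `alternativeNames` is covered only because that earlier hunk replaced `data['alternativeNames']` with escaped strings, and only when the filtered list is non-empty. Escaping list elements in this loop removes the dependence on the earlier rewrite: `if isinstance(value, list): value = tuple(ox.escape_html(v) if isinstance(v, basestring) else v for v in value)`. The loop also calls `setattr(place, key, value)` for every key the client sends other than `id`, so any model attribute can be set from the request; that predates this commit, but an allowlist of editable fields would be the natural next round of this sanitization work. editPlace begins before this hunk.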