first round of input sanitization

2012-02-21 21:56:06 +05:30 · 2012-02-21 21:56:06 +05:30 · 67bc4475e9
commit 67bc4475e9
parent b62b58a967
7 changed files with 44 additions and 28 deletions
--- a/pandora/item/models.py
+++ b/pandora/item/models.py
@ -226,14 +226,20 @@ class Item(models.Model):
                if not description:
                    description = ''
                d, created = Description.objects.get_or_create(key=k, value=value)
-                d.description = description
+                d.description = ox.parse_html(description)
                d.save()
        for key in data:
            if data[key] == None:
                if key in self.data:
                    del self.data[key]
            else:
-                self.data[key] = data[key]
+                k = filter(lambda i: i['id'] == key, settings.CONFIG['itemKeys'])
+                if k and k.get('type') == 'text': 
+                    self.data[key] = ox.parse_html(data[key])
+                elif isinstance(data[key], basestring):
+                    self.data[key] = ox.escape_html(data[key])
+                else:
+                    self.data[key] = ox.escape_html(data[key])
        return self.save()

    def log(self):
--- a/pandora/item/views.py
+++ b/pandora/item/views.py
@ -433,10 +433,10 @@ def edit(request):
        response = json_response(status=200, text='ok')
        if 'notes' in data:
            if request.user.get_profile().capability('canEditMetadata'):
-                item.notes = data['notes']
+                item.notes = ox.parse_html(data['notes'])
            del data['notes']
        if 'rightslevel' in data:
-            item.level = data['rightslevel']
+            item.level = int(data['rightslevel'])
            del data['rightslevel']
        if 'user' in data:
            if request.user.get_profile().get_level() in ('admin', 'staff') and \