def _encodeUnicode(params):
index = 0
for i in params:
# params can be a list or a dictonary
# we need to define k depending if it is a list or a dictonary
# in order to be able to do such a operation: params[k] = something.
if isinstance(params, dict):
param = params[i]
k = i
else:
param = i
k = index # since we are looping a list, we need to increment the index to
index += 1 # get the correct 'k' in the next iteration.
if isinstance(param, str) and param != "":
params[k] = encodeUnicode(param)
if params[k] == "":
raise MaKaCError(_("Your browser is using an encoding which is not recognized by Indico... Please make sure you set your browser encoding to utf-8"))
elif isinstance(param, list) or isinstance(param, dict):
Sanitization._encodeUnicode(param)
def _encodeUnicode(params):
index = 0
for i in params:
# params can be a list or a dictonary
# we need to define k depending if it is a list or a dictonary
# in order to be able to do such a operation: params[k] = something.
if isinstance(params, dict):
param = params[i]
k = i
else:
param = i
k = index # since we are looping a list, we need to increment the index to
index += 1 # get the correct 'k' in the next iteration.
if isinstance(param, str) and param != "":
params[k] = encodeUnicode(param)
if params[k] == "":
raise MaKaCError(_("Your browser is using an encoding which is not recognized by Indico... Please make sure you set your browser encoding to utf-8"))
elif isinstance(param, list) or isinstance(param, dict):
Sanitization._encodeUnicode(param)
def sanitizationCheck(target, params, accessWrapper):
# first make sure all params are utf-8
for param in params.keys():
if isinstance(params[param], str) and params[param] != "":
params[param] = encodeUnicode(params[param])
if params[param] == "":
raise MaKaCError("Your browser is using an encoding which is not recognized by Indico... Please make sure you set your browser encoding to utf-8")
elif isinstance(params[param], list):
#the params is a list, check inside
for i in range(len(params[param])):
item = params[param][i]
if isinstance(item, str) and item != "":
params[param][i] = encodeUnicode(item)
if params[param][i] == "":
raise MaKaCError("Your browser is using an encoding which is not recognized by Indico... Please make sure you set your browser encoding to utf-8")
# then check the security level of data sent to the server
# if no user logged in, then no html allowed
if accessWrapper.getUser():
level = Config.getInstance().getSanitizationLevel()
elif target and hasattr(target, "canModify") and target.canModify(accessWrapper):
# not logged user, but use a modification key
level = Config.getInstance().getSanitizationLevel()
else:
level = 0
if level not in range(4):
level = 1
if level == 0:
#Escape all HTML tags
for param in params.keys():
if isinstance(params[param], str):
#the params is a string
params[param] = escape_html(params[param])
elif isinstance(params[param], list):
#the params is a list, check inside
for i in range(len(params[param])):
item = params[param][i]
if isinstance(item, str):
params[param][i] = escape_html(item)
# raise error if form or iframe tags are used
elif level == 1:
#level 1 or default
#raise error if script or style detected
ret = None
for param in params.keys():
if isinstance(params[param], str):
ret = scriptDetection(params[param])
if not restrictedHTML(params[param]):
raise htmlForbiddenTag(params[param])
elif isinstance(params[param], list):
for item in params[param]:
if isinstance(item, str):
ret = scriptDetection(item)
if ret:
raise htmlScriptError(item)
if not restrictedHTML(item):
raise htmlForbiddenTag(item)
if ret:
raise htmlScriptError(params[param])
elif level == 2:
#raise error if script but style accepted
ret = None
for param in params.keys():
if isinstance(params[param], str):
ret = scriptDetection(params[param], allowStyle=True)
if ret:
raise htmlScriptError(params[param])
ret = restrictedHTML(params[param])
if not ret:
raise htmlForbiddenTag(params[param])
elif isinstance(params[param], list):
for item in params[param]:
if isinstance(item, str):
ret = scriptDetection(item, allowStyle=True)
if ret:
raise htmlScriptError(item)
ret = restrictedHTML(item)
if not ret:
raise htmlForbiddenTag(item)
elif level == 3:
# Absolutely no checks
return
def escapeString(self, text):
tmp = encodeUnicode(text, self._sourceEncoding)
return saxutils.escape(tmp)
def escapeString(self,text):
tmp = encodeUnicode(text, self._sourceEncoding)
return saxutils.escape( tmp )
def sanitizationCheck(target, params, accessWrapper):
# first make sure all params are utf-8
for param in params.keys():
if isinstance(params[param], str) and params[param] != "":
params[param] = encodeUnicode(params[param])
if params[param] == "":
raise MaKaCError(
"Your browser is using an encoding which is not recognized by Indico... Please make sure you set your browser encoding to utf-8"
)
elif isinstance(params[param], list):
#the params is a list, check inside
for i in range(len(params[param])):
item = params[param][i]
if isinstance(item, str) and item != "":
params[param][i] = encodeUnicode(item)
if params[param][i] == "":
raise MaKaCError(
"Your browser is using an encoding which is not recognized by Indico... Please make sure you set your browser encoding to utf-8"
)
# then check the security level of data sent to the server
# if no user logged in, then no html allowed
if accessWrapper.getUser():
level = Config.getInstance().getSanitizationLevel()
elif target and hasattr(target,
"canModify") and target.canModify(accessWrapper):
# not logged user, but use a modification key
level = Config.getInstance().getSanitizationLevel()
else:
level = 0
if level not in range(4):
level = 1
if level == 0:
#Escape all HTML tags
for param in params.keys():
if isinstance(params[param], str):
#the params is a string
params[param] = escape_html(params[param])
elif isinstance(params[param], list):
#the params is a list, check inside
for i in range(len(params[param])):
item = params[param][i]
if isinstance(item, str):
params[param][i] = escape_html(item)
# raise error if form or iframe tags are used
elif level == 1:
#level 1 or default
#raise error if script or style detected
ret = None
for param in params.keys():
if isinstance(params[param], str):
ret = scriptDetection(params[param])
if not restrictedHTML(params[param]):
raise htmlForbiddenTag(params[param])
elif isinstance(params[param], list):
for item in params[param]:
if isinstance(item, str):
ret = scriptDetection(item)
if ret:
raise htmlScriptError(item)
if not restrictedHTML(item):
raise htmlForbiddenTag(item)
if ret:
raise htmlScriptError(params[param])
elif level == 2:
#raise error if script but style accepted
ret = None
for param in params.keys():
if isinstance(params[param], str):
ret = scriptDetection(params[param], allowStyle=True)
if ret:
raise htmlScriptError(params[param])
ret = restrictedHTML(params[param])
if not ret:
raise htmlForbiddenTag(params[param])
elif isinstance(params[param], list):
for item in params[param]:
if isinstance(item, str):
ret = scriptDetection(item, allowStyle=True)
if ret:
raise htmlScriptError(item)
ret = restrictedHTML(item)
if not ret:
raise htmlForbiddenTag(item)
elif level == 3:
# Absolutely no checks
return
def _lt(self, text):
return "\\n".join(encodeUnicode(text).splitlines())
def _lt(self, text):
return "\\n".join(encodeUnicode(text).splitlines())