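def send_twitter(room, token, limit=None):
	"""Push the tweets stored under the module-level ``timestamp`` to a chat room.

	Args:
		room: Room identifier handed through to ``send_message``.
		token: API token handed through to ``send_message``.
		limit: Maximum number of messages to send; ``None`` sends every row
			(``0`` sends nothing, as before).

	Reads ``../dbs/twitter.db`` relative to the working directory and relies on
	``timestamp``, ``send_message``, ``utils``, ``textwrap`` and ``sqlite3`` from
	the enclosing module. Scraped text is HTML-escaped before it is placed into
	the message markup; hrefs are escaped but their scheme is not checked.
	"""
	conn = sqlite3.connect('../dbs/twitter.db')
	try:
		cmd = "SELECT tweeter_name, tweeter_href, tweet_href, summary, display_pic FROM twitter WHERE timestamp = ?"
		# Single query, fetched once: the old double fetchone() consumed the first
		# row and raised TypeError (None[0]) when exactly one row matched.
		rows = conn.execute(cmd, (timestamp,)).fetchall()
	finally:
		conn.close()
	if not rows:
		print("No new records to push @ " + timestamp)
		return
	print(rows)
	sent = 0
	for row in rows:
		# Stop once the caller's limit is reached instead of looping on silently.
		if limit is not None and sent >= limit:
			break
		# textwrap.wrap() returns [] for an empty summary, which used to IndexError.
		wrapped = textwrap.wrap(utils.escape(row[3]), width=75)
		description = (wrapped[0] if wrapped else "") + " [...]"
		try:
			message = "<img src=\"{0}\"></img> &#8226; {1}<br> <a href=\"{2}\">{3}</a> &#8226; <a href=\"{4}\">Permalink</a>".format(
				"https://static.shubh.am/wsw/twitter_small.png", description.encode("utf-8"), utils.escape(row[1]).encode("utf-8"),
				utils.escape(row[0]).encode("utf-8"), utils.escape(row[2]).encode("utf-8"))
		except Exception:
			# Narrowed from a bare except so KeyboardInterrupt/SystemExit still
			# propagate; the fallback text keeps the feed running on bad encodings.
			message = "error in encoding"
		print(message)
		send_message(room, message, "green", token)
		sent += 1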
def topic_browser_tree(tree, level=0):
    """Render ``tree.children`` as nested ``<li>`` markup for the topic browser.

    ``level`` is the nesting depth. The first sibling at each level carries the
    ``topline`` class (later siblings carry an empty class), non-leaf entries
    below level 0 additionally get ``sub``, and a level-2 list is wrapped in a
    ``mobile-only`` span. Ids and titles go through ``escape`` from the
    enclosing module.
    """
    parts = []
    css_class = "topline"
    for node in tree.children:
        anchor = "#%s" % escape(node.id)
        title = escape(node.title)
        if node.children:
            if level > 0:
                css_class += " sub"
            parts.append("<li class='%s'><a href='%s'>%s</a><ul>" % (css_class, anchor, title))
            parts.append(topic_browser_tree(node, level=level + 1))
            parts.append("</ul></li>")
        elif level == 0:
            parts.append("<li class='solo'><a href='%s' class='menulink'>%s</a></li>" % (anchor, title))
        else:
            parts.append("<li class='%s'><a href='%s'>%s</a></li>" % (css_class, anchor, title))
        css_class = ""
    rendered = "".join(parts)
    if level == 2:
        rendered = "<span class='mobile-only'>%s</span>" % rendered
    return rendered
def do_xmlattr(_eval_ctx, d, autospace=True):
    """Create an SGML/XML attribute string from the items of a dict.

    Items whose value is ``none`` or ``undefined`` are dropped; every other key
    and value is escaped:

    .. sourcecode:: html+jinja

        <ul{{ {'class': 'my_list', 'missing': none,
                'id': 'list-%d'|format(variable)}|xmlattr }}>
        ...
        </ul>

    Results in something like this:

    .. sourcecode:: html

        <ul class="my_list" id="list-42">
        ...
        </ul>

    A space is prepended when the result is non-empty, unless ``autospace`` is
    false. The result is wrapped in ``Markup`` when the evaluation context
    autoescapes.
    """
    pairs = []
    for key, value in iteritems(d):
        if value is None or isinstance(value, Undefined):
            continue
        pairs.append(u'%s="%s"' % (escape(key), escape(value)))
    rv = u' '.join(pairs)
    if rv and autospace:
        rv = u' ' + rv
    return Markup(rv) if _eval_ctx.autoescape else rv
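def user_edit(request):
    """Update an existing user from the submitted edit form, then redirect.

    Reads ``user_id``, ``user_name``, ``user_password``, ``user_email`` and
    ``user_group_id`` from ``request.POST``. A missing name/email/group, or a
    missing or non-numeric id, redirects back to ``add_a_user`` instead of
    raising (``int(None)`` / ``int("abc")`` used to surface as a 500). The
    password is only re-hashed when a new one was supplied. Name and email are
    stored HTML-escaped (escape-on-input) -- presumably the templates render
    them as-is; verify before changing that.

    NOTE(review): ``hashers.make_password`` is called with the site-wide
    ``settings.SALT``, so every user shares one salt; confirm whether the login
    path recomputes the hash with that salt before switching to a per-user one.
    NOTE(review): no permission check is visible here; confirm the caller
    restricts who may edit users.
    """
    user_id = request.POST.get("user_id")
    user_name = request.POST.get("user_name")
    user_password = request.POST.get("user_password")
    user_email = request.POST.get("user_email")
    user_group_id = request.POST.get("user_group_id")
    if not user_name or not user_email or not user_group_id:
        return redirect("add_a_user")
    try:
        user_id = int(user_id)
        user_group_id = int(user_group_id)
    except (TypeError, ValueError):
        return redirect("add_a_user")
    update_dict = {
        "name": utils.escape(user_name),
        "email": utils.escape(user_email),
        "user_group_id": user_group_id,
    }
    if user_password:
        update_dict["password"] = hashers.make_password(password=user_password,
                                                        salt=settings.SALT)
    User.objects.filter(id=user_id).update(**update_dict)
    return redirect("add_a_user")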
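def register():
    """Flask view: create a ``User`` row from the JSON body of a POST.

    Expects JSON keys ``name``, ``email`` and ``pass`` and returns a plain-text
    status message for each outcome. The raw password is now checked for
    emptiness before hashing (a hash is never empty, so the old check could
    never reject an empty password). The duplicate-name lookup is executed
    with a bound parameter like the INSERT; the page shows the original
    username value redacted (``'******'``), and binding the submitted ``name``
    is the assumed intent -- confirm against the real source. Non-POST
    requests still return ``None``.

    NOTE(review): the select-then-insert pair is a race; a UNIQUE constraint on
    ``User.username`` is the reliable guard.
    """
    from flask import request
    if request.method == 'POST':
        name = str(utils.escape(request.json['name']))
        email = str(utils.escape(request.json['email']))
        raw_password = request.json['pass']
        if not (name and email and raw_password):
            return "空のフィールドが存在します"
        if not email_validator(email):
            return "正しいメールアドレスではありません"
        password = pbkdf2_sha256.hash(raw_password)
        conn = mysql.connect()
        try:
            cursor = conn.cursor()
            cursor.execute("SELECT * FROM User WHERE username = %s", [name])
            if cursor.fetchone() is not None:
                return "すでに同じユーザーネームのユーザーが存在します"
            cursor.execute(
                'INSERT INTO User(username,email,password) VALUES(%s,%s,%s)',
                [name, email, password])
            conn.commit()
            return "登録できました!"
        finally:
            # Release the connection on every path, including the early returns.
            conn.close()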
def topic_browser_tree(tree, level=0):
    """Render ``tree.children`` as nested ``<li>`` markup for the topic browser.

    Children with no Topic/Video/Url descendants are skipped. A child counts as
    a leaf when it has no children or is one of ``Topic._super_topic_ids``;
    the ``new-and-noteworthy`` leaf is dropped and two California Standards
    Test leaves are remapped to fixed ids (this mutates ``child.id`` in
    place). Leaves render as links to ``#<slug>``; branches recurse one level
    deeper and get the ``sub`` class below level 0. The first sibling at each
    level carries ``topline``. ``escape``, ``slugify`` and ``topic_models``
    come from the enclosing module.
    """
    chunks = []
    css_class = "topline"
    for node in tree.children:
        if not node.has_children_of_type(["Topic", "Video", "Url"]):
            continue

        is_leaf = not node.children or node.id in topic_models.Topic._super_topic_ids
        if is_leaf:
            if node.id == "new-and-noteworthy":
                continue
            if node.standalone_title == "California Standards Test: Algebra I" and node.id != "algebra-i":
                node.id = "algebra-i"
            elif node.standalone_title == "California Standards Test: Geometry" and node.id != "geometry-2":
                node.id = "geometry-2"

            anchor = "#%s" % escape(slugify(node.id))
            title = escape(node.title)
            if level == 0:
                chunks.append("<li class='solo'><a href='%s' data-tag='TopicBrowser' class='menulink'>%s</a></li>" % (anchor, title))
            else:
                chunks.append("<li class='%s'><a href='%s' data-tag='TopicBrowser'>%s</a></li>" % (css_class, anchor, title))
        else:
            if level > 0:
                css_class += " sub"
            title = escape(node.title)
            nested = topic_browser_tree(node, level=level + 1)
            chunks.append("<li class='%s'>%s <ul>%s</ul></li>" % (css_class, title, nested))

        css_class = ""

    return "".join(chunks)
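def send_fulldisclosure(room, token, limit=None):
	"""Push the Full Disclosure posts stored under the module-level ``timestamp``.

	Args:
		room: Room identifier handed through to ``send_message``.
		token: API token handed through to ``send_message``.
		limit: Maximum number of messages to send; ``None`` sends every row
			(``0`` sends nothing, as before).

	Reads ``../dbs/fulldisclosure.db`` relative to the working directory and
	relies on ``timestamp``, ``send_message``, ``utils``, ``textwrap`` and
	``sqlite3`` from the enclosing module. Scraped text is HTML-escaped before
	it is placed into the message markup; the link is escaped but its scheme is
	not checked.
	"""
	conn = sqlite3.connect('../dbs/fulldisclosure.db')
	try:
		cmd = "SELECT title, link, date, description FROM fulldisclosure WHERE timestamp = ?"
		# Single query, fetched once: the old double fetchone() consumed the first
		# row and raised TypeError (None[0]) when exactly one row matched.
		rows = conn.execute(cmd, (timestamp,)).fetchall()
	finally:
		conn.close()
	if not rows:
		print("No new records to push @ " + timestamp)
		return
	print(rows)
	sent = 0
	for row in rows:
		# Stop once the caller's limit is reached instead of looping on silently.
		if limit is not None and sent >= limit:
			break
		# textwrap.wrap() returns [] for an empty description, which used to IndexError.
		wrapped = textwrap.wrap(utils.escape(row[3]), width=25)
		description = (wrapped[0] if wrapped else "") + " [...]"
		try:
			message = "<img src=\"{0}\"></img> New Mail: <a href=\"{1}\">{2}</a> &#8226; Posted on {3}: {4}".format(
				"https://static.shubh.am/wsw/seclists_small.png", str(utils.escape(row[1])), str(utils.escape(row[0])), row[2], description)
		except Exception:
			# Narrowed from a bare except so KeyboardInterrupt/SystemExit still propagate.
			message = "error in encoding"
		print(message)
		send_message(room, message, "purple", token)
		sent += 1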
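def update(request):
    """Django view: update a ``Film``'s name/year/description from POST data.

    Only fields that were sent non-empty are changed; the stored values are
    returned as JSON. A missing or unknown ``film`` id now yields a 404 JSON
    error instead of an unhandled ``DoesNotExist``/``ValueError``, and absent
    text fields default to "" so they are skipped (previously ``escape(None)``
    was evaluated and, depending on the ``utils`` helper, could store the
    literal text "None"). Non-POST requests get the same "nothing has
    happened" body as before.
    """
    import json
    if request.method != 'POST':
        return HttpResponse(json.dumps({"result": "nothing has happened"}),
                            content_type="application/json")

    try:
        film = Film.objects.get(pk=request.POST.get('film'))
    except (Film.DoesNotExist, ValueError, TypeError):
        # pk=None -> DoesNotExist; a non-numeric pk raises during the lookup.
        return HttpResponse(json.dumps({"result": "film not found"}),
                            content_type="application/json", status=404)

    name = str(utils.escape(request.POST.get('name', '')))
    year = str(utils.escape(request.POST.get('year', '')))
    discript = str(utils.escape(request.POST.get('discription', '')))

    if name:
        film.f_name = name
    if year:
        film.f_year_creation = year
    if discript:
        film.f_discription = discript
    film.save()

    response_data = {
        'name': film.f_name,
        'year': film.f_year_creation,
        'discription': film.f_discription,
    }
    return HttpResponse(json.dumps(response_data),
                        content_type="application/json")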
def format_message_explicit_emotes(message, emotes, size="1.0"):
	"""Render a chat ``message`` as Markup with Twitch emote ranges replaced by <img> tags.

	``emotes`` is the raw tag value
	``<emoteid>:<start>-<end>[,<start>-<end>,...][/<emoteid>:...]``, e.g.
	``123:0-2/456:3-6,7-10``: chars 0-2 (inclusive, 0-based) are emote 123 and
	chars 3-6 and 7-10 are two copies of emote 456. An empty/None value just
	urlizes the message. Text outside emote ranges is urlized with links
	opening in a new tab; the emote text and the image URL are escaped.
	``Markup``, ``urlize`` and ``escape`` come from the enclosing module.
	"""
	def linkify(text):
		return urlize(text).replace('<a ', '<a target="_blank" ')

	if not emotes:
		return Markup(linkify(message))

	spans = []
	for chunk in emotes.split('/'):
		raw_id, raw_positions = chunk.split(':')
		emote_id = int(raw_id)
		for raw_range in raw_positions.split(','):
			first, last = raw_range.split('-')
			# Twitch gives inclusive end offsets; keep an exclusive end for slicing.
			spans.append((int(first), int(last) + 1, emote_id))
	spans.sort(key=lambda span: span[0])

	pieces = []
	cursor = 0
	for first, stop, emote_id in spans:
		if cursor < first:
			pieces.append(linkify(message[cursor:first]))
		image_url = escape("http://static-cdn.jtvnw.net/emoticons/v1/%d/%s" % (emote_id, size))
		emote_text = escape(message[first:stop])
		pieces.append('<img src="%s" alt="%s" title="%s">' % (image_url, emote_text, emote_text))
		cursor = stop
	if cursor < len(message):
		pieces.append(linkify(message[cursor:]))
	return Markup(''.join(pieces))
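def send_stackoverflow(room, token, limit=None):
	"""Push the Stack Overflow questions stored under the module-level ``timestamp``.

	Args:
		room: Room identifier handed through to ``send_message``.
		token: API token handed through to ``send_message``.
		limit: Maximum number of messages to send; ``None`` sends every row
			(``0`` sends nothing, as before).

	Reads ``../dbs/stackoverflow.db`` relative to the working directory and
	relies on ``timestamp``, ``send_message``, ``utils`` and ``sqlite3`` from
	the enclosing module. The message shows link, title, answer count and date;
	the ``summary`` column is selected but not rendered (the old wrapped
	description was computed and never used, and crashed on an empty summary).
	Scraped text is HTML-escaped before it is placed into the message markup;
	the link is escaped but its scheme is not checked.
	"""
	conn = sqlite3.connect('../dbs/stackoverflow.db')
	try:
		cmd = "SELECT title, link, answers, date, summary FROM stackoverflow WHERE timestamp = ?"
		# Single query, fetched once: the old double fetchone() consumed the first
		# row and raised TypeError (None[0]) when exactly one row matched.
		rows = conn.execute(cmd, (timestamp,)).fetchall()
	finally:
		conn.close()
	if not rows:
		print("No new records to push @ " + timestamp)
		return
	print(rows)
	sent = 0
	for row in rows:
		# Stop once the caller's limit is reached instead of looping on silently.
		if limit is not None and sent >= limit:
			break
		try:
			message = "<img src=\"{0}\"></img> <a href=\"{1}\">{2}</a><br> {3} answers &#8226; {4}".format(
				"https://static.shubh.am/wsw/stackoverflow_small.png", utils.escape(row[1]).encode("utf-8"), utils.escape(row[0]).encode("utf-8"),
				utils.escape(row[2]).encode("utf-8"), utils.escape(row[3]).encode("utf-8"))
		except Exception:
			# Narrowed from a bare except so KeyboardInterrupt/SystemExit still propagate.
			message = "error in encoding"
		print(message)
		send_message(room, message, "red", token)
		sent += 1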
def label_badge(label, cls="", remove_from_ticket=None):
    """Render ``label`` as a coloured badge and return it as Markup.

    ``cls`` adds extra CSS classes. When ``remove_from_ticket`` is given, a
    POST form carrying ``csrf_token()`` and a remove button is appended so the
    label can be detached from that ticket. The label name, colours and class
    are escaped; the search/remove URLs come from ``urls`` and the
    ``csrf_token()`` / ``icon()`` fragments are inserted as returned.

    NOTE(review): ``escape()`` neutralises quotes and angle brackets in the
    inline ``style`` but does not validate CSS syntax; the colour values are
    assumed to be validated where labels are created -- confirm.
    """
    badge_text = escape(label.name)
    css = escape(f"label {cls}".strip())
    inline_style = f"color: {escape(label.text_color)}; background-color: {escape(label.color)}"
    search_url = urls.label_search_url(label)

    remove_form = ""
    if remove_from_ticket:
        remove_url = urls.label_remove_url(label, remove_from_ticket)
        remove_form = f"""
            <form method="POST" action="{remove_url}">
              {csrf_token()}
              <button type="submit" class="btn btn-link">
                {icon('times')}
              </button>
            </form>
        """

    markup = f"""<span style="{inline_style}" class="{css}" href="{search_url}">
            <a href="{search_url}">{badge_text}</a>
            {remove_form}
        </span>"""
    return Markup(markup)
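def send_hackerone_hacktivity(room, token, limit=None):
	"""Push the HackerOne hacktivity rows stored under the module-level ``timestamp``.

	Args:
		room: Room identifier handed through to ``send_message``.
		token: API token handed through to ``send_message``.
		limit: Maximum number of messages to send; ``None`` sends every row
			(``0`` sends nothing, as before).

	Reads ``../dbs/hackerone_hacktivity.db`` relative to the working directory
	and relies on ``timestamp``, ``send_message``, ``utils`` and ``sqlite3``
	from the enclosing module. Scraped text is HTML-escaped before it is placed
	into the message markup; hrefs are escaped but their scheme is not checked.
	"""
	conn = sqlite3.connect('../dbs/hackerone_hacktivity.db')
	try:
		cmd = "SELECT company, company_href, hunter, hunter_href, bounty, time_ago FROM hacktivity WHERE timestamp = ?"
		# Single query, fetched once: the old double fetchone() consumed the first
		# row and raised TypeError (None[0]) when exactly one row matched.
		rows = conn.execute(cmd, (timestamp,)).fetchall()
	finally:
		conn.close()
	if not rows:
		print("No new records to push @ " + timestamp)
		return
	print(rows)
	sent = 0
	for row in rows:
		# Stop once the caller's limit is reached instead of looping on silently.
		if limit is not None and sent >= limit:
			break
		try:
			message = "<img src=\"{0}\"></img> <a href=\"{1}\">{2}</a> rewarded <a href=\"{3}\">{4}</a> with a {5} bounty. ({6})".format(
				"https://static.shubh.am/wsw/hackerone_small.png", str(utils.escape(row[1])), str(utils.escape(row[0])), str(utils.escape(row[3])),
				str(utils.escape(row[2])), str(utils.escape(row[4])), str(utils.escape(row[5])))
		except Exception:
			# Narrowed from a bare except so KeyboardInterrupt/SystemExit still propagate.
			message = "error in encoding"
		print(message)
		send_message(room, message, "gray", token)
		sent += 1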
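def send_netsec(room, token, limit=None):
	"""Push the /r/netsec posts stored under the module-level ``timestamp``.

	Args:
		room: Room identifier handed through to ``send_message``.
		token: API token handed through to ``send_message``.
		limit: Maximum number of messages to send; ``None`` sends every row
			(``0`` sends nothing, as before).

	Reads ``../dbs/netsec.db`` relative to the working directory and relies on
	``timestamp``, ``send_message``, ``utils`` and ``sqlite3`` from the
	enclosing module. Scraped text is HTML-escaped before it is placed into the
	message markup; hrefs are escaped but their scheme is not checked, and the
	``domain`` column is turned into a link by prefixing ``http://``.
	"""
	conn = sqlite3.connect('../dbs/netsec.db')
	try:
		cmd = "SELECT name, href, author, author_href, rep, comment_count, comment_href, domain FROM posts WHERE timestamp = ?"
		# Single query, fetched once: the old double fetchone() consumed the first
		# row and raised TypeError (None[0]) when exactly one row matched.
		rows = conn.execute(cmd, (timestamp,)).fetchall()
	finally:
		conn.close()
	if not rows:
		print("No new records to push @ " + timestamp)
		return
	print(rows)
	sent = 0
	for row in rows:
		# Stop once the caller's limit is reached instead of looping on silently.
		if limit is not None and sent >= limit:
			break
		try:
			message = "<img src=\"{0}\"></img> <a href=\"{1}\">{2}</a> submitted by <a href=\"{3}\">{4}</a><br>{5} upvotes &#8226; <a href=\"{6}\">{7}</a> &#8226; <a href=\"{8}\">{9}</a>.".format(
				"https://static.shubh.am/wsw/reddit_small.png", utils.escape(row[1]).encode("utf-8"), utils.escape(row[0]).encode("utf-8"), utils.escape(row[3]).encode("utf-8"),
				utils.escape(row[2]).encode("utf-8"), utils.escape(row[4]).encode("utf-8"), utils.escape(row[6]).encode("utf-8"), utils.escape(row[5]).encode("utf-8"), "http://" + utils.escape(row[7]).encode("utf-8"), utils.escape(row[7]).encode("utf-8"))
		except Exception:
			# Narrowed from a bare except so KeyboardInterrupt/SystemExit still propagate.
			message = "error in encoding"
		print(message)
		send_message(room, message, "green", token)
		sent += 1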
def do_xmlattr(_eval_ctx, d, autospace=True):
    """Jinja2 ``xmlattr`` filter: render ``d`` as ``key="value"`` pairs.

    Items whose value is ``None`` or ``Undefined`` are dropped; keys and
    values are escaped. A leading space is prepended when ``autospace`` is set
    and the result is non-empty; the result is wrapped in ``Markup`` when the
    evaluation context autoescapes.
    """
    kept = ((key, value) for key, value in d.iteritems()
            if value is not None and not isinstance(value, Undefined))
    rv = u' '.join(u'%s="%s"' % (escape(key), escape(value)) for key, value in kept)
    if rv and autospace:
        rv = u' ' + rv
    return Markup(rv) if _eval_ctx.autoescape else rv
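def employee_attandance_save_viewlist_json(request):
    """Return the rows of a previously uploaded attendance CSV as grid JSON.

    ``filepath`` (GET) must be a canonical relative path under
    ``<app_label>/files/`` ending in ``.csv``; anything else yields an empty
    table (or a single placeholder row when no path was given). The first CSV
    line carries the standard time as ``<label>,HH:MM``, the second the
    header, the rest one employee per line. Parse errors are logged and
    reported as one placeholder row after whatever was parsed so far.
    """
    import posixpath

    placeholder_row = {"employee_id": "-", "employee_name": "-", "employee_gender": "-",
                       "employee_position": "-", "is_late": "-", "checktime": "-", "standardtime": "-"}
    attandance_data_filepath = request.GET.get("filepath")
    attandance_list = {"total": 0, "rows": []}
    files_dir = Employee._meta.app_label + "/files/"
    if not attandance_data_filepath:
        attandance_list["total"] = 1
        attandance_list["rows"].append(dict(placeholder_row))
    elif (attandance_data_filepath.startswith(files_dir)
          and attandance_data_filepath.endswith(".csv")
          # The prefix check alone lets "../" segments (or backslashes on
          # Windows) escape the upload directory; accept only paths that are
          # already in normal form.
          and posixpath.normpath(attandance_data_filepath) == attandance_data_filepath
          and "\\" not in attandance_data_filepath):
        try:
            with open(attandance_data_filepath, encoding='UTF-8') as file_h:
                standard_time_line = file_h.readline()
                file_h.readline()  # heading line, not rendered
                # Escaped once here; it used to be escaped again per row.
                standard_time = utils.escape(standard_time_line.split(",")[1])
                for data_line in file_h:
                    attandance_list["total"] += 1
                    attandance_item = data_line.strip().split(",")
                    attandance_list["rows"].append(
                        {"employee_id": int(attandance_item[0]), "employee_name": utils.escape(attandance_item[1]),
                         "employee_gender": utils.escape(attandance_item[2]), "employee_position": utils.escape(attandance_item[3]),
                         "is_late": utils.escape(attandance_item[4]), "checktime": attandance_item[5], "standardtime": standard_time})
        except Exception as e:
            logger.error(e)
            error_row = dict(placeholder_row)
            error_row["employee_name"] = "文件处理出错"
            attandance_list["rows"].append(error_row)
    # "; charset=..." is the media-type parameter syntax; the old comma form was malformed.
    return HttpResponse(json.dumps(attandance_list, ensure_ascii=False), content_type="application/json; charset=utf-8")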
def topic_browser_tree(tree, level=0):
    """Recursively render ``tree.children`` as a nested <li>/<ul> topic menu.

    Leaves become single links (class ``solo`` at the top level, otherwise the
    running class, which is ``topline`` for the first sibling and empty after
    that); branches get ``sub`` appended below level 0 and recurse one level
    deeper. At level 2 the whole list is wrapped in a ``mobile-only`` span.
    Ids and titles are passed through ``escape`` from the enclosing module.
    """
    html = ""
    current_class = "topline"
    for index, child in enumerate(tree.children):
        if index:
            current_class = ""
        link = "#%s" % escape(child.id)
        label = escape(child.title)
        if child.children:
            if level > 0:
                current_class += " sub"
            inner = topic_browser_tree(child, level=level + 1)
            html += "<li class='%s'><a href='%s'>%s</a><ul>%s</ul></li>" % (current_class, link, label, inner)
        elif level == 0:
            html += "<li class='solo'><a href='%s' class='menulink'>%s</a></li>" % (link, label)
        else:
            html += "<li class='%s'><a href='%s'>%s</a></li>" % (current_class, link, label)

    if level == 2:
        return "<span class='mobile-only'>%s</span>" % html
    return html
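 def _url_args(d, append=u'?', filter=()):
     """Build a query-string suffix from the items of ``d``.

     ``append`` is emitted first (default ``?``); keys listed in ``filter``
     and items whose value is ``None`` are skipped. Keys and values are
     HTML-escaped via ``jinja2.utils.escape``, not percent-encoded, so the
     result is meant for insertion into HTML, not for use as a raw URL.
     ``filter`` now defaults to an immutable tuple rather than a shared
     mutable list; callers may still pass any container.
     """
     from jinja2.utils import escape
     pairs = (u'%s=%s' % (escape(key), escape(value))
              for key, value in d.iteritems(True)
              if value is not None and key not in filter)
     return append + u'&'.join(pairs)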
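def employee_attandance(request):
    """Upload view for the attendance CSV.

    On POST the uploaded ``upload_file`` is written to
    ``<app_label>/files/attandance-<uuid>.csv`` -- now a random ``uuid4``
    name; ``uuid1`` embedded the host's MAC address and a timestamp and was
    predictable -- validated line by line with ``check_file``, and deleted
    again when validation fails. The template receives escaped
    ``error_msg``/``ok_msg`` (also accepted via GET) and, for a valid upload,
    grid/save URLs carrying the stored path as ``filepath``.
    """
    def check_file(file_h):
        """Validate the CSV layout; return "" when fine, else a (Chinese) message."""
        try:
            # Line 1: "<label>,HH:MM"
            standard_fields = file_h.readline().split(",")
            if len(standard_fields) != 2 or len(standard_fields[1].split(":")) != 2:
                raise Exception("基准时间行格式错误")
            # Line 2: six column headings
            heading_line = file_h.readline()
            if len(heading_line.split(",")) != 6:
                raise Exception("表头格式错误")
            data_line = file_h.readline()
            if not data_line:
                raise EOFError()
            line_no = 3
            while data_line:
                data_item = data_line.strip().split(",")
                if len(data_item) != 6:
                    raise Exception("数据行%s格式错误" % line_no)
                try:
                    time.strptime(data_item[5].strip(), "%Y-%m-%d %H:%M:%S")
                except Exception:
                    raise Exception("数据行%s日期格式错误: %s" % (line_no, data_item[5]))
                data_line = file_h.readline()
                line_no += 1
        except EOFError:
            return "数据缺失"
        except Exception as e:
            return str(e)
        return ""

    context = {}
    error_msg = request.GET.get("error_msg")
    ok_msg = request.GET.get("ok_msg")
    filename = ""
    if request.method == 'POST':
        file_handler = request.FILES.get('upload_file')
        if file_handler:
            filename = Employee._meta.app_label + '/files/attandance-%s.csv' % uuid.uuid4()
            with open(filename, 'wb') as destination:
                for chunk in file_handler.chunks():
                    destination.write(chunk)
            with open(filename, 'r', encoding='UTF-8') as f:
                error_msg = check_file(f)
            if error_msg:
                # Do not keep rejected uploads around.
                os.remove(filename)
        else:
            error_msg = "提交文件不能为空"
    if error_msg:
        context["error_msg"] = utils.escape(error_msg)
    if ok_msg:
        context["ok_msg"] = utils.escape(ok_msg)
    if filename and not error_msg:
        context["grid_url"] = reverse("employee_attandance_save_viewlist_json") + "?filepath=" + filename
        context["save_btn_redirect"] = reverse("employee_attandance_save") + "?filepath=" + filename
    else:
        context["grid_url"] = reverse("employee_attandance_save_viewlist_json")
        context["save_btn_redirect"] = "not-allowed"
    return render(request, "employee_attandance.html", context)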
def do_xmlattr(_eval_ctx, d, autospace=True):
    """Jinja2 ``xmlattr`` filter: turn the items of ``d`` into an attribute string.

    Items whose value is ``None`` or ``Undefined`` are skipped; keys and
    values are escaped and joined as ``key="value"`` pairs. When
    ``autospace`` is set and something was produced, a single space is
    prepended. The string is returned as ``Markup`` if the evaluation
    context autoescapes, otherwise as plain text.
    """
    rendered = []
    for key, value in d.iteritems():
        if value is None or isinstance(value, Undefined):
            continue
        rendered.append(u'%s="%s"' % (escape(key), escape(value)))
    rv = u' '.join(rendered)
    if autospace and rv:
        rv = u' ' + rv
    if _eval_ctx.autoescape:
        return Markup(rv)
    return rv
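 def _url_args(d, append=u'?', filter=()):
     """Build a query-string suffix from the items of ``d``.

     ``append`` is emitted first (default ``?``); keys listed in ``filter``
     and items whose value is ``None`` are skipped. Keys and values are
     HTML-escaped via ``jinja2.utils.escape``, not percent-encoded, so the
     result is meant for insertion into HTML, not for use as a raw URL.
     ``filter`` now defaults to an immutable tuple rather than a shared
     mutable list; callers may still pass any container.
     """
     from jinja2.utils import escape
     pairs = (u'%s=%s' % (escape(key), escape(value))
              for key, value in d.iteritems(True)
              if value is not None and key not in filter)
     return append + u'&'.join(pairs)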
def build_message_html(time, source, target, message, specialuser, usercolor,
                       emoteset, emotes, displayname):
    """Build the HTML for one chat line (a coroutine: it uses ``yield from``).

    Lines from ``config['notifyuser']`` become a bare ``notification`` div.
    Otherwise the line carries badges derived from ``specialuser`` (staff,
    admin, the broadcaster when ``#source`` equals ``target``, mod, turbo,
    subscriber), the coloured nick (``displayname``, or a lookup via
    ``get_display_name`` when empty), and the message: a ``.me``/``/me``
    action is wrapped in an ``action`` span, a cleared message is shown
    escaped rather than urlized, and anything else is rendered by
    ``format_message``. ``config``, ``escape``, ``get_display_name`` and
    ``format_message`` come from the enclosing module.
    """
    if source.lower() == config['notifyuser']:
        return '<div class="notification line" data-timestamp="%d">%s</div>' % (
            time.timestamp(), escape(message))

    is_action = message[:4].lower() in (".me ", "/me ")
    if is_action:
        message = message[4:]

    badges = [
        ('staff', 'staff' in specialuser),
        ('admin', 'admin' in specialuser),
        ('broadcaster', "#" + source.lower() == target.lower()),
        ('mod', 'mod' in specialuser),
        ('turbo', 'turbo' in specialuser),
        ('subscriber', 'subscriber' in specialuser),
    ]
    parts = ['<div class="line" data-timestamp="%d">' % time.timestamp()]
    parts.extend('<span class="badge %s"></span> ' % name for name, shown in badges if shown)

    color_attr = ' style="color:%s"' % escape(usercolor) if usercolor else ''
    nick = displayname or (yield from get_display_name(source))
    parts.append('<span class="nick"%s>%s</span>' % (color_attr, escape(nick)))

    if is_action:
        parts.append(' <span class="action"%s>' % color_attr)
    else:
        parts.append(": ")

    if 'cleared' in specialuser:
        parts.append('<span class="deleted">&lt;message deleted&gt;</span>')
        # escape() rather than urlize(): a deleted (spam) message must not carry
        # live links, neither for users to click nor for search engines to see.
        parts.append('<span class="message cleared">%s</span>' % escape(message))
    else:
        body = yield from format_message(message,
                                         emotes,
                                         emoteset,
                                         cheer='cheer' in specialuser)
        parts.append('<span class="message">%s</span>' % body)

    if is_action:
        parts.append('</span>')
    parts.append('</div>')
    return ''.join(parts)
def post(request):
    """Create a ``Message`` from POST ``body``/``author`` and return a JSON status.

    Both fields are HTML-escaped before they reach the model, so they are
    stored already escaped. On validation failure the response carries the
    model's ``errors`` plus ``status: FAILED``; on success the message is
    saved and ``status: SUCCESS`` is returned.
    """
    body_text = escape(request.POST.get('body', ''))
    author_text = escape(request.POST.get('author', ''))
    message = Message(body=body_text, author=author_text)
    if not message.is_valid():
        payload = dict(message.errors)
        payload['status'] = 'FAILED'
    else:
        message.save()
        payload = {'status': 'SUCCESS'}
    return Response(body=json.dumps(payload))
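def remove():
    """Flask view: delete the Task with the submitted ``title`` for the user.

    Reads ``name`` and ``title`` from the JSON body of a POST. The DELETE is
    now executed with bound parameters instead of string concatenation, which
    let a crafted ``title`` change the statement. The page shows the original
    username value redacted (``'******'``); binding the submitted ``name`` is
    the assumed intent -- confirm against the real source, and consider taking
    the username from the session rather than the request. Non-POST requests
    still return ``None``.
    """
    from flask import request
    if request.method == 'POST':
        name = str(utils.escape(request.json['name']))
        title = str(utils.escape(request.json['title']))
        conn = mysql.connect()
        try:
            cursor = conn.cursor()
            cursor.execute("DELETE FROM Task WHERE username = %s AND title = %s", [name, title])
            conn.commit()
        finally:
            conn.close()
        return "タスクは削除されました"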
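def generate_report(results):
    """Generates HTML report from test results in JSON format.

    ``results`` is the verification JSON: ``test_cases`` maps a test name to a
    dict with ``time``, ``status`` and optionally ``tags``, ``traceback`` and
    ``reason``; the top level carries the counters passed to the template.
    Output text is HTML-escaped. A skip reason matching ``SKIP_RE`` gets its
    bug number replaced by a Launchpad link; that branch now escapes the
    reason before substituting (it used to reach the template unescaped,
    unlike the other branches) and regex-escapes the bug number. The bug
    number is assumed to contain no HTML-special characters, so escaping
    leaves it intact for the substitution.
    """
    tests = []
    for i, name in enumerate(sorted(results["test_cases"])):
        test = results["test_cases"][name]
        if "tags" in test:
            name = "%(name)s [%(tags)s]" % {
                "name": name,
                "tags": ", ".join(test["tags"])
            }
        if "traceback" in test:
            output = utils.escape(test["traceback"])
        elif "reason" in test:
            output = utils.escape(test["reason"])
            matcher = SKIP_RE.match(test["reason"])
            if matcher:
                bug_number = matcher.group("bug_number")
                href = LAUNCHPAD_BUG_LINK.format(bug_number)
                output = re.sub(re.escape(bug_number), href, output)
        else:
            output = ""

        tests.append({
            "id": i,
            "time": test["time"],
            "name": name,
            "output": output,
            "status": test["status"]
        })

    elapsed = datetime.timedelta(seconds=round(float(results["time"])))
    template = ui_utils.get_template("verification/report.mako")
    return template.render(
        report={
            "tests": tests,
            "total": results["tests"],
            "time": "{0} ({1} s)".format(elapsed, results["time"]),
            "success": results["success"],
            "failures": results["failures"],
            "skipped": results["skipped"],
            "expected_failures": results["expected_failures"],
            "unexpected_success": results["unexpected_success"]
        })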
def build_message_html(time, source, target, message, specialuser, usercolor, emoteset, emotes, displayname):
	"""Build the HTML for one chat line (a coroutine: it uses ``yield from``).

	Lines from ``config['notifyuser']`` become a bare ``notification`` div.
	Otherwise the line carries badges derived from ``specialuser`` (staff,
	admin, the broadcaster when ``#source`` equals ``target``, mod, turbo,
	subscriber), the coloured nick (``displayname``, or a lookup via
	``get_display_name`` when empty), and the message: a ``.me``/``/me``
	action is wrapped in an ``action`` span, a cleared message is shown
	escaped rather than urlized, explicit ``emotes`` go through
	``format_message_explicit_emotes`` and anything else through
	``format_message`` with the filtered emote set. ``config``, ``escape``,
	``get_display_name``, ``get_filtered_emotes`` and the two formatters come
	from the enclosing module.
	"""
	if source.lower() == config['notifyuser']:
		return '<div class="notification line" data-timestamp="%d">%s</div>' % (time.timestamp(), escape(message))

	is_action = message[:4].lower() in (".me ", "/me ")
	if is_action:
		message = message[4:]

	html = ['<div class="line" data-timestamp="%d">' % time.timestamp()]
	for badge, shown in (
		('staff', 'staff' in specialuser),
		('admin', 'admin' in specialuser),
		('broadcaster', "#" + source.lower() == target.lower()),
		('mod', 'mod' in specialuser),
		('turbo', 'turbo' in specialuser),
		('subscriber', 'subscriber' in specialuser),
	):
		if shown:
			html.append('<span class="badge %s"></span> ' % badge)

	color_attr = ' style="color:%s"' % escape(usercolor) if usercolor else ''
	nick = displayname or (yield from get_display_name(source))
	html.append('<span class="nick"%s>%s</span>' % (color_attr, escape(nick)))
	html.append(' <span class="action"%s>' % color_attr if is_action else ": ")

	if 'cleared' in specialuser:
		html.append('<span class="deleted">&lt;message deleted&gt;</span>')
		# escape() rather than urlize(): a deleted (spam) message must not carry
		# live links, neither for users to click nor for search engines to see.
		html.append('<span class="message cleared">%s</span>' % escape(message))
	else:
		if emotes is not None:
			body = format_message_explicit_emotes(message, emotes)
		else:
			body = format_message(message, (yield from get_filtered_emotes(emoteset)))
		html.append('<span class="message">%s</span>' % body)

	if is_action:
		html.append('</span>')
	html.append('</div>')
	return ''.join(html)
def thumbnail_link_dict(video=None, exercise=None, thumb_url=None):
    """Describe a video or exercise as a thumbnail-link dict for the templates.

    ``exercise`` wins when both are given. The video entry links to
    ``/video/<readable_id>`` and pulls its thumbnails from ``models.Video``;
    the exercise entry uses ``thumb_url`` for both sizes and escapes the
    display name. ``teaser_html`` is cut to 60 characters plus an ellipsis
    entity (the video teaser is the raw ``description``, and the cut is by
    character, so it may land inside a tag). Returns None when neither
    argument is given.
    """
    entry = None

    if video:
        entry = {
            "href": "/video/%s" % video.readable_id,
            "thumb_urls": models.Video.youtube_thumbnail_urls(video.youtube_id),
            "title": video.title,
            "desc_html": templatetags.video_name_and_progress(video),
            "teaser_html": video.description,
            "youtube_id": video.youtube_id,
            "marquee": ("marquee" in video.keywords),
            "selected": False,
            "key": video.key(),
            "type": "video-thumb",
        }

    if exercise:
        display_name = escape(exercise.display_name)
        entry = {
            "href": exercise.relative_url,
            "thumb_urls": {"hq": thumb_url, "sd": thumb_url},
            "desc_html": display_name,
            "teaser_html": "Exercise your <em>%s</em> skills" % display_name,
            "youtube_id": "",
            "marquee": False,
            "selected": False,
            "key": exercise.key(),
            "type": "exercise-thumb",
        }

    if not entry:
        return None

    teaser = entry["teaser_html"]
    if len(teaser) > 60:
        entry["teaser_html"] = teaser[:60] + "&hellip;"
    return entry
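def update():
    """Flask view: set the ``status`` of the Task with the submitted ``title``.

    Reads ``name``, ``title`` and ``status`` from the JSON body of a POST. The
    UPDATE is now executed with bound parameters instead of string
    concatenation, which let a crafted ``status`` or ``title`` change the
    statement. The page shows the original username value redacted
    (``'******'``); binding the submitted ``name`` is the assumed intent --
    confirm against the real source, and consider taking the username from
    the session rather than the request. Non-POST requests still return
    ``None``.
    """
    from flask import request
    if request.method == 'POST':
        name = str(utils.escape(request.json['name']))
        title = str(utils.escape(request.json['title']))
        status = request.json["status"]
        conn = mysql.connect()
        try:
            cursor = conn.cursor()
            cursor.execute("UPDATE Task SET status = %s WHERE username = %s AND title = %s",
                           [status, name, title])
            conn.commit()
        finally:
            conn.close()
        return "タスクは完了しました"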
def group_add(request):
    """Create a ``UserGroup`` from POST ``group_name``/``group_remark`` and redirect.

    An empty name redirects to ``add_a_usergroup`` without creating anything;
    the remark is optional and stored as "" when absent. Both values are
    HTML-escaped before they are saved (escape-on-input).
    """
    raw_name = request.POST.get("group_name")
    raw_remark = request.POST.get("group_remark")
    if not raw_name:
        return redirect("add_a_usergroup")
    remark = utils.escape(raw_remark) if raw_remark else ""
    UserGroup(name=utils.escape(raw_name), remark=remark).save()
    return redirect("add_a_usergroup")
    def xmlattr(self, *ds, **kw):
        """Convert the (sorted) items of the merged dicts to an SGML/XML attribute string.

        Like jinja's ``xmlattr`` filter, but the attributes are emitted in key
        order so the output is deterministic. ``ds``/``kw`` are merged through
        ``self.filtered_dict``; keys and values are escaped. The result carries
        a leading space when non-empty and is "" otherwise.
        """
        from jinja2.utils import escape
        attrs = self.filtered_dict(*ds, **kw)
        ordered = sorted(pyk.iteritems(attrs), key=TFL.Getter[0])
        rendered = " ".join('%s="%s"' % (escape(k), escape(v)) for k, v in ordered)
        if not rendered:
            return ""
        return " " + rendered
    def xmlattr(self, *ds, **kw):
        """Render the merged dicts as a sorted SGML/XML attribute string.

        Mirrors jinja's ``xmlattr`` filter but sorts by attribute name so the
        output is deterministic. ``ds`` and ``kw`` are merged via
        ``self.filtered_dict``; every key and value is escaped. Returns
        ``" " + attributes`` when there is at least one, else "".
        """
        from jinja2.utils import escape
        merged = self.filtered_dict(*ds, **kw)
        pieces = []
        for name, value in sorted(pyk.iteritems(merged), key=TFL.Getter[0]):
            pieces.append('%s="%s"' % (escape(name), escape(value)))
        joined = " ".join(pieces)
        return (" " + joined) if joined else ""
def comment(pagename):
    """Handle an XHR comment post for *pagename* and return a JSON fragment.

    Non-XHR requests fall through and return ``None`` (the original view
    did the same).  XHR posts whose ``data`` field is empty or longer than
    500 characters get ``{"res": "error"}``.  Otherwise the comment text and
    icon URL are HTML-escaped with ``utils.escape`` before they are stored
    and rendered, and the rendered comment ``<div>`` is returned as
    ``{"res": <html>}``.

    NOTE(review): ``pagename`` and ``session["username"]`` are interpolated
    into the markup without escaping -- confirm the route constrains the
    page name and that usernames are validated at registration.
    ``request.is_xhr`` was removed from Werkzeug 1.0; this view relies on
    an older version.
    """
    if request.is_xhr is not True:
        return None
    text = request.form["data"]
    if not 0 < len(text) <= 500:
        return jsonify(res="error")

    # Escape at the boundary: both values are reflected into the HTML below.
    safe_comment = str(utils.escape(text))
    safe_icon = str(utils.escape(request.form["icon"]))
    username = session["username"]
    # The model hands back its own comment id (not MongoDB's built-in one);
    # it is used as the element's data-id and the delete link's data-comId.
    comment_id = models.Comment().add(pagename=pagename, username=username, comment=safe_comment)

    rendered = "<div class='comment' data-id='%s'><div class='pic'><img src='%s' style='width:45px;height:45px;' alt=''></div><div class='content'>\
              <div class='flright'><a href='#' data-gifId='%s' data-comId='%s'>x</a></div>\
              <a href='/%s'>%s</a><br>%s<p style='clear:both;float:none;'></p></div></div>"  % (comment_id, safe_icon, pagename, comment_id, username, username, safe_comment)
    return jsonify(res=rendered)
def _video_thumb_dict(video, parent_topic):
    """Thumbnail dict for a video; the href is topic-scoped when *parent_topic* is given."""
    if parent_topic:
        href = "/%s/v/%s" % (parent_topic.get_extended_slug(),
                             video.readable_id)
    else:
        href = "/video/%s" % video.readable_id
    return {
        "href": href,
        "thumb_urls": (
            video_models.Video.youtube_thumbnail_urls(video.youtube_id)),
        "title": video.title,
        "desc_html": templatetags.video_name_and_progress(video),
        # NOTE(review): not escaped, unlike the exercise teaser below --
        # confirm descriptions are trusted or escaped by the template.
        "teaser_html": unicode(video.description),
        "youtube_id": video.youtube_id,
        "marquee": ("marquee" in video.keywords),
        "selected": False,
        "key": unicode(video.key()),
        "type": "video-thumb",
    }


def _exercise_thumb_dict(exercise, thumb_url):
    """Thumbnail dict for an exercise; *thumb_url* is used for both quality keys."""
    href = exercise.relative_url
    safe_name = escape(exercise.display_name)
    return {
        "href": href,
        "thumb_urls": {"hq": thumb_url, "sd": thumb_url},
        "desc_html": safe_name,
        "teaser_html": ("Exercise your <em>%s</em> skills" % safe_name),
        "youtube_id": "",
        "marquee": False,
        "selected": False,
        "key": exercise.key(),
        "type": "exercise-thumb",
    }


def thumbnail_link_dict(video=None, exercise=None, thumb_url=None,
                        parent_topic=None):
    """Build the dict a thumbnail template needs for a video or an exercise.

    One of ``video`` / ``exercise`` is expected; when both are given the
    exercise dict wins because it is built last.  Returns ``None`` when
    neither is given.  ``teaser_html`` is clipped to 60 characters plus
    ``&hellip;``.

    NOTE(review): the clip runs after escaping, so it can cut through an
    entity such as ``&amp;`` -- same as the original behaviour.
    """
    link_dict = None
    if video:
        link_dict = _video_thumb_dict(video, parent_topic)
    if exercise:
        link_dict = _exercise_thumb_dict(exercise, thumb_url)
    if not link_dict:
        return None

    teaser = link_dict["teaser_html"]
    if teaser and len(teaser) > 60:
        link_dict["teaser_html"] = teaser[:60] + "&hellip;"
    return link_dict
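    def post(self):
        """Handle a contact-form submission and e-mail it to the site owner.

        Reads ``subject``, ``message``, ``name`` and ``email`` from the
        form, builds a multipart/alternative mail (plain text + HTML) and
        sends it over STARTTLS using the ``MAIL_*`` values from the app
        config.  The outcome is reported with ``flash()`` and the user is
        redirected to the ``contact`` view either way.

        The HTML part is built from the ``utils.escape``d values so form
        input cannot inject markup into the mail.  The plain-text part and
        the Subject use the raw values (previously they carried HTML
        entities such as ``&amp;``).  A missing field is treated as ""
        rather than the literal text "None".  CR/LF are collapsed out of
        the subject so a crafted value cannot end the header and append
        extra ones.  A delivery failure is logged with its traceback
        instead of being discarded.
        """
        fields = ("subject", "message", "name", "email")
        raw = {field: request.form.get(field) or "" for field in fields}
        safe = {field: str(utils.escape(value)) for field, value in raw.items()}
        # Header values are single-line by definition.
        subject = " ".join(raw["subject"].splitlines())

        cfg = current_app.config
        smtp_server = cfg['MAIL_SERVER']
        port = cfg['MAIL_PORT']
        sender_email = cfg['MAIL_DEFAULT_SENDER']
        mail_username = cfg['MAIL_USERNAME']
        receiver_email = cfg['MAIL_DEFAULT_SENDER']
        password = cfg['MAIL_PASSWORD']

        msg = MIMEMultipart("alternative")
        msg["Subject"] = subject
        msg["From"] = sender_email
        msg["To"] = receiver_email

        text = "A message from the contact form: {message}. From: {name}({email})".format(**raw)
        html = "<h2>A message from the contact form</h2><p>{message}</p><p>From: {name}({email})".format(**safe)
        msg.attach(MIMEText(text, "plain"))
        msg.attach(MIMEText(html, "html"))

        context = ssl.create_default_context()

        with smtplib.SMTP(smtp_server, port=port,
                          local_hostname="127.0.0.1") as server:
            try:
                server.starttls(context=context)
                server.login(mail_username, password)
                server.send_message(msg, sender_email, receiver_email)
            except Exception:
                # Best-effort delivery: tell the user, keep the traceback.
                current_app.logger.exception("contact form mail could not be sent")
                flash("Sorry, your message could not be sent. Please try again later. <a href=\"/\">Home</a>", 'error')
            else:
                flash("Thank you for your message. We'll get back to you as soon as possible. <a href=\"/\">Home</a>", 'info')

        return redirect(url_for('contact'))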
    def visit_Output(self, node, frame=None):
        """Emit an Output node, constant-folding its children where possible.

        NOTE(review): this excerpt looks truncated -- ``outdent_later`` and
        ``body`` are built but the code that writes them out is not shown,
        so only the folding part is documented here.

        Children whose value is known at compile time (``as_const()``) are
        rendered now: with autoescape on, a value with ``__html__`` is used
        via that method and anything else goes through ``escape()``; the
        result is coerced with ``unicode``.  Consecutive constants are
        merged into one list entry of ``body``; nodes that raise
        ``Impossible`` (or anything else while folding) are kept as nodes
        so they are evaluated at runtime instead.
        """
        if self.has_known_extends and frame.require_output_check:
            return

        outdent_later = False
        if frame.require_output_check:
            self.writeline("if (parentTemplate === undefined) {")
            outdent_later = True

        body = []
        for child in node.nodes:
            try:
                const = child.as_const()
            except nodes.Impossible:
                body.append(child)
                continue
            try:
                if self.environment.autoescape:
                    if hasattr(const, "__html__"):
                        const = const.__html__()
                    else:
                        const = escape(const)
                const = unicode(const)
            except Exception, e:
                # if something goes wrong here we evaluate the node
                # at runtime for easier debugging
                body.append(child)
                continue
            # A run of constants is collected into one list so it can be
            # emitted as a single literal later.
            if body and isinstance(body[-1], list):
                body[-1].append(const)
            else:
                body.append([const])
def do_join(eval_ctx, value, d=u""):
    """Return a string which is the concatenation of the strings in the
    sequence. The separator between elements is an empty string per
    default, you can define it with the optional parameter:

    .. sourcecode:: jinja

        {{ [1, 2, 3]|join('|') }}
            -> 1|2|3

        {{ [1, 2, 3]|join }}
            -> 123

    With autoescaping on, a plain (non-Markup) delimiter is escaped as
    soon as any item carries an HTML representation, so the delimiter
    cannot inject markup into an otherwise safe string.
    """
    # Without autoescaping there is nothing to coerce: plain unicode join.
    if not eval_ctx.autoescape:
        return unicode(d).join(imap(unicode, value))

    # A delimiter that already has an HTML representation: soft_unicode
    # keeps Markup-ness on both sides, so a normal join is correct.
    if hasattr(d, "__html__"):
        return soft_unicode(d).join(imap(soft_unicode, value))

    # Otherwise scan the items: any Markup item means the plain delimiter
    # has to be escaped; everything else is coerced to unicode.
    items = list(value)
    markup_seen = False
    for idx, item in enumerate(items):
        if hasattr(item, "__html__"):
            markup_seen = True
        else:
            items[idx] = unicode(item)
    delimiter = escape(d) if markup_seen else unicode(d)
    return delimiter.join(items)
    def _to_br(self, text):
        """Escape *text* and turn each line break into ``<br />``.

        The split uses the class-level ``_TEXT_LINEBREAK_RE``; the text is
        HTML-escaped first, so the only markup in the result is the
        ``<br />`` we add, which is why returning ``Markup`` is safe.

        Inspired from http://jinja.pocoo.org/docs/dev/api/#custom-filters
        """
        escaped = escape(text)
        pieces = self._TEXT_LINEBREAK_RE.split(escaped)
        return Markup('<br />'.join(pieces))
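def _is_allowed_attendance_path(path):
    """Return True when *path* is a ``.csv`` inside the app's ``files/`` dir.

    The path comes straight from the query string, so it is normalised
    before the prefix check: a value such as ``<app>/files/../../x.csv``
    passes a plain ``startswith`` test but leaves the directory.  Symlinks
    are not resolved here.
    """
    files_dir = os.path.normpath(Employee._meta.app_label + "/files")
    normalised = os.path.normpath(path)
    return (not os.path.isabs(normalised)
            and normalised.startswith(files_dir + os.sep)
            and normalised.endswith(".csv"))


def _read_attendance_rows(file_h):
    """Parse the opened CSV into unsaved ``EmployeeAttendance`` instances.

    Line 1 holds the standard time in its second column, line 2 is the
    heading row, and every following non-blank line is one record:
    column 0 is the employee id, column 4 is ``"是"`` for a late arrival,
    column 5 is the check time.  Blank lines are skipped; they used to
    raise IndexError and abort the whole import.
    """
    standard_time_line = file_h.readline()
    file_h.readline()  # heading row, unused
    standard_time = utils.escape(standard_time_line.split(",")[1])
    rows = []
    for data_line in file_h:
        data_line = data_line.strip()
        if not data_line:
            continue
        fields = data_line.split(",")
        rows.append(EmployeeAttendance(
            employee_id=int(fields[0]),
            type=1 if fields[4] == "是" else 0,
            check_time=fields[5].strip(),
            standard_time=standard_time,
        ))
    return rows


def employee_attandance_save(request):
    """Import the CSV named by ``?filepath=`` and redirect to the attendance page.

    Only a ``.csv`` path under ``<app_label>/files/`` is accepted (see
    ``_is_allowed_attendance_path``); anything else is ignored and the user
    is redirected with no message, as before.  On success the rows are
    bulk-created and ``ok_msg`` is set; any parse or DB error is logged
    with its traceback and reported as ``error_msg``.  The file is removed
    afterwards in both cases.
    """
    attandance_data_filepath = request.GET.get("filepath")
    msgs = {}
    if attandance_data_filepath and _is_allowed_attendance_path(attandance_data_filepath):
        try:
            with open(attandance_data_filepath, encoding='UTF-8') as file_h:
                rows = _read_attendance_rows(file_h)
            EmployeeAttendance.objects.bulk_create(rows)
            msgs["ok_msg"] = "保存成功"
        except Exception as e:
            # logger.error(e) recorded only the message; keep the traceback.
            logger.exception(e)
            msgs["error_msg"] = "保存失败, 请重新提交"
        if os.path.isfile(attandance_data_filepath):
            os.remove(attandance_data_filepath)
    return redirect("employee_attandance/?" + urlencode(msgs))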
    def __init__(self, verifications):
        """Aggregate per-verification test results into one table.

        ``verifications`` maps a verification uuid to a dict whose
        ``"tests"`` entry maps test name -> {"tags", "status", "duration",
        "details"}.  ``self._tests`` ends up as a list with one entry per
        test name holding the sorted tags, a ``has_details`` flag and a
        ``by_verification`` map of uuid -> {status, duration, details}.

        NOTE(review): the details string is rewritten in place on the
        caller's dict (link substitution, then ``jinja_utils.escape``)
        *after* the raw value was copied into ``by_verification`` -- so the
        escaped text lives in ``verifications``/``self._runs``, not in
        ``self._tests``.  Confirm which one the report reads before relying
        on that escaping.
        """
        self._runs = verifications
        self._uuids = list(verifications.keys())

        # NOTE(amaretskiy): make aggregated list of all tests
        tests = {}
        for uuid, verification in self._runs.items():
            for name, test in verification["tests"].items():
                if name not in tests:
                    # NOTE(amaretskiy): it is suitable to see resource id
                    #                   at first place in the report
                    # (reverse-sorting on the bool puts "id-..." tags first)
                    tags = sorted(test["tags"], reverse=True,
                                  key=lambda tag: tag.startswith("id-"))
                    tests[name] = {"name": name,
                                   "tags": tags,
                                   "by_verification": {},
                                   "has_details": False}
                tests[name]["by_verification"][uuid] = {
                    "status": test["status"], "duration": test["duration"],
                    "details": test["details"]}

                if test["details"]:
                    tests[name]["has_details"] = True
                    match = self.SKIP_RE.match(test["details"])
                    if match:
                        href = self.LP_BUG_LINK.format(
                            match.group("bug_number"))
                        # NOTE(review): the captured bug number is used as a
                        # regex pattern; re.escape() would be safer should it
                        # ever contain metacharacters.  The link markup is
                        # escaped right after, so it renders literally unless
                        # LP_BUG_LINK yields Markup -- confirm.
                        test["details"] = re.sub(
                            match.group("bug_number"), href, test["details"])

                    test["details"] = jinja_utils.escape(test["details"])
        self._tests = list(tests.values())
def empty_and_escape(value):
    ''' Return '' for a None value, otherwise the escaped content.

    Handy for form elements, where a missing value should render as an
    empty string rather than the text "None". '''
    return '' if value is None else escape(value)
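 def _send_mail(self, maybe_mistake=False):
     """
     Send the matched-content report by mail.

     Builds an HTML body with one section per item in ``self.content``
     (keyed by index; each value holds ``url``, ``hash``, ``repository``,
     ``path``, ``match_codes`` and ``code``), saves every item's code via
     ``_save_file`` and hands the mail to ``Notification``.

     Every value taken from a result (rule keyword, url, hash, repository,
     path, matched lines) is passed through ``utils.escape`` before it is
     placed in the HTML; previously only ``match_codes`` was escaped,
     although repository names and paths are chosen by third parties.

     :param maybe_mistake: prefix the subject with ``MB_MT`` (possible
         false positive) so such reports can be filtered
     :return: boolean -- True when there is nothing to send, otherwise
         whatever ``Notification.notification`` returns
     """
     if not self.content:
         logger.info('none content for send mail')
         return True
     title = '〔GSIL〕MB_MT ' if maybe_mistake else '〔GSIL〕'
     subject = '{title}[{types}] [{rule_name}] {count}'.format(title=title, types=self.rule_object.types, rule_name=self.rule_object.corp, count=len(self.content))
     to = get('mail', 'to')
     html = '<h3>Rule: {rule_regex} Count: {count} Datetime: {datetime}</h3>'.format(rule_regex=utils.escape(self.rule_object.keyword), datetime=time.strftime("%Y-%m-%d %H:%M:%S"), count=len(self.content))
     for i, v in self.content.items():
         html += '<h3>({i})<a href="{url}">{hash}</a> {repository}/{path}</h3>'.format(
             i=i, url=utils.escape(v['url']), hash=utils.escape(v['hash'][:6]),
             repository=utils.escape(v['repository']), path=utils.escape(v['path']))
         if v['match_codes']:
             code = ''.join('{c}<br>'.format(c=utils.escape(c)) for c in v['match_codes'])
             html += '<code>{code}</code><hr>'.format(code=code)
         self._save_file(v['hash'], v['code'])
     html += '</table></body>'
     return Notification(subject, to).notification(html)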
def empty_and_escape(value):
    """ Return "" for a None value, otherwise the escaped content.

    Handy for form elements, where a missing value should render as an
    empty string rather than the text "None". """
    return "" if value is None else escape(value)
def set_user_passiv(gid, uid):
    """Set ``user.passive`` from the JSON body's ``userstate`` flag.

    ``gid`` selects the game by UUID (JSON 404 when unknown), ``uid`` the
    user via ``get_or_404``.  ``userstate`` is escaped, lower-cased and
    compared against ``"true"``/``"1"``; anything else means False.
    Responds 201 on success and 400 when ``userstate`` is missing, and
    emits a ``reload_game`` event to the game's socket room.
    """
    def reply(message, status_code):
        response = jsonify(Message=message)
        response.status_code = status_code
        return response

    game = Game.query.filter_by(UUID=gid).first()
    user = User.query.get_or_404(uid)
    if game is None:
        return reply('Game not found', 404)
    payload = request.get_json() or {}
    if 'userstate' not in payload:
        return reply("Request must include userstate", 400)
    state = str(utils.escape(payload['userstate'])).lower()
    is_passive = state in ('true', '1')
    user.passive = is_passive
    # TODO: when the player needs to dice and check the box
    if game.move_user_id == user.id and is_passive:
        print('Hier')
    db.session.add(user)
    db.session.commit()
    response = reply('success', 201)
    # needed ???
    emit('reload_game', game.to_dict(), room=gid, namespace='/game')
    return response
    def _to_br(self, text):
        """Escape *text* and turn each line break into ``<br />``.

        The split uses the class-level ``_TEXT_LINEBREAK_RE``; the text is
        HTML-escaped first, so the only markup in the result is the
        ``<br />`` we add, which is why returning ``Markup`` is safe.

        Inspired from http://jinja.pocoo.org/docs/dev/api/#custom-filters
        """
        escaped = escape(text)
        pieces = self._TEXT_LINEBREAK_RE.split(escaped)
        return Markup('<br />'.join(pieces))
def do_replace(eval_ctx, s, old, new, count=None):
    """Return a copy of the value with all occurrences of a substring
    replaced with a new one. The first argument is the substring
    that should be replaced, the second is the replacement string.
    If the optional third argument ``count`` is given, only the first
    ``count`` occurrences are replaced:

    .. sourcecode:: jinja

        {{ "Hello World"|replace("Hello", "Goodbye") }}
            -> Goodbye World

        {{ "aaaaargh"|replace("a", "d'oh, ", 2) }}
            -> d'oh, d'oh, aaargh

    With autoescaping on, the subject is escaped when a Markup
    replacement would otherwise be mixed into an unescaped string.
    """
    limit = -1 if count is None else count
    if not eval_ctx.autoescape:
        return text_type(s).replace(text_type(old), text_type(new), limit)

    # Same precedence as the original expression:
    # old_is_markup or (new_is_markup and not s_is_markup).
    old_is_markup = hasattr(old, '__html__')
    new_is_markup = hasattr(new, '__html__')
    s_is_markup = hasattr(s, '__html__')
    if old_is_markup or (new_is_markup and not s_is_markup):
        subject = escape(s)
    else:
        subject = soft_unicode(s)
    return subject.replace(soft_unicode(old), soft_unicode(new), limit)
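 def _send_mail(self, maybe_mistake=False):
     """
     Send the matched-content report by mail.

     Builds an HTML body with one section per item in ``self.content``
     (keyed by index; each value holds ``url``, ``hash``, ``repository``,
     ``path``, ``match_codes`` and ``code``), saves every item's code via
     ``_save_file`` and hands the mail to ``Notification`` with the
     configured ``to``/``cc`` recipients.

     Every value taken from a result (rule keyword, url, hash, repository,
     path, matched lines) is passed through ``utils.escape`` before it is
     placed in the HTML; previously only ``match_codes`` was escaped,
     although repository names and paths are chosen by third parties.

     :param maybe_mistake: prefix the subject with ``MB_MT`` (possible
         false positive) so such reports can be filtered
     :return: boolean -- True when there is nothing to send, otherwise
         whatever ``Notification.notification`` returns
     """
     if not self.content:
         logger.info('none content for send mail')
         return True
     title = '〔GSIL〕MB_MT ' if maybe_mistake else '〔GSIL〕'
     subject = f'{title}[{self.rule_object.types}] [{self.rule_object.corp}] {len(self.content)}'
     to = get('mail', 'to')
     cc = get('mail', 'cc')
     html = '<h3>Rule: {rule_regex} Count: {count} Datetime: {datetime}</h3>'.format(
         rule_regex=utils.escape(self.rule_object.keyword),
         datetime=time.strftime("%Y-%m-%d %H:%M:%S"),
         count=len(self.content))
     for i, v in self.content.items():
         html += '<h3>({i})<a href="{url}">{hash}</a> {repository}/{path}</h3>'.format(
             i=i,
             url=utils.escape(v['url']),
             hash=utils.escape(v['hash'][:6]),
             repository=utils.escape(v['repository']),
             path=utils.escape(v['path']))
         if v['match_codes']:
             code = ''.join('{c}<br>'.format(c=utils.escape(c)) for c in v['match_codes'])
             html += '<code>{code}</code><hr>'.format(code=code)
         self._save_file(v['hash'], v['code'])
     html += '</table></body>'
     return Notification(subject, to, cc).notification(html)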
def empty_and_escape(value):
    ''' Return '' for a None value, otherwise the escaped content.

    Handy for form elements, where a missing value should render as an
    empty string rather than the text "None". '''
    return '' if value is None else escape(value)
def do_join(environment, value, d=u''):
    """Return a string which is the concatenation of the strings in the
    sequence. The separator between elements is an empty string per
    default, you can define it with the optional parameter:

    .. sourcecode:: jinja

        {{ [1, 2, 3]|join('|') }}
            -> 1|2|3

        {{ [1, 2, 3]|join }}
            -> 123

    With autoescaping on, a plain (non-Markup) delimiter is escaped as
    soon as any item carries an HTML representation, so the delimiter
    cannot inject markup into an otherwise safe string.
    """
    # Without autoescaping there is nothing to coerce: plain unicode join.
    if not environment.autoescape:
        return unicode(d).join(imap(unicode, value))

    # A delimiter that already has an HTML representation: soft_unicode
    # keeps Markup-ness on both sides, so a normal join is correct.
    if hasattr(d, '__html__'):
        return soft_unicode(d).join(imap(soft_unicode, value))

    # Otherwise scan the items: any Markup item means the plain delimiter
    # has to be escaped; everything else is coerced to unicode.
    items = list(value)
    markup_seen = False
    for idx, item in enumerate(items):
        if hasattr(item, '__html__'):
            markup_seen = True
        else:
            items[idx] = unicode(item)
    delimiter = escape(d) if markup_seen else unicode(d)
    return delimiter.join(items)
def get_context(context):
	"""Populate the search page context from the ``q`` query parameter.

	Disables caching, escapes ``q`` in place on ``frappe.form_dict`` (so
	every later reader sees the escaped value), sets the page title and
	merges in ``get_search_results``.  Without ``q`` only the plain
	'Search' title is set.

	NOTE(review): the escaped text is what gets searched, so a query
	containing ``&``, ``<`` or quotes is looked up in entity-encoded form.
	"""
	context.no_cache = 1
	query = frappe.form_dict.q
	if not query:
		context.title = _('Search')
		return
	query = str(utils.escape(query))
	frappe.form_dict.q = query
	context.title = _('Search Results for "{0}"').format(query)
	context.update(get_search_results(query))
 def test_xss(self):
     """An app name containing a script tag must appear only in escaped form."""
     app = self.get_app()
     app.name = u"My app é <script>alert(5)</script>"
     app.save()
     self.make_mine()
     page = smart_unicode(self.client.get(self.url).content)
     raw_name = unicode(app.name)
     ok_(raw_name not in page)
     ok_(unicode(escape(app.name)) in page)
 def test_markup_leaks(self):
     """escape() must not leak: the live-object count is stable across rounds."""
     inputs = ("foo", "<foo>", u"foo", u"<foo>")
     counts = set()
     for _round in range(20):
         for _ in range(1000):
             for value in inputs:
                 escape(value)
         counts.add(len(gc.get_objects()))
     assert len(counts) == 1, 'ouch, c extension seems to leak objects'
    def test_markup_leaks(self):
        """Exercise escape() repeatedly and record the live-object count per round.

        NOTE(review): the assertion on ``counts`` is not part of this
        excerpt; as shown, the method only collects the counts.
        """
        inputs = ('foo', '<foo>', u'foo', u'<foo>')
        counts = set()
        for _round in xrange(20):
            for _ in xrange(1000):
                for value in inputs:
                    escape(value)

            counts.add(len(gc.get_objects()))
def do_escape(value, except_starts_with=None):
    """Escape *value* line by line, leaving selected lines untouched.

    Empty lines are kept as-is, as are lines starting with any prefix in
    ``except_starts_with`` (when given); every other line goes through
    ``escape``.  The lines are re-joined with a newline, so the result is
    a plain string rather than Markup.
    """
    prefixes = () if except_starts_with is None else except_starts_with

    def keep_raw(line):
        return any(line.startswith(prefix) for prefix in prefixes)

    return "\n".join(
        line if line == "" or keep_raw(line) else escape(line)
        for line in value.split("\n")
    )
def add_entry():
    """Insert a new entry for the logged-in user and return to the list.

    Aborts with 401 when the session is not logged in.  The entry text is
    HTML-escaped with ``utils.escape`` before it is stored; the title is
    stored as submitted.  The INSERT is parameterised, so the values never
    become part of the SQL text.
    """
    if not session.get('logged_in'):
        abort(401)
    username = session.get('username')
    title = request.form['title']
    text = str(utils.escape(request.form['text']))
    g.db.execute('insert into entries (username,title, text) values (?, ?, ?)',
                 [username, title, text])
    g.db.commit()
    flash('Nowa wiadomość została dodana.')
    session['info'] = None
    return redirect(url_for('show_entries'))