def _sanitize(params, level, doNotSanitize=[]):
for i in params:
if i in doNotSanitize:
continue
if isinstance(params, dict):
param = params[i]
else:
param = i
if isinstance(param, str):
res = restrictedHTML(param, level)
if res is not None:
raise HtmlForbiddenTag(res)
elif isinstance(param, list) or isinstance(param, dict):
Sanitization._sanitize(param, level)
def _sanitize(params, level, doNotSanitize=[]):
for i in params:
if i in doNotSanitize:
continue
if isinstance(params, dict):
param = params[i]
else:
param = i
if isinstance(param, str):
res = restrictedHTML(param, level)
if res is not None:
raise HtmlForbiddenTag(res)
elif isinstance(param, list) or isinstance(param, dict):
Sanitization._sanitize(param, level)
def sanitizationCheck(target, params, accessWrapper):
# first make sure all params are utf-8
for param in params.keys():
if isinstance(params[param], str) and params[param] != "":
params[param] = encodeUnicode(params[param])
if params[param] == "":
raise MaKaCError("Your browser is using an encoding which is not recognized by Indico... Please make sure you set your browser encoding to utf-8")
elif isinstance(params[param], list):
#the params is a list, check inside
for i in range(len(params[param])):
item = params[param][i]
if isinstance(item, str) and item != "":
params[param][i] = encodeUnicode(item)
if params[param][i] == "":
raise MaKaCError("Your browser is using an encoding which is not recognized by Indico... Please make sure you set your browser encoding to utf-8")
# then check the security level of data sent to the server
# if no user logged in, then no html allowed
if accessWrapper.getUser():
level = Config.getInstance().getSanitizationLevel()
elif target and hasattr(target, "canModify") and target.canModify(accessWrapper):
# not logged user, but use a modification key
level = Config.getInstance().getSanitizationLevel()
else:
level = 0
if level not in range(4):
level = 1
if level == 0:
#Escape all HTML tags
for param in params.keys():
if isinstance(params[param], str):
#the params is a string
params[param] = escape_html(params[param])
elif isinstance(params[param], list):
#the params is a list, check inside
for i in range(len(params[param])):
item = params[param][i]
if isinstance(item, str):
params[param][i] = escape_html(item)
# raise error if form or iframe tags are used
elif level == 1:
#level 1 or default
#raise error if script or style detected
ret = None
for param in params.keys():
if isinstance(params[param], str):
ret = scriptDetection(params[param])
if not restrictedHTML(params[param]):
raise htmlForbiddenTag(params[param])
elif isinstance(params[param], list):
for item in params[param]:
if isinstance(item, str):
ret = scriptDetection(item)
if ret:
raise htmlScriptError(item)
if not restrictedHTML(item):
raise htmlForbiddenTag(item)
if ret:
raise htmlScriptError(params[param])
elif level == 2:
#raise error if script but style accepted
ret = None
for param in params.keys():
if isinstance(params[param], str):
ret = scriptDetection(params[param], allowStyle=True)
if ret:
raise htmlScriptError(params[param])
ret = restrictedHTML(params[param])
if not ret:
raise htmlForbiddenTag(params[param])
elif isinstance(params[param], list):
for item in params[param]:
if isinstance(item, str):
ret = scriptDetection(item, allowStyle=True)
if ret:
raise htmlScriptError(item)
ret = restrictedHTML(item)
if not ret:
raise htmlForbiddenTag(item)
elif level == 3:
# Absolutely no checks
return
def sanitizationCheck(target, params, accessWrapper):
# first make sure all params are utf-8
for param in params.keys():
if isinstance(params[param], str) and params[param] != "":
params[param] = encodeUnicode(params[param])
if params[param] == "":
raise MaKaCError(
"Your browser is using an encoding which is not recognized by Indico... Please make sure you set your browser encoding to utf-8"
)
elif isinstance(params[param], list):
#the params is a list, check inside
for i in range(len(params[param])):
item = params[param][i]
if isinstance(item, str) and item != "":
params[param][i] = encodeUnicode(item)
if params[param][i] == "":
raise MaKaCError(
"Your browser is using an encoding which is not recognized by Indico... Please make sure you set your browser encoding to utf-8"
)
# then check the security level of data sent to the server
# if no user logged in, then no html allowed
if accessWrapper.getUser():
level = Config.getInstance().getSanitizationLevel()
elif target and hasattr(target,
"canModify") and target.canModify(accessWrapper):
# not logged user, but use a modification key
level = Config.getInstance().getSanitizationLevel()
else:
level = 0
if level not in range(4):
level = 1
if level == 0:
#Escape all HTML tags
for param in params.keys():
if isinstance(params[param], str):
#the params is a string
params[param] = escape_html(params[param])
elif isinstance(params[param], list):
#the params is a list, check inside
for i in range(len(params[param])):
item = params[param][i]
if isinstance(item, str):
params[param][i] = escape_html(item)
# raise error if form or iframe tags are used
elif level == 1:
#level 1 or default
#raise error if script or style detected
ret = None
for param in params.keys():
if isinstance(params[param], str):
ret = scriptDetection(params[param])
if not restrictedHTML(params[param]):
raise htmlForbiddenTag(params[param])
elif isinstance(params[param], list):
for item in params[param]:
if isinstance(item, str):
ret = scriptDetection(item)
if ret:
raise htmlScriptError(item)
if not restrictedHTML(item):
raise htmlForbiddenTag(item)
if ret:
raise htmlScriptError(params[param])
elif level == 2:
#raise error if script but style accepted
ret = None
for param in params.keys():
if isinstance(params[param], str):
ret = scriptDetection(params[param], allowStyle=True)
if ret:
raise htmlScriptError(params[param])
ret = restrictedHTML(params[param])
if not ret:
raise htmlForbiddenTag(params[param])
elif isinstance(params[param], list):
for item in params[param]:
if isinstance(item, str):
ret = scriptDetection(item, allowStyle=True)
if ret:
raise htmlScriptError(item)
ret = restrictedHTML(item)
if not ret:
raise htmlForbiddenTag(item)
elif level == 3:
# Absolutely no checks
return
