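def app_view_manifest(request, addon):
    """Return an app's manifest for the reviewer tools.

    Packaged apps: the manifest is built locally by ``_mini_manifest`` for
    the latest version and ``headers`` is the empty string. Hosted apps:
    the manifest is fetched from the developer-supplied ``manifest_url``
    and the response headers are returned alongside it; if the fetch
    raises, ``content`` holds the formatted traceback instead. Valid JSON
    is re-indented, anything else is returned as-is, and the result dict
    is passed through ``escape_all`` before being returned.
    """
    if addon.is_packaged:
        version = addon.versions.latest()
        content = json.dumps(json.loads(_mini_manifest(addon, version.id)),
                             indent=4)
        return escape_all({'content': content, 'headers': ''})

    # Hosted app: show whatever the developer's manifest_url serves.
    content, headers = u'', {}
    if addon.manifest_url:
        try:
            # SECURITY: manifest_url is developer-controlled and fetched
            # server-side. verify=False is kept to preserve behaviour, but it
            # lets a network attacker feed the reviewer an arbitrary manifest;
            # nothing here restricts the target host either (SSRF unless the
            # URL is validated at submission time -- confirm). The timeout is
            # new: without one a stalled host pins the worker indefinitely.
            req = requests.get(addon.manifest_url, verify=False, timeout=10)
            content, headers = req.content, req.headers
        except Exception:
            # NOTE(review): the full traceback is sent to the client. The view
            # is presumably reviewer-only (an older definition in this file is
            # permission-gated) but this still leaks internal paths.
            content = u''.join(traceback.format_exception(*sys.exc_info()))
    try:
        # Re-indent for readability; non-JSON bodies are shown untouched.
        content = json.dumps(json.loads(content), indent=4)
    except (ValueError, TypeError):
        # Narrowed from a bare except: these are the errors json raises
        # for undecodable input.
        pass
    # requests' headers object is a CaseInsensitiveDict, not a plain dict;
    # convert it in case escape_all only recurses into real dicts, so the
    # attacker-controlled header values are escaped (as the later variants
    # of this view do).
    return escape_all({'content': smart_decode(content),
                       'headers': dict(headers)})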
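def app_view_manifest(request, addon):
    """Return an app's manifest for the reviewer tools, with a success flag.

    Packaged apps: the manifest comes from ``_mini_manifest`` for the
    latest version, ``headers`` is the empty string and ``success`` is
    True. Hosted apps: the manifest is fetched from the developer-supplied
    ``manifest_url``; ``success`` is True only if the fetch did not raise,
    otherwise ``content`` carries the formatted traceback. Valid JSON is
    re-indented, anything else is returned as-is, and the result dict is
    passed through ``escape_all``.
    """
    if addon.is_packaged:
        version = addon.versions.latest()
        content = json.dumps(json.loads(_mini_manifest(addon, version.id)),
                             indent=4)
        return escape_all({'content': content, 'headers': '',
                           'success': True})

    # Hosted app: show whatever the developer's manifest_url serves.
    content, headers, success = u'', {}, False
    if addon.manifest_url:
        try:
            # SECURITY: manifest_url is developer-controlled and fetched
            # server-side. verify=False is kept to preserve behaviour, but it
            # lets a network attacker feed the reviewer an arbitrary manifest;
            # nothing here restricts the target host either (SSRF unless the
            # URL is validated at submission time -- confirm). The timeout is
            # new: without one a stalled host pins the worker indefinitely.
            req = requests.get(addon.manifest_url, verify=False, timeout=10)
            content, headers = req.content, req.headers
            success = True
        except Exception:
            # NOTE(review): the full traceback is sent to the client; even
            # for a reviewer-only view this leaks internal paths.
            content = u''.join(traceback.format_exception(*sys.exc_info()))
    try:
        # Re-indent for readability; non-JSON bodies are shown untouched.
        content = json.dumps(json.loads(content), indent=4)
    except (ValueError, TypeError):
        # Narrowed from a bare except: these are the errors json raises
        # for undecodable input.
        pass
    # Convert requests' CaseInsensitiveDict to a plain dict in case
    # escape_all only recurses into real dicts; header values are
    # attacker-controlled and must be escaped.
    return escape_all({'content': smart_decode(content),
                       'headers': dict(headers),
                       'success': success})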
def test_escape_all_linkify_only_full(mock_get_outgoing_url):
    """Full URLs are linkified either way; bare domains only when the flag is off."""
    mock_get_outgoing_url.return_value = 'http://outgoing.firefox.com'
    linked = '<a href="http://outgoing.firefox.com">%s</a>'
    cases = [
        ('http://firefox.com', True, linked % 'http://firefox.com'),
        ('http://firefox.com', False, linked % 'http://firefox.com'),
        ('firefox.com', True, 'firefox.com'),
        ('firefox.com', False, linked % 'firefox.com'),
    ]
    for text, only_full, expected in cases:
        eq_(escape_all(text, linkify_only_full=only_full), expected)
def ajax(request):
    """Query for a user matching a given email.

    Responds with ``status`` 1 plus the user's ``id`` and ``name`` on a
    match, otherwise ``status`` 0 and a translated ``message``. When the
    ``dev`` parameter (default "1") is truthy and ``settings.MARKETPLACE``
    is set, only users who have accepted the developer agreement match.

    NOTE(review): this endpoint is an account-existence oracle keyed on
    email address; it should sit behind authentication and rate limiting.
    """
    if 'q' not in request.GET:
        raise http.Http404()

    payload = {'status': 0, 'message': ''}
    email = request.GET.get('q', '').strip()

    try:
        dev_only = int(request.GET.get('dev', '1'))
    except ValueError:
        dev_only = 1
    dev_only = dev_only and settings.MARKETPLACE

    if not email:
        payload.update(message=_('An email address is required.'))
        # Returned without escape_all, as in the original.
        return payload

    matches = UserProfile.objects.filter(email=email)
    if dev_only:
        matches = matches.exclude(read_dev_agreement=None)

    if matches:
        found = matches[0]
        payload.update(status=1, id=found.id, name=found.name)
    elif dev_only:
        payload['message'] = _('A user with that email address does not '
                               'exist, or the user has not yet accepted the '
                               'developer agreement.')
    else:
        payload['message'] = _('A user with that email address does not '
                               'exist.')
    return escape_all(payload)
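def app_view_manifest(request, addon):
    """Return an app's manifest, headers, success flag and permissions.

    Packaged apps: the manifest dict comes from ``_get_manifest_json`` and
    ``success`` is True. Hosted apps: the manifest is fetched from the
    developer-supplied ``manifest_url``; on a fetch error ``content`` holds
    the formatted traceback and ``success`` is False. An app without a
    ``manifest_url`` is reported as success with empty content (kept from
    the original). Valid JSON is re-indented; ``permissions`` is derived
    from the parsed manifest (empty dict if it never parsed). The whole
    result is passed through ``escape_all``.
    """
    manifest = {}
    success = False
    headers = ''
    if addon.is_packaged:
        manifest = _get_manifest_json(addon)
        content = json.dumps(manifest, indent=4)
        success = True
    else:
        # Hosted app: show whatever the developer's manifest_url serves.
        content, headers = u'', {}
        if addon.manifest_url:
            try:
                # SECURITY: manifest_url is developer-controlled and fetched
                # server-side. verify=False is kept to preserve behaviour, but
                # it lets a network attacker feed the reviewer an arbitrary
                # manifest; nothing restricts the target host either (SSRF
                # unless the URL is validated at submission -- confirm). The
                # timeout is new: without one a stalled host pins the worker.
                req = requests.get(addon.manifest_url, verify=False,
                                   timeout=10)
                content, headers = req.content, req.headers
                success = True
            except Exception:
                # NOTE(review): the full traceback is sent to the client;
                # even for a reviewer-only view this leaks internal paths.
                content = u''.join(
                    traceback.format_exception(*sys.exc_info()))
        else:
            success = True
        try:
            # Re-indent for readability; non-JSON bodies are shown untouched.
            manifest = json.loads(content)
            content = json.dumps(manifest, indent=4)
        except (ValueError, TypeError):
            # Narrowed from a bare except: these are the errors json raises
            # for undecodable input.
            pass
    return escape_all({'content': smart_decode(content),
                       # plain dict so escape_all recurses into header values
                       'headers': dict(headers),
                       'success': success,
                       'permissions': _get_permissions(manifest)})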
def make_validation_result(data, is_compatibility=False):
    """Safe wrapper around JSON dict containing a validation result.

    Keyword Arguments

    **is_compatibility=False**
        When True, errors will be summarized as if they were in a regular
        validation result.
    """
    if not settings.EXPOSE_VALIDATOR_TRACEBACKS and data['error']:
        # Only the last line of the traceback (the message) reaches the
        # client; the rest would expose server internals.
        data['error'] = data['error'].strip().split('\n')[-1].strip()

    validation = data['validation']
    if validation:
        messages = validation['messages']
        ending_tier = 0
        for msg in messages:
            # Track the highest tier seen (read before the tier-0 rewrite).
            ending_tier = max(ending_tier, msg['tier'])
            if msg['tier'] == 0:
                # We can't display a message if it's on tier 0.
                # Should get fixed soon in bug 617481
                msg['tier'] = 1
            # Escape every value in place; non-strings pass through.
            for key in list(msg):
                msg[key] = escape_all(msg[key])

        if is_compatibility:
            compat = validation['compatibility_summary']
            for key in ('errors', 'warnings', 'notices'):
                validation[key] = compat[key]
            for msg in messages:
                if msg['compatibility_type']:
                    msg['type'] = msg['compatibility_type']

        validation['ending_tier'] = ending_tier
    return data
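def app_view_manifest(request, addon):
    """Return an app's manifest, headers, success flag and permissions.

    Packaged apps: the manifest dict comes from ``_get_manifest_json`` and
    ``success`` is True. Hosted apps: the manifest is fetched from the
    developer-supplied ``manifest_url``; on a fetch error ``content`` holds
    the formatted traceback and ``success`` is False. An app without a
    ``manifest_url`` is reported as success with empty content (kept from
    the original). Valid JSON is re-indented; ``permissions`` is derived
    from the parsed manifest (empty dict if it never parsed). The whole
    result is passed through ``escape_all``.
    """
    manifest = {}
    success = False
    headers = ''
    if addon.is_packaged:
        manifest = _get_manifest_json(addon)
        content = json.dumps(manifest, indent=4)
        success = True
    else:
        # Hosted app: show whatever the developer's manifest_url serves.
        content, headers = u'', {}
        if addon.manifest_url:
            try:
                # SECURITY: manifest_url is developer-controlled and fetched
                # server-side. verify=False is kept to preserve behaviour, but
                # it lets a network attacker feed the reviewer an arbitrary
                # manifest; nothing restricts the target host either (SSRF
                # unless the URL is validated at submission -- confirm). The
                # timeout is new: without one a stalled host pins the worker.
                req = requests.get(addon.manifest_url, verify=False,
                                   timeout=10)
                content, headers = req.content, req.headers
                success = True
            except Exception:
                # NOTE(review): the full traceback is sent to the client;
                # even for a reviewer-only view this leaks internal paths.
                content = u''.join(
                    traceback.format_exception(*sys.exc_info()))
        else:
            success = True
        try:
            # Re-indent for readability; non-JSON bodies are shown untouched.
            manifest = json.loads(content)
            content = json.dumps(manifest, indent=4)
        except (ValueError, TypeError):
            # Narrowed from a bare except: these are the errors json raises
            # for undecodable input.
            pass
    return escape_all({
        'content': smart_decode(content),
        # plain dict so escape_all recurses into header values
        'headers': dict(headers),
        'success': success,
        'permissions': _get_permissions(manifest)
    })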
def ajax(request):
    """Query for a user matching a given email.

    Responds with ``status`` 1 plus the user's ``id`` and ``name`` on a
    match, otherwise ``status`` 0 and a translated ``message``. When the
    ``dev`` parameter (default "1") is truthy, only users who have accepted
    the developer agreement match.

    NOTE(review): this endpoint is an account-existence oracle keyed on
    email address; it should sit behind authentication and rate limiting.
    """
    if 'q' not in request.GET:
        raise http.Http404()

    payload = {'status': 0, 'message': ''}
    email = request.GET.get('q', '').strip()

    try:
        dev_only = int(request.GET.get('dev', '1'))
    except ValueError:
        dev_only = 1

    if not email:
        payload.update(message=_('An email address is required.'))
        # Returned without escape_all, as in the original.
        return payload

    matches = UserProfile.objects.filter(email=email)
    if dev_only:
        matches = matches.exclude(read_dev_agreement=None)

    if matches:
        found = matches[0]
        payload.update(status=1, id=found.id, name=found.name)
    elif dev_only:
        payload['message'] = _('A user with that email address does not '
                               'exist, or the user has not yet accepted the '
                               'developer agreement.')
    else:
        payload['message'] = _('A user with that email address does not '
                               'exist.')
    return escape_all(payload)
def ajax(request):
    """Query for a user matching a given email.

    Responds with ``status`` 1 plus the user's ``id`` and ``name`` on a
    match, otherwise ``status`` 0 and a translated ``message``. When the
    ``dev`` parameter (default "1") is truthy and ``settings.MARKETPLACE``
    is set, only users who have accepted the developer agreement match.

    NOTE(review): this endpoint is an account-existence oracle keyed on
    email address; it should sit behind authentication and rate limiting.
    """
    if "q" not in request.GET:
        raise http.Http404()

    payload = {"status": 0, "message": ""}
    email = request.GET.get("q", "").strip()

    try:
        dev_only = int(request.GET.get("dev", "1"))
    except ValueError:
        dev_only = 1
    dev_only = dev_only and settings.MARKETPLACE

    if not email:
        payload.update(message=_("An email address is required."))
        # Returned without escape_all, as in the original.
        return payload

    matches = UserProfile.objects.filter(email=email)
    if dev_only:
        matches = matches.exclude(read_dev_agreement=None)

    if matches:
        found = matches[0]
        payload.update(status=1, id=found.id, name=found.name)
    elif dev_only:
        payload["message"] = _(
            "A user with that email address does not exist, or the user "
            "has not yet accepted the developer agreement."
        )
    else:
        payload["message"] = _("A user with that email address does not exist.")
    return escape_all(payload)
def make_validation_result(data):
    """Safe wrapper around JSON dict containing a validation result.

    Trims ``data['error']`` to its last line unless tracebacks are meant
    to be exposed, and HTML-escapes every value of every validation
    message in place, linkifying only the ``message`` and ``description``
    fields. Returns the same dict.
    """
    if not settings.EXPOSE_VALIDATOR_TRACEBACKS and data['error']:
        # Only the message line of the traceback reaches the client.
        data['error'] = data['error'].strip().split('\n')[-1].strip()

    validation = data['validation']
    if validation:
        linkify_fields = ('message', 'description')
        for msg in validation['messages']:
            for key in list(msg):
                msg[key] = escape_all(msg[key],
                                      linkify=key in linkify_fields)
    return data
def test_nested(self):
    """escape_all recurses into dicts and lists and leaves non-strings alone."""
    # NOTE(review): `expected` is identical to `value` in this listing; the
    # entity-escaped form was probably lost when the page was rendered --
    # confirm against the repository before relying on it.
    value = '<script>alert("BALL SO HARD")</script>'
    expected = '<script>alert("BALL SO HARD")</script>'
    payload = {"string": value, "dict": {"x": value}, "list": [value], "bool": True}
    escaped = escape_all(payload)
    for key, want in (("string", expected), ("dict", {"x": expected}),
                      ("list", [expected]), ("bool", True)):
        eq_(escaped[key], want)
def test_without_linkify(self):
    """With linkify=False the URL inside the markup is not turned into a link."""
    # NOTE(review): `expected` is identical to `value` in this listing; the
    # entity-escaped form was probably lost when the page was rendered --
    # confirm against the repository before relying on it.
    value = "<button>http://firefox.com</button>"
    expected = "<button>http://firefox.com</button>"
    payload = {"string": value, "dict": {"x": value}, "list": [value], "bool": True}
    escaped = escape_all(payload, linkify=False)
    for key, want in (("string", expected), ("dict", {"x": expected}),
                      ("list", [expected]), ("bool", True)):
        eq_(escaped[key], want)
def make_validation_result(data):
    """Safe wrapper around JSON dict containing a validation result.

    Trims ``data['error']`` to its last line unless tracebacks are meant
    to be exposed, and HTML-escapes every value of every validation
    message in place. Returns the same dict.
    """
    if not settings.EXPOSE_VALIDATOR_TRACEBACKS and data['error']:
        # Only the message line of the traceback reaches the client.
        data['error'] = data['error'].strip().split('\n')[-1].strip()

    validation = data['validation']
    if validation:
        for msg in validation['messages']:
            for key in list(msg):
                msg[key] = escape_all(msg[key])
    return data
def make_validation_result(data):
    """Safe wrapper around JSON dict containing a validation result.

    Trims ``data["error"]`` to its last line unless tracebacks are meant
    to be exposed, and HTML-escapes every value of every validation
    message in place, linkifying only the ``message`` and ``description``
    fields. Returns the same dict.
    """
    if not settings.EXPOSE_VALIDATOR_TRACEBACKS and data["error"]:
        # Only the message line of the traceback reaches the client.
        data["error"] = data["error"].strip().split("\n")[-1].strip()

    validation = data["validation"]
    if validation:
        linkify_fields = ("message", "description")
        for msg in validation["messages"]:
            for key in list(msg):
                msg[key] = escape_all(msg[key], linkify=key in linkify_fields)
    return data
def escape_validation(validation):
    """Normalise message tiers and HTML-escape a validation dict.

    ``ending_tier`` becomes the maximum of its current value and every
    message's ``tier``; messages on tier 0 are moved to tier 1 (they cannot
    be displayed otherwise). Returns ``escape_all(validation,
    linkify_only_full=True)`` -- only full URLs are linkified.
    """
    ending_tier = validation.get('ending_tier', 0)
    for msg in validation.get('messages', []):
        # -1 distinguishes a missing tier from a genuine tier 0.
        tier = msg.get('tier', -1)
        ending_tier = max(ending_tier, tier)
        if tier == 0:
            # We can't display a message if it's on tier 0.
            # Should get fixed soon in bug 617481
            msg['tier'] = 1
    validation['ending_tier'] = ending_tier
    return escape_all(validation, linkify_only_full=True)
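def app_view_manifest(request, addon):
    """Fetch a hosted app's manifest and return it with its response headers.

    The manifest is fetched from the developer-supplied ``manifest_url``;
    if the fetch raises, ``content`` holds the formatted traceback instead.
    Valid JSON is re-indented, anything else is returned as-is, and the
    result dict is passed through ``escape_all``.
    """
    content, headers = u'', {}
    if addon.manifest_url:
        try:
            # SECURITY: manifest_url is developer-controlled and fetched
            # server-side. verify=False is kept to preserve behaviour, but it
            # lets a network attacker feed the reviewer an arbitrary manifest;
            # nothing here restricts the target host either (SSRF unless the
            # URL is validated at submission time -- confirm). The timeout is
            # new: without one a stalled host pins the worker indefinitely.
            req = requests.get(addon.manifest_url, verify=False, timeout=10)
            content, headers = req.content, req.headers
        except Exception:
            # NOTE(review): the full traceback is sent to the client; even
            # for a reviewer-only view this leaks internal paths.
            content = u''.join(traceback.format_exception(*sys.exc_info()))
    try:
        # Re-indent for readability; non-JSON bodies are shown untouched.
        content = json.dumps(json.loads(content), indent=4)
    except (ValueError, TypeError):
        # Narrowed from a bare except: these are the errors json raises
        # for undecodable input.
        pass
    # Convert requests' CaseInsensitiveDict to a plain dict in case
    # escape_all only recurses into real dicts; header values are
    # attacker-controlled and must be escaped.
    return escape_all({'content': smart_decode(content),
                       'headers': dict(headers)})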
def test_without_linkify(self):
    """With linkify=False the URL inside the markup is not turned into a link."""
    # NOTE(review): `expected` is identical to `value` in this listing; the
    # entity-escaped form was probably lost when the page was rendered --
    # confirm against the repository before relying on it.
    value = '<button>http://firefox.com</button>'
    expected = '<button>http://firefox.com</button>'
    payload = {
        'string': value,
        'dict': {'x': value},
        'list': [value],
        'bool': True,
    }
    escaped = escape_all(payload, linkify=False)
    for key, want in (('string', expected), ('dict', {'x': expected}),
                      ('list', [expected]), ('bool', True)):
        eq_(escaped[key], want)
def test_nested(self):
    """escape_all recurses into dicts and lists and leaves non-strings alone."""
    # NOTE(review): `expected` is identical to `value` in this listing; the
    # entity-escaped form was probably lost when the page was rendered --
    # confirm against the repository before relying on it.
    value = '<script>alert("BALL SO HARD")</script>'
    expected = '<script>alert("BALL SO HARD")</script>'
    payload = {
        'string': value,
        'dict': {'x': value},
        'list': [value],
        'bool': True,
    }
    escaped = escape_all(payload)
    for key, want in (('string', expected), ('dict', {'x': expected}),
                      ('list', [expected]), ('bool', True)):
        eq_(escaped[key], want)
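def app_view_manifest(request, addon):
    """Return an app's manifest, headers, success flag and permissions.

    Packaged apps: the manifest dict comes from ``_get_manifest_json`` and
    ``success`` is True. Hosted apps: the manifest is fetched from the
    developer-supplied ``manifest_url`` with the marketplace User-Agent;
    on a fetch error ``content`` holds the formatted traceback and
    ``success`` is False. An app without a ``manifest_url`` is reported as
    success with empty content (kept from the original). Valid JSON is
    re-indented; ``permissions`` is derived from the parsed manifest.
    Content and header keys/values are escaped with ``jinja2.escape``;
    permission values with ``escape_all``.
    """
    headers = {}
    manifest = {}
    success = False
    if addon.is_packaged:
        manifest = _get_manifest_json(addon)
        content = json.dumps(manifest, indent=4)
        success = True
    else:
        # Hosted app: show whatever the developer's manifest_url serves.
        content = u''
        if addon.manifest_url:
            try:
                # SECURITY: manifest_url is developer-controlled and fetched
                # server-side. verify=False is kept to preserve behaviour, but
                # it lets a network attacker feed the reviewer an arbitrary
                # manifest; nothing restricts the target host either (SSRF
                # unless the URL is validated at submission -- confirm). The
                # timeout is new: without one a stalled host pins the worker.
                req = requests.get(
                    addon.manifest_url, verify=False, timeout=10,
                    headers={'User-Agent': settings.MARKETPLACE_USER_AGENT})
                content, headers = req.content, req.headers
                success = True
            except Exception:
                # NOTE(review): the full traceback is sent to the client;
                # even for a reviewer-only view this leaks internal paths.
                content = u''.join(
                    traceback.format_exception(*sys.exc_info()))
        else:
            success = True
        try:
            # Re-indent for readability; non-JSON bodies are shown untouched.
            manifest = json.loads(content)
            content = json.dumps(manifest, indent=4)
        except (ValueError, TypeError):
            # Narrowed from a bare except: these are the errors json raises
            # for undecodable input.
            pass
    return {
        'content': jinja2.escape(smart_decode(content)),
        # Header names and values come from the remote host: escape both.
        'headers': dict((jinja2.escape(k), jinja2.escape(v))
                        for k, v in headers.items()),
        'success': success,
        # Note: We're using `escape_all` on the values here since we know the
        # keys of the nested dict don't come from user input (manifest) and
        # are known safe.
        'permissions': dict((jinja2.escape(k), escape_all(v))
                            for k, v in _get_permissions(manifest).items())
    }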
def test_basics(self):
    """Strings without markup come back from escape_all unchanged."""
    joined = "-".join([u, u])
    spaced = " - ".join([u, u])
    # NOTE(review): the '<script>' expectation equals its input in this
    # listing; the entity-escaped form was probably lost when the page was
    # rendered -- confirm against the repository.
    cases = [
        ('<script>alert("BALL SO HARD")</script>',
         '<script>alert("BALL SO HARD")</script>'),
        (u"Bän...g (bang)", u"Bän...g (bang)"),
        (u, u),
        (joined, joined),
        (spaced, spaced),
        (u"x荿", u"x\u837f"),
        (u"ϧ蒬蓣", u"\u03e7\u0383\u84ac\u84e3"),
        (u"¿x", u"¿x"),
    ]
    for given, want in cases:
        eq_(escape_all(given), want)
def test_without_linkify(self):
    """With linkify=False the URL inside the markup is not turned into a link."""
    # NOTE(review): `expected` is identical to `value` in this listing; the
    # entity-escaped form was probably lost when the page was rendered --
    # confirm against the repository before relying on it.
    value = '<button>http://firefox.com</button>'
    expected = '<button>http://firefox.com</button>'
    payload = {
        'string': value,
        'dict': {'x': value},
        'list': [value],
        'bool': True,
    }
    escaped = escape_all(payload, linkify=False)
    for key, want in (('string', expected), ('dict', {'x': expected}),
                      ('list', [expected]), ('bool', True)):
        eq_(escaped[key], want)
def test_basics(self):
    """Strings without markup come back from escape_all unchanged."""
    joined = '-'.join([u, u])
    spaced = ' - '.join([u, u])
    # NOTE(review): the '<script>' expectation equals its input in this
    # listing; the entity-escaped form was probably lost when the page was
    # rendered -- confirm against the repository.
    cases = [
        ('<script>alert("BALL SO HARD")</script>',
         '<script>alert("BALL SO HARD")</script>'),
        (u'Bän...g (bang)', u'Bän...g (bang)'),
        (u, u),
        (joined, joined),
        (spaced, spaced),
        (u'x荿', u'x\u837f'),
        (u'ϧ蒬蓣', u'\u03e7\u0383\u84ac\u84e3'),
        (u'¿x', u'¿x'),
    ]
    for given, want in cases:
        eq_(escape_all(given), want)
def test_nested(self):
    """escape_all recurses into dicts and lists and leaves non-strings alone."""
    # NOTE(review): `expected` is identical to `value` in this listing; the
    # entity-escaped form was probably lost when the page was rendered --
    # confirm against the repository before relying on it.
    value = '<script>alert("BALL SO HARD")</script>'
    expected = '<script>alert("BALL SO HARD")</script>'
    payload = {
        'string': value,
        'dict': {'x': value},
        'list': [value],
        'bool': True,
    }
    escaped = escape_all(payload)
    for key, want in (('string', expected), ('dict', {'x': expected}),
                      ('list', [expected]), ('bool', True)):
        eq_(escaped[key], want)
def ajax(request):
    """Query for a user matching a given email.

    Responds with ``status`` 1 plus the user's ``id`` and ``name`` on a
    match, otherwise ``status`` 0 and a translated ``message``.

    NOTE(review): this endpoint is an account-existence oracle keyed on
    email address; it should sit behind authentication and rate limiting.
    """
    if 'q' not in request.GET:
        raise http.Http404()

    payload = {'status': 0, 'message': ''}
    email = request.GET.get('q', '').strip()
    if not email:
        payload.update(message=_('An email address is required.'))
        # Returned without escape_all, as in the original.
        return payload

    matches = UserProfile.objects.filter(email=email)
    if matches:
        found = matches[0]
        payload.update(status=1, id=found.id, name=found.name)
    else:
        payload['message'] = _('A user with that email address does not '
                               'exist.')
    return escape_all(payload)
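@permission_required('Apps', 'Review')
@addon_view
@json_view
def app_view_manifest(request, addon):
    """Fetch a hosted app's manifest and return it with its response headers.

    Reviewer-only (``Apps:Review``). The manifest is fetched from the
    developer-supplied ``manifest_url``; if the fetch raises, ``content``
    holds the exception message instead. Valid JSON is re-indented,
    anything else is returned as-is, and the result dict is passed through
    ``escape_all`` before ``json_view`` serialises it.
    """
    content, headers = '', {}
    if addon.manifest_url:
        try:
            # SECURITY: manifest_url is developer-controlled and fetched
            # server-side with no restriction on the target host (SSRF
            # unless the URL is validated at submission time -- confirm).
            # The timeout is new: without one a stalled host pins the worker.
            req = requests.get(addon.manifest_url, timeout=10)
            content, headers = req.content, req.headers
        except Exception as e:
            # Fix: the original stored the exception *object* here, which
            # json.loads cannot parse and escape_all/json_view cannot
            # serialise; keep only its message.
            content = str(e)
    try:
        # Re-indent for readability; non-JSON bodies are shown untouched.
        content = json.dumps(json.loads(content), indent=4)
    except (ValueError, TypeError):
        # Narrowed from a bare except: these are the errors json raises
        # for undecodable input.
        pass
    # Convert requests' CaseInsensitiveDict to a plain dict in case
    # escape_all only recurses into real dicts; header values are
    # attacker-controlled and must be escaped.
    return escape_all({'content': content, 'headers': dict(headers)})


@permission_required('Apps', 'Review')
@addon_view
def app_abuse(request, addon):
    """Render the abuse reports filed against ``addon``, newest first."""
    reports = AbuseReport.objects.filter(addon=addon).order_by('-created')
    total = reports.count()
    reports = amo.utils.paginate(request, reports, count=total)
    return jingo.render(request, 'reviewers/abuse.html',
                       context(addon=addon, reports=reports, total=total))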
def check(x, y):
    """Assert that escape_all(x) equals y."""
    actual = escape_all(x)
    eq_(actual, y)