Example #1
def ajax(request):
    """Look up a single user profile by the email address given in ``q``.

    Raises ``Http404`` when the ``q`` parameter is absent. Otherwise returns
    a dict with ``status`` (1 on a match, else 0) and ``message``; a match
    also carries the profile's ``id`` and ``name``. The ``dev`` parameter
    (default ``1``; non-integer values fall back to 1) restricts matches to
    profiles whose ``read_dev_agreement`` is not ``None``.

    NOTE(review): the two outcomes let a caller tell whether an email address
    is registered. No access check is visible in this function -- confirm the
    view is wrapped with one where it is routed.
    """
    params = request.GET
    if 'q' not in params:
        raise http.Http404()

    result = {'status': 0, 'message': ''}
    address = params.get('q', '').strip()

    try:
        dev_only = int(params.get('dev', '1'))
    except ValueError:
        dev_only = 1

    if not address:
        # Returned without escape_all(): the only text added on this path is
        # a fixed translated string.
        result.update(message=_('An email address is required.'))
        return result

    matches = UserProfile.objects.filter(email=address)
    if dev_only:
        matches = matches.exclude(read_dev_agreement=None)

    msg = _('A user with that email address does not exist.')
    msg_dev = _('A user with that email address does not exist, or the user '
                'has not yet accepted the developer agreement.')

    if not matches:
        result['message'] = msg_dev if dev_only else msg
    else:
        # The profile name goes out through escape_all() below.
        profile = matches[0]
        result.update(status=1, id=profile.id, name=profile.name)

    return escape_all(result)
Example #2
def ajax(request):
    """Find the user profile registered under the email address in ``q``.

    A request without ``q`` raises ``Http404``. The returned dict always has
    ``status`` and ``message``; when a profile matches, ``status`` is 1 and
    ``id`` and ``name`` are included. ``dev`` defaults to ``1`` (and to 1
    again if it is not an integer); a truthy value excludes profiles whose
    ``read_dev_agreement`` is ``None``.

    NOTE(review): the response differs for known and unknown addresses, so
    this view can confirm that an account exists. Whether access is limited
    is not visible here -- check the decorators or URL configuration.
    """
    query = request.GET
    if "q" not in query:
        raise http.Http404()

    payload = {"status": 0, "message": ""}
    wanted_email = query.get("q", "").strip()

    raw_flag = query.get("dev", "1")
    try:
        dev_only = int(raw_flag)
    except ValueError:
        dev_only = 1

    if not wanted_email:
        # This path skips escape_all(); the message is a fixed translation.
        payload.update(message=_("An email address is required."))
        return payload

    profiles = UserProfile.objects.filter(email=wanted_email)
    if dev_only:
        profiles = profiles.exclude(read_dev_agreement=None)

    msg = _("A user with that email address does not exist.")
    msg_dev = _(
        "A user with that email address does not exist, or the user " "has not yet accepted the developer agreement."
    )

    if profiles:
        found = profiles[0]
        payload.update(status=1, id=found.id, name=found.name)
    elif dev_only:
        payload["message"] = msg_dev
    else:
        payload["message"] = msg

    # Every string in the payload, including the profile name, is escaped.
    return escape_all(payload)
Example #3
def make_validation_result(data):
    """Sanitise a validation-result dict in place and return it.

    Unless ``settings.EXPOSE_VALIDATOR_TRACEBACKS`` is set, a non-empty
    ``data['error']`` is replaced with a generic translated message, so the
    original error text is not passed on. Every value of every entry in
    ``data['validation']['messages']`` goes through ``escape_all``;
    linkification is enabled only for the ``message`` and ``description``
    keys.

    NOTE(review): ``data['error']`` is never escaped here. When the setting
    is on, the raw error text is returned as is, so the consumer has to
    escape it at render time.
    """
    hide_details = not settings.EXPOSE_VALIDATOR_TRACEBACKS
    if hide_details and data['error']:
        data['error'] = _('An error occurred validating the manifest.')

    validation = data['validation']
    if validation:
        linkified_keys = ('message', 'description')
        for entry in validation['messages']:
            # Only existing keys are reassigned, so the dict keeps its size
            # while it is being iterated.
            for key, raw in entry.items():
                entry[key] = escape_all(raw, linkify=key in linkified_keys)
    return data
Example #4
def make_validation_result(data):
    """Prepare a validator result dict for output; mutates and returns it.

    With ``settings.EXPOSE_VALIDATOR_TRACEBACKS`` off, any truthy
    ``data["error"]`` is swapped for a fixed translated message. The values
    in each ``data["validation"]["messages"]`` entry are then run through
    ``escape_all``, with ``linkify`` true only for the ``message`` and
    ``description`` keys.

    NOTE(review): the ``error`` value is not escaped by this function; with
    the setting on it is returned unchanged.
    """
    if not settings.EXPOSE_VALIDATOR_TRACEBACKS and data["error"]:
        data["error"] = _("An error occurred validating the manifest.")

    if not data["validation"]:
        return data

    for message in data["validation"]["messages"]:
        for field, text in message.items():
            wants_links = field in ("message", "description")
            message[field] = escape_all(text, linkify=wants_links)
    return data
Example #5
def make_validation_result(data):
    """Scrub a validation-result dict before it is handed back.

    The dict is modified in place and returned. If
    ``settings.EXPOSE_VALIDATOR_TRACEBACKS`` is false and ``data['error']``
    is truthy, the error is replaced with a generic translated message.
    All values of the entries under ``data['validation']['messages']`` are
    passed through ``escape_all``; only ``message`` and ``description`` are
    linkified.

    NOTE(review): nothing here escapes ``data['error']``; when the setting
    is true its original text is returned untouched.
    """
    expose = settings.EXPOSE_VALIDATOR_TRACEBACKS
    if not expose:
        if data['error']:
            data['error'] = _('An error occurred validating the manifest.')

    report = data['validation']
    if report:
        for item in report['messages']:
            for name, value in item.items():
                linkify = name in ('message', 'description')
                item[name] = escape_all(value, linkify=linkify)
    return data
Example #6
def make_validation_result(data):
    """Trim and escape a validation-result dict in place, then return it.

    Unless ``settings.EXPOSE_VALIDATOR_TRACEBACKS`` is set, a truthy
    ``data['error']`` is cut down to its last line (stripped), which drops
    the traceback frames and keeps the final message line. Each value in
    the entries of ``data['validation']['messages']`` is passed through
    ``escape_all``, linkified only for ``message`` and ``description``.

    NOTE(review): the retained error line is not escaped here and still
    contains whatever the exception message held -- confirm it is escaped
    at render time and carries nothing that should stay internal.
    """
    if not settings.EXPOSE_VALIDATOR_TRACEBACKS and data['error']:
        # Just expose the message, not the traceback.
        last_line = data['error'].strip().rsplit('\n', 1)[-1]
        data['error'] = last_line.strip()

    validation = data['validation']
    if validation:
        for entry in validation['messages']:
            for key, raw in entry.items():
                entry[key] = escape_all(
                    raw, linkify=key in ('message', 'description'))
    return data
Example #7
    def test_nested(self):
        """escape_all escapes strings nested in dicts and lists.

        Non-string values (the boolean) must come back unchanged.
        """
        payload = '<script>alert("BALL SO HARD")</script>'
        # As pinned here, the angle brackets are entity-encoded while the
        # double quotes stay literal, so this checks element-content
        # escaping only, not attribute-safe output.
        escaped = '&lt;script&gt;alert("BALL SO HARD")&lt;/script&gt;'

        result = escape_all(
            {"string": payload, "dict": {"x": payload}, "list": [payload], "bool": True}
        )

        checks = (
            ("string", escaped),
            ("dict", {"x": escaped}),
            ("list", [escaped]),
            ("bool", True),
        )
        for key, wanted in checks:
            eq_(result[key], wanted)
Example #8
    def test_without_linkify(self):
        """With linkify=False a URL is escaped as text, not made a link."""
        markup = "<button>http://firefox.com</button>"
        # The URL appears verbatim in the expected value: no anchor tag is
        # generated around it.
        escaped = "&lt;button&gt;http://firefox.com&lt;/button&gt;"

        nested = {"string": markup, "dict": {"x": markup}, "list": [markup], "bool": True}
        result = escape_all(nested, linkify=False)

        checks = (
            ("string", escaped),
            ("dict", {"x": escaped}),
            ("list", [escaped]),
            ("bool", True),
        )
        for key, wanted in checks:
            eq_(result[key], wanted)
Example #9
    def test_without_linkify(self):
        """escape_all(..., linkify=False) escapes markup and adds no links."""
        raw = '<button>http://firefox.com</button>'
        # Expected output keeps the URL as plain text inside the escaped
        # markup.
        safe = '&lt;button&gt;http://firefox.com&lt;/button&gt;'

        res = escape_all({'string': raw, 'dict': {'x': raw}, 'list': [raw],
                          'bool': True},
                         linkify=False)

        eq_(res['string'], safe)
        eq_(res['dict'], {'x': safe})
        eq_(res['list'], [safe])
        # Non-string values pass through untouched.
        eq_(res['bool'], True)
Example #10
    def test_nested(self):
        """Nested dict and list members are escaped like top-level strings."""
        raw = '<script>alert("BALL SO HARD")</script>'
        # Only the angle brackets change in the expected value; the double
        # quotes remain literal, so the result is pinned for element content
        # and is not attribute-safe.
        safe = '&lt;script&gt;alert("BALL SO HARD")&lt;/script&gt;'

        res = escape_all({'string': raw, 'dict': {'x': raw}, 'list': [raw],
                          'bool': True})

        eq_(res['string'], safe)
        eq_(res['dict'], {'x': safe})
        eq_(res['list'], [safe])
        # Non-string values pass through untouched.
        eq_(res['bool'], True)
Example #11
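def app_view_manifest(request, addon):
    """Return an app's manifest, response headers and permissions, escaped.

    A packaged app's manifest comes from ``_get_manifest_json``. A hosted
    app's manifest is fetched from ``addon.manifest_url``; if the fetch
    raises, the formatted traceback becomes the displayed content and
    ``success`` stays false. Content that parses as JSON is re-indented,
    anything else is shown as received.

    Returns a dict with ``content`` and ``headers`` (escaped with
    ``jinja2.escape``), ``success`` (bool) and ``permissions`` (keys escaped
    with ``jinja2.escape``, values with ``escape_all``).
    """
    headers = {}
    manifest = {}
    success = False

    if addon.is_packaged:
        manifest = _get_manifest_json(addon)
        content = json.dumps(manifest, indent=4)
        success = True

    else:  # Show the hosted manifest_url.
        content, headers = u'', {}
        if addon.manifest_url:
            try:
                # NOTE(review): verify=False switches off TLS certificate
                # validation, so the content shown here is not authenticated
                # and could have been altered in transit. Kept because it
                # may be deliberate (hosts with untrusted certificates);
                # confirm, and prefer the default verification.
                # NOTE(review): no timeout is passed, so an unresponsive host
                # can hold this request open. manifest_url is fetched
                # server-side; confirm it is validated elsewhere so it cannot
                # point at internal services.
                req = requests.get(
                    addon.manifest_url,
                    verify=False,
                    headers={'User-Agent': settings.MARKETPLACE_USER_AGENT})
                content, headers = req.content, req.headers
            except Exception:
                # NOTE(review): the full traceback, with server-side paths,
                # is returned as page content (escaped below).
                content = u''.join(traceback.format_exception(*sys.exc_info()))
            else:
                # Set only here; the original also set it inside the try
                # body, which was redundant.
                success = True

            try:
                # Reindent the JSON.
                manifest = json.loads(content)
                content = json.dumps(manifest, indent=4)
            except Exception:
                # If it's not valid JSON, just return the content as is.
                # The body is remote-controlled, so any parse failure falls
                # back to raw display; unlike a bare ``except:`` this no
                # longer swallows KeyboardInterrupt or SystemExit.
                pass

    return {
        'content': jinja2.escape(smart_decode(content)),
        'headers': {jinja2.escape(k): jinja2.escape(v)
                    for k, v in headers.items()},
        'success': success,
        # Note: We're using `escape_all` on the values here since we know the
        # keys of the nested dict don't come from user input (manifest) and are
        # known safe.
        'permissions': {jinja2.escape(k): escape_all(v)
                        for k, v in _get_permissions(manifest).items()},
    }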
Example #12
    def test_basics(self):
        """escape_all escapes markup and leaves plain and non-ASCII text alone."""
        hyphenated = "-".join([u, u])
        spaced = " - ".join([u, u])

        # (input, expected) pairs; only the first one contains markup.
        cases = [
            ('<script>alert("BALL SO HARD")</script>', '&lt;script&gt;alert("BALL SO HARD")&lt;/script&gt;'),
            (u"Bän...g (bang)", u"Bän...g (bang)"),
            (u, u),
            (hyphenated, hyphenated),
            (spaced, spaced),
            (u"x荿", u"x\u837f"),
            (u"ϧ΃蒬蓣", u"\u03e7\u0383\u84ac\u84e3"),
            (u"¿x", u"¿x"),
        ]

        for raw, wanted in cases:
            eq_(escape_all(raw), wanted)
Example #13
    def test_without_linkify(self):
        """linkify=False: markup is escaped and the URL stays plain text."""
        source = '<button>http://firefox.com</button>'
        # No anchor is expected around the URL.
        wanted = '&lt;button&gt;http://firefox.com&lt;/button&gt;'

        structure = {
            'string': source,
            'dict': {'x': source},
            'list': [source],
            'bool': True,
        }
        out = escape_all(structure, linkify=False)

        for key, expected in (('string', wanted),
                              ('dict', {'x': wanted}),
                              ('list', [wanted]),
                              ('bool', True)):
            eq_(out[key], expected)
Example #14
    def test_nested(self):
        """Strings inside nested containers are escaped; booleans are kept."""
        source = '<script>alert("BALL SO HARD")</script>'
        # The expected value encodes < and > but keeps the double quotes, so
        # what is pinned here is element-content escaping, not
        # attribute-safe output.
        wanted = '&lt;script&gt;alert("BALL SO HARD")&lt;/script&gt;'

        structure = {
            'string': source,
            'dict': {'x': source},
            'list': [source],
            'bool': True,
        }
        out = escape_all(structure)

        for key, expected in (('string', wanted),
                              ('dict', {'x': wanted}),
                              ('list', [wanted]),
                              ('bool', True)):
            eq_(out[key], expected)
Example #15
    def test_basics(self):
        """Markup is escaped; text without markup comes back unchanged."""
        joined = '-'.join([u, u])
        padded = ' - '.join([u, u])

        # Each pair is (value passed to escape_all, expected result).
        pairs = [
            ('<script>alert("BALL SO HARD")</script>',
             '&lt;script&gt;alert("BALL SO HARD")&lt;/script&gt;'),
            (u'Bän...g (bang)', u'Bän...g (bang)'),
            (u, u),
            (joined, joined),
            (padded, padded),
            (u'x荿', u'x\u837f'),
            (u'ϧ΃蒬蓣', u'\u03e7\u0383\u84ac\u84e3'),
            (u'¿x', u'¿x'),
        ]

        for given, wanted in pairs:
            eq_(escape_all(given), wanted)
Example #16
    def test_basics(self):
        """Check escape_all on a script tag and on several Unicode strings."""
        dashed = '-'.join([u, u])
        dashed_spaced = ' - '.join([u, u])

        # The script tag is the only entry whose expected value differs from
        # its input; the rest must round-trip unchanged.
        table = [
            ('<script>alert("BALL SO HARD")</script>',
             '&lt;script&gt;alert("BALL SO HARD")&lt;/script&gt;'),
            (u'Bän...g (bang)', u'Bän...g (bang)'),
            (u, u),
            (dashed, dashed),
            (dashed_spaced, dashed_spaced),
            (u'x荿', u'x\u837f'),
            (u'ϧ΃蒬蓣', u'\u03e7\u0383\u84ac\u84e3'),
            (u'¿x', u'¿x'),
        ]

        for sample, escaped in table:
            eq_(escape_all(sample), escaped)
Example #17
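def app_view_manifest(request, addon):
    """Build the escaped manifest view data for an app.

    Packaged apps use the manifest from ``_get_manifest_json``. Hosted apps
    have ``addon.manifest_url`` fetched with ``requests``; a failed fetch
    puts the formatted traceback in ``content`` and leaves ``success``
    false. Content that parses as JSON is re-indented, other content is
    returned as received.

    Returns a dict with ``content``, ``headers``, ``success`` and
    ``permissions``; all strings are escaped with ``jinja2.escape`` except
    the permission values, which go through ``escape_all``.
    """
    headers = {}
    manifest = {}
    success = False

    if addon.is_packaged:
        manifest = _get_manifest_json(addon)
        content = json.dumps(manifest, indent=4)
        success = True

    else:  # Show the hosted manifest_url.
        content, headers = u'', {}
        if addon.manifest_url:
            try:
                # NOTE(review): verify=False disables TLS certificate
                # validation; the manifest displayed may not be what the
                # real host serves. Kept in case it is intentional --
                # confirm, and prefer the default verification.
                # NOTE(review): there is no timeout, and the URL is fetched
                # from the server side; confirm manifest_url is validated
                # elsewhere and consider bounding the request time.
                req = requests.get(
                    addon.manifest_url, verify=False,
                    headers={'User-Agent': settings.MARKETPLACE_USER_AGENT})
                content, headers = req.content, req.headers
            except Exception:
                # NOTE(review): this returns the whole traceback, including
                # server-side paths, as page content (escaped below).
                content = u''.join(traceback.format_exception(*sys.exc_info()))
            else:
                # The duplicate assignment inside the try body was dropped;
                # success is decided here only.
                success = True

            try:
                # Reindent the JSON.
                manifest = json.loads(content)
                content = json.dumps(manifest, indent=4)
            except Exception:
                # If it's not valid JSON, just return the content as is.
                # Narrowed from a bare ``except:`` so that KeyboardInterrupt
                # and SystemExit propagate, while any failure on the
                # remote-controlled body still falls back to raw display.
                pass

    return {
        'content': jinja2.escape(smart_decode(content)),
        'headers': dict((jinja2.escape(k), jinja2.escape(v))
                        for k, v in headers.items()),
        'success': success,
        # Note: We're using `escape_all` on the values here since we know the
        # keys of the nested dict don't come from user input (manifest) and are
        # known safe.
        'permissions': dict((jinja2.escape(k), escape_all(v))
                            for k, v in _get_permissions(manifest).items())
    }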