def get_content(cls, abspath, start=None, end=None):
relative_path = abspath.replace(os.getcwd(), '') + '/'
if os.path.isdir(abspath):
html = '<html><title>Directory listing for %s</title><body><h2>Directory listing for %s</h2><hr><ul>' % (relative_path, relative_path)
for file in os.listdir(abspath):
filename = file
if os.path.isdir(file):
filename += '/'
html += '<li><a href="%s">%s</a>' % (xhtml_escape(filename), xhtml_escape(filename))
return html + '</ul><hr>'
if os.path.splitext(abspath)[1] == '.md':
try:
import codecs
import markdown
input_file = codecs.open(abspath, mode='r', encoding='utf-8')
text = input_file.read()
return markdown.markdown(text)
except:
pass
return super(DirectoryHandler, cls).get_content(abspath, start=start, end=end)
def post_argv(self, post= None):
if post: # title
if 'title_seo' in post['post']:
title_seo = escape.xhtml_escape(post['post']['title_seo'])
else:
title_seo = ''
if 'title' in post['post']:
title = escape.xhtml_escape("%s (%s)" % (post['post']['title'], post['post']['year']))
else:
title = ""
# poster
if 'poster' in post['post']:
poster = escape.xhtml_escape(post['post']['poster'])
else:
poster = ""
###
argv = {
"id" : str(post['_id']),
"title" : title,
"subtitle" : escape.xhtml_escape(post['post']['subtitle']),
"poster" : poster,
"link" : "%s/%s/%s/%s.html" % (self.site.domain_root, self.module['setting']['server']['page_view'], post['_id'], title_seo),
}
else:
argv = {
"id" : '{{ id }}',
"title" : '{{ title }}',
"subtitle" : '{{ subtitle }}',
"poster" : '{{ poster }}',
"link" : '{{ link }}'
}
return argv
def post(self):
"""
POST the required parameters to register a TestBox env
* `hostname`
"""
hostname = xhtml_escape(self.get_argument('hostname'))
password = xhtml_escape(self.get_argument('password'))
box_ip = self.request.remote_ip
try:
testbox = yield self.testbox_find(
hostname=hostname,
password=password
)
testbox.hostname = hostname
testbox.password = password
testbox.box_ip = box_ip
testbox.pubkey = self.application.pubkey_content
testbox.updated_at = datetime.now()
except ValueError:
testbox = TestBox(
hostname=hostname,
password=password,
box_ip=box_ip,
pubkey=self.application.pubkey_content,
created_at=datetime.now()
)
res = yield testbox.save()
print(res)
self.set_status(201)
self.success(res.to_son())
def tags_link(self):
tags = self.tags
if not tags:
return ''
links = ['<a href="%s" title="%s" class="tag">%s</a>' % (
tag.permalink, xhtml_escape(tag.title), xhtml_escape(tag.title)) for tag in tags]
return ','.join(links)
def post(self):
initial = "(.*%s.*)" % (self.get_argument('search_string'))
for match in SEARCH.find({"search": { '$regex': initial}}):
response = """
<li class="list-group-item"><a onClick="a_onClick(\'%s\')">%s</a></li>
""" % (esc.xhtml_escape(match["search"]), esc.xhtml_escape(match["search"]))
self.write(response)
def post(self):
id = self.get_argument("id", None)
title = xhtml_escape(self.get_argument("title"))
tep = self.get_argument("info")
code = xhtml_escape(self.get_argument("code"))
pswd = self.get_argument("password")
check = self.get_argument("check", None)
if check != "1984":
self.redirect("/newcode")
return
info = md.convert(tep)
password = hexuserpass(pswd)
slug = "zzzzzzzz"
self.db.execute(
"INSERT INTO entries (password,title,slug,code,info,markdown," "published) VALUES (%s,%s,%s,%s,%s,%s,%s)",
password,
title,
slug,
code,
info,
tep,
datetime.datetime.now(),
)
e = self.db.get("SELECT * FROM entries WHERE slug = %s", slug)
eid = e.id
slug = eid
self.db.execute("UPDATE entries SET slug = %s WHERE id = %s", slug, int(eid))
self.redirect("/" + str(slug))
def post(self):
"""Post connection form and try to connect with these credentials
"""
incorrect = self.get_secure_cookie('incorrect')
if not incorrect or int(incorrect) < 0:
incorrect = 0
elif int(incorrect) >= max_attemps:
logging.warning('an user is blocked')
self.clear_cookie('user')
self.render('blocked.html', blocked_duration=blocked_duration)
return
getusername = escape.xhtml_escape(self.get_argument('username'))
getpassword = escape.xhtml_escape(self.get_argument('password'))
if login == getusername and password == getpassword:
logging.info('right credentials')
self.set_secure_cookie('user', self.get_argument('username'), expires_days=1)
self.clear_cookie('incorrect')
self.redirect('/')
else:
logging.info('invalid credentials')
incorrect = int(incorrect) + 1
self.set_secure_cookie('incorrect', str(incorrect), expires_days=blocked_duration)
if incorrect >= max_attemps:
logging.warning('an user is now blocked')
self.clear_cookie('user')
self.render('blocked.html', blocked_duration=blocked_duration)
else:
self.render('login.html', failed=True)
def test_get_ag_details(self):
self.mock_login_admin()
# test if AGP data are rendered correctly
barcode = '000029153'
response = self.get('/barcode_util/', {'barcode': barcode})
self.assertEqual(response.code, 200)
self.assertIn('<h2>%s Details</h2>' % 'American Gut', response.body)
ag_details = db.getAGBarcodeDetails(barcode)
self.assertIn('<tr><td>Sample Date</td><td>%s</td></tr>'
% ag_details['sample_date'], response.body)
self.assertIn('<tr><td>Sample Time</td><td>%s</td></tr>'
% ag_details['sample_time'], response.body)
self.assertIn('<tr><td>Sample Site</td><td>%s</td></tr>'
% ag_details['site_sampled'], response.body)
self.assertIn('<label for="moldy"> moldy (current: %s) </label> <br />'
% ag_details['moldy'], response.body)
self.assertIn(('<label for="overloaded"> overloaded (current: %s) '
'</label> <br />') % ag_details['overloaded'],
response.body)
self.assertIn(('<label for="other"> other (current: %s) '
'</label> <br />') % ag_details['other'], response.body)
self.assertIn(('<textarea name="other_text" onclick="this.select()'
'">%s</textarea>') %
xhtml_escape(ag_details['other_text']),
response.body)
self.assertIn(('<label for="send_mail" style="display:block;">send kit'
' owner %s (%s) an email </label>')
% (xhtml_escape(ag_details['name']),
xhtml_escape(ag_details['email'])),
response.body)
def get(self, note_id):
template_values = {}
if len(note_id) < 8:
raise tornado.web.HTTPError(404)
note_id = decode(note_id)
notes = self.db.query(
"select title,note,rev_num,rev_user_name as name,rev_user_domain as domain"
", revdate from fd_NoteHistory where note_id = %s and rev_status = 0"
" order by rev_num desc", note_id)
if not notes:
raise tornado.web.HTTPError(404)
for i in range(len(notes)):
next_note = {}
if i == len(notes)-1:
next_note['title'] = ''
next_note['note'] = ''
else:
next_note['title'] = notes[i+1].title
next_note['note'] = notes[i+1].note
notes[i].title = textdiff(xhtml_escape(next_note['title']), xhtml_escape(notes[i].title))
note1 = self.br(linkify(next_note['note'], extra_params="target='_blank' rel='nofollow'"))
note2 = self.br(linkify(notes[i].note, extra_params="target='_blank' rel='nofollow'"))
notes[i].note = self.at(textdiff(note1, note2))
notes[i]['rev'] = 0
if i == 0:
notes[i]['rev'] = 1
template_values['notes'] = notes
self.render("notehistory.html", template_values=template_values)
def _on_auth(self, user):
if not user:
self.get_error('/', '10', u'Google auth failed', SITE_NAME)
return
author = User().select(['uid', 'username', 'flag']).find_by_email(user["email"])
if not author:
if CHECK_REG == 1:
usermail = xhtml_escape(user["email"].strip())
username = xhtml_escape(usermail.split('@')[0])
userid = User().user_new_google(username, usermail, '1')
self.session['gnauid'] = userid
self.session['gnaname'] = username
self.session['gnaflag'] = '1'
self.session.save()
self.logaw('reg', u'注册(第一次登录)', '0', '0', '0', '0')
#记录日志(type,des,aid,cid,nid,puid)
self.redirect('/settings')
else:
self.get_error('/', '10', u'系统禁止注册', SITE_NAME)
else:
self.session['gnauid'] = author.uid
self.session['gnaname'] = author.username
self.session['gnaflag'] = author.flag
self.session.save()
self.logaw('login', u'登录', '0', '0', '0', '0')
#记录日志(type,des,aid,cid,nid,puid)
self.redirect(self.get_argument('next', '/'))
def test_get(self):
ag_login_id = '0077c686-b0ad-11f8-e050-8a800c5d1877'
self.mock_login_admin()
email = db.get_login_info(ag_login_id)[0]['email']
response = self.get('/ag_edit_participant/', {'email': email})
self.assertEqual(response.code, 200)
# check that all relevant user information is rendered on HTML side
login = db.get_login_by_email(email)
for key, value in login.items():
if not isinstance(key, unicode):
key = key.decode('utf-8')
if key == 'zip':
key = u'zipcode'
elif key == 'ag_login_id':
continue
if not isinstance(value, unicode):
value = value.decode('utf-8')
key = xhtml_escape(key.encode('utf-8'))
value = xhtml_escape(value.encode('utf-8'))
self.assertIn(('</td><td><input type="text" name="%s" id="%s" '
'value="%s"></td></tr>') % (key, key, value),
response.body)
# check what happens if user with email does not exist.
# TODO: we should create a better error message in the handler to be
# displayed, see issue: #115
response = self.get('/ag_edit_participant/?email=notInDB')
self.assertIn('AN ERROR HAS OCCURED!', response.body)
self.assertEqual(response.code, 500)
# TODO: similarly if no email, i.e. user, is given. Issue: #115
response = self.get('/ag_edit_participant/?email=')
self.assertIn('AN ERROR HAS OCCURED!', response.body)
self.assertEqual(response.code, 500)
def post(self):
email = xhtml_escape(self.get_argument("email"))
password = xhtml_escape(self.get_argument("password"))
pool = ThreadPool(processes=1)
pool.apply_async(self.__checkLogin, args=(email, password), callback=self.__onfinish)
pool.close()
def block_code(self, code, language):
# Don't forget about escaping
code = ignore_trailing_newlines(xhtml_escape(code))
if language:
language = xhtml_escape(language)
klass = ' class="language-{0}"'.format(language)
else:
klass = ""
return "<pre><code{0}>{1}</code></pre>\n".format(klass, code)
def get_netinfo(self):
addr = xhtml_escape(common.shell('ip addr'))
routing = xhtml_escape('\n'.join(common.shell('route -n').split("\n")[1:]))
ifaces = OutputFormatter.highlight(xhtml_escape(common.shell('mii-tool 2> /dev/null')))
lan = appconfig.get()['net']
sangoma = common.shell("wanrouter status")
return {'addr': addr, 'routing': routing, 'lan': lan, 'ifaces': ifaces, 'sangoma': sangoma}
def post(self):
username = xhtml_escape(self.get_argument("username"))
email = xhtml_escape(self.get_argument("email"))
password = xhtml_escape(self.get_argument("password"))
conf_pass = xhtml_escape(self.get_argument("confirmPassword"))
#Thread incaricato di gesitire la scrittura sul db
pool = ThreadPool(processes=1)
pool.apply_async(self.__checkDuplicates, args=(username, email, password), callback=self.__onfinish)
pool.close()
def get_scores(self):
scores = {}
for socket in self.sockets:
name = socket.name
if name in self.game.scores:
scores[xhtml_escape(name)] = self.game.scores[name]
else:
scores[xhtml_escape(name)] = []
for (name, score) in self.game.scores.items():
if not xhtml_escape(name) in scores:
scores[xhtml_escape(name) + " (ABSENT)"] = score
return scores
def write_error(self, status_code, **kwargs):
if hasattr(self, "error_message"):
if isinstance(self.error_message, BaseException):
import traceback
self.write("<html><body><pre>%s</pre></body></html>" %
xhtml_escape(''.join(traceback.format_exc())))
else:
self.write("<html><body>Error: %s</body></html>" %
xhtml_escape(self.error_message))
else:
super(HandlerBase, self).write_error(status_code, **kwargs)
def show_flash(self):
err = self.get_secure_cookie('e')
info = self.get_secure_cookie('i')
s = ''
if err:
s += '<div class="error">%s</div>' % (xhtml_escape(err),)
self.clear_cookie('e')
if info:
s += '<div class="info">%s</div>' % (xhtml_escape(info),)
self.clear_cookie('i')
return s
def post(self):
result = {}
try:
tmp_file = self.get_argument("tmp_file")
result["status"] = os.path.isfile(tmp_file)
if result["status"]:
result["message"] = "上传成功"
self.write(json.dumps(result))
self.finish()
file_info = {
"nickname" : xhtml_escape(self.get_argument("nickname")),
"category" : self.get_argument("category"),
"intro" : xhtml_escape(self.get_argument("intro")),
"uploader" : self.get_secure_cookie("username"),
"tmp_file" : tmp_file,
}
category = self.get_argument("category")
sub_category = self.get_arguments("sub_category")
file_info["cid"] = sub_category[-1]
if category == "common":
# 常用分类,需要记录pid
file_info["pid"] = sub_category[0]
if category == "book":
# 图书类,需要作者
file_info["author"] = self.get_argument("author", "anonymous")
elif category == "magazine":
# 杂志类,需要出版社,刊号
file_info["publisher"] = xhtml_escape(
self.get_argument("publisher", "unknown"))
file_info["issue"] = xhtml_escape(
self.get_argument("issue", "unknown"))
file_path = {
"static_path" : self.application.settings["static_path"],
"temp_path" : self.application.settings["temp_path"]
}
pool = multiprocessing.Pool(processes=8)
pool.apply_async(Upload, (file_info, file_path))
pool.close()
pool.join()
else:
result["message"] = "附件已丢失...请联系网站管理员或重新上传"
self.write(json.dumps(result))
self.finish()
return
except Exception as e:
print e
# result["status"] = False
# result["message"] = e
self.finish()
def post(self,id):
if self.check_login(id):
id = int(id)
url = '/detail/' + str(id)
title = xhtml_escape(self.get_argument('title', ''))
poster = xhtml_escape(self.get_argument('poster', ''))
password = xhtml_escape(self.get_argument('password', ''))
type = xhtml_escape(self.get_argument('syntax', 'other'))
content = xhtml_escape(self.get_argument('content', ''))
time = fmt_time()
Post.modify(id, title, poster, type, content, time, password)
self.redirect(url)
else:
self.redirect('/detail/' + str(id))
def format_email(email):
m = re.match(r"(.*) <(.*)>", email)
if m:
fmt = {
"name" : xhtml_escape(m.group(1)),
"mail" : xhtml_escape(m.group(2)),
}
else:
fmt = {
"name" : xhtml_escape(email),
"mail" : xhtml_escape(email),
}
return """<a class="email" href="mailto:%(mail)s">%(name)s</a>""" % fmt
def post(self):
if self.session['gnaflag'] <> '675':
raise tornado.web.HTTPError(404)
return
node_nName = unicode(xhtml_escape(self.get_argument('nName', '').strip()))
node_nUrl = clear2nbsp(xhtml_escape(self.get_argument('nUrl', '').strip().lower()))
node_nDes = unicode(xhtml_escape(self.get_argument('nDes', '').strip()))
node_nType = xhtml_escape(self.get_argument('nType', 'N'))
node_subhead = int(self.get_argument('subhead', '0'))
nid = int(self.get_argument('nid','0'))
if nid:
if node_nName and node_nUrl:
if node_nType == 'N':
if not node_subhead:
self.get_error('javascript:history.go(-1);','10',u'分类不能为空','toaza.com')
return
Node().node_admin_update(node_nName,node_nUrl,node_nDes,node_nType,node_subhead,nid)
self.logaw('admin',u'修改节点','0','0',nid,'0') #记录日志(type,des,aid,cid,nid,puid)
self.get_error('javascript:history.go(-2);','10',u'修改成功','toaza.com')
else:
self.get_error('javascript:history.go(-1);','10',u'名字和url不能为空','toaza.com')
return
else:
if node_nName and node_nUrl:
if node_nType == 'N':
if not node_subhead:
self.get_error('javascript:history.go(-1);','10',u'分类不能为空','toaza.com')
return
check_node_url = Node().find_by_nType_and_nUrl_and_nName('N',node_nUrl,node_nName)
if not check_node_url:
nodeid = Node().node_admin_new(node_nName,node_nUrl,node_nDes,node_nType,node_subhead)
self.logaw('admin',u'添加节点','0','0',nodeid,'0') #记录日志(type,des,aid,cid,nid,puid)
if nodeid:
if node_nType == 'N':
self.get_error('/zzginoa/nodes?op=index&nType=N','10',u'节点添加成功','toaza.com')
return
else:
self.get_error('/zzginoa/nodes?op=index&nType=C','10',u'分类添加成功','toaza.com')
return
else:
self.get_error('javascript:history.go(-1);','10',u'添加出错','toaza.com')
return
else:
self.get_error('javascript:history.go(-1);','10',u'节点名称、Url已经存在','toaza.com')
return
else:
self.get_error('javascript:history.go(-1);','10',u'名字、url不能为空','toaza.com')
return
def post(self, codeid):
title = xhtml_escape(self.get_argument("title"))
tep = self.get_argument("info")
code = xhtml_escape(self.get_argument("code"))
pswd = self.get_argument("password")
info = md.convert(tep)
codes = self.db.get("SELECT * FROM entries WHERE id = %s", int(codeid))
if checkuserpass(pswd, codes["password"]):
self.db.execute("""
UPDATE entries SET title = %s, info = %s, code = %s, markdown = %s
WHERE id = %s""", title, info, code, tep, int(codeid))
self.clear_cookie("codeid")
self.redirect("/" + str(codeid))
else:
self.redirect("/" + str(codeid))
def get(self):
show_code = self.get_argument("code", default=None)
reset_token = self.get_argument("t", default=None)
if config.level2_showcode and show_code:
with open(__file__) as code:
content = code.read()
self.write("<pre>" + xhtml_escape(content) + "</pre>")
elif reset_token:
mail, signature = get_token_components(reset_token)
if not validate_token(reset_token):
self.render("templates/error.html", message="Invalid data.")
elif mail == config.admin_email:
base_url = utils.get_cosmetic_url(self.request)
self.render("templates/success.html",
message=config.level2_message,
next_challenge=base_url + config.level3_link
)
else:
self.render("templates/error.html",
message="HoHo! You did trigger the password reset "
"function, but for the wrong user.")
else:
self.render("templates/level.html", level="Level 2",
show_code=config.level2_showcode)
def test_get(self):
self.mock_login_admin()
# check that error is raised for unknown barcode
response = self.get('/ag_edit_barcode/', {'barcode': 'unknown'})
self.assertEqual(response.code, 500)
# make sure return code 400 is returned, if barcode is not given
response = self.get('/ag_edit_barcode/', {})
self.assertEqual(response.code, 400)
# check if page is rendered properly
barcode = '000004216'
response = self.get('/ag_edit_barcode/', {'barcode': barcode})
self.assertEqual(response.code, 200)
self.assertIn('name="barcode" id="barcode" value="%s"' %
barcode, response.body)
self.assertIn('<option value="Stool" selected>Stool</option>',
response.body)
self.assertIn('2013-10-15', response.body)
hs = db.human_sites
hs.remove('Stool')
for s in hs:
self.assertIn('<option value="%s">%s</option>' %
(str(s), str(s)), response.body)
for e in db.general_sites:
self.assertIn('<option value="%s">%s</option>' %
(str(e), str(e)), response.body)
pname = xhtml_escape(
db.getAGBarcodeDetails(barcode)['participant_name'])
self.assertIn('<option value="%s" selected>%s</option>' %
(pname, pname), response.body)
def on_rename(self, command, data):
name = data.get('name')
if not name:
return
self.user_name = xhtml_escape(name)
command['data'] = self.user_as_dict
self.broadcast(self.clients, command)
def _gen_test_tag_resp(cls, request):
response = {}
if 'tests_tag' in Settings and Settings['tests_tag']['tag'] in request['tags']:
response['tag'] = Settings['tests_tag']['tag']
try:
api_url = Settings['tests_tag']['tag_api_endpoint'].replace('%SHA%', request['revision'])
api_body = Settings['tests_tag']['tag_api_body'].replace('%SHA%', request['revision'])
api_resp = urllib2.urlopen(api_url, api_body)
response['tag'] = xhtml_escape(json.loads(api_resp.read())['tag'])
except Exception as e:
response['tag'] += ": ERROR connecting to server"
logging.error(e)
response['url'] = ''
if 'url_api_endpoint' in Settings['tests_tag']:
try:
result_api_url = Settings['tests_tag']['url_api_endpoint'].replace('%SHA%', request['revision'])
result_api_url = result_api_url.replace('%BRANCH%', request['branch'])
result_api_body = Settings['tests_tag']['url_api_body'].replace('%SHA%', request['revision'])
result_api_body = result_api_body.replace('%BRANCH%', request['branch'])
resp = urllib2.urlopen(result_api_url, result_api_body)
result_id = url_escape(json.loads(resp.read())['id'])
if result_id != '':
response['url'] = Settings['tests_tag']['url_tmpl'].replace('%ID%', result_id).replace('%SHA%', request['revision'])
response['url'] = response['url'].replace('%BRANCH%', request['branch'])
except Exception as e:
logging.warning(e)
logging.warning("Couldn't load results for results test URL from %s with body %s" %
(
Settings['tests_tag']['url_api_endpoint'].replace('%SHA%', request['revision']),
Settings['tests_tag']['url_api_body'].replace('%SHA%', request['revision'])
)
)
return response
def douban_saying(self, callback, access_token=None, content=None, **args):
""" douban miniblog
Example usage::
class MainHandler(RequestHandler, DoubanMixin):
@authenticated
@asynchronous
def get(self):
self.douban_saying(
self.async_callback(self._on_saying),
access_token=user["access_token"],
content="test content"
)
def _on_saying(self, xml):
if not xml:
raise HTTPError(500, 'Douban saying failed')
self.write(xml)
self.finish()
"""
path = "/miniblog/saying"
if not access_token or not content:
raise
try:
content = content.encode('utf-8')
except UnicodeDecodeError:
pass
content = xhtml_escape(content)
post_args = '<entry><content>%s</content></entry>' % content
self.douban_request(path, callback, access_token, post_args, **args)
def write_line(self, data):
try:
logging.info("Returning to client: %s" % data.strip())
self.write_message(xhtml_escape(data.strip()) + "<br/>")
self.proc.stdout.read_until("\n", self.write_line)
except StreamClosedError:
logging.info("StreamClosedError")
def send_mandrill_message(template_name, template_params, subject, sender_name, sender_email, recipient_name, recipient_email):
'''Send a message via the Mandrill API.'''
message = {'to': [{'email': recipient_email, 'type': 'to'}]}
if template_name.strip() == 'share-to-recipient-web':
logging.info('ignoring share to recipient message')
return
if recipient_name:
message['to'][0]['name'] = recipient_name
# Mandrill templates allow setting defaults for subject, sender_name,
# and sender_email
if subject:
message['subject'] = subject
if sender_name:
message['from_name'] = sender_name
if sender_email:
message['from_email'] = sender_email
merge_vars = []
for key, value in template_params.iteritems():
merge_vars.append({'name': key, 'content': escape.xhtml_escape(value)});
message['global_merge_vars'] = merge_vars
mandrill_client = mandrill.Mandrill(options.options.mandrill_api_key)
result = mandrill_client.messages.send_template(template_name=template_name,
template_content=None, message=message, async=False)
return result
def test_xhtml_escape(self):
tests = [
("<foo>", "<foo>"),
(u"<foo>", u"<foo>"),
(b("<foo>"), b("<foo>")),
("<>&\"", "<>&""),
("&", "&amp;"),
]
for unescaped, escaped in tests:
self.assertEqual(utf8(xhtml_escape(unescaped)), utf8(escaped))
self.assertEqual(utf8(unescaped), utf8(xhtml_unescape(escaped)))
def get(self, share_key):
sharedfile = Sharedfile.get_by_share_key(share_key)
value = {
'title': escape.xhtml_escape(sharedfile.get_title()),
'title_raw': sharedfile.get_title()
}
# prevents IE from caching ajax requests.
self.set_header("Cache-Control", "no-store, no-cache, must-revalidate")
self.set_header("Pragma", "no-cache")
self.set_header("Expires", 0)
return self.write(escape.json_encode(value))
def escape_json(value):
"""递归将对象内部的所有字符串对象escape"""
if isinstance(value, dict):
return dict(
(escape_json(k), escape_json(v)) for k, v in value.iteritems())
elif isinstance(value, (list, tuple)):
return type(value)(escape_json(v) for v in value)
elif isinstance(value, (unicode, str)):
return xhtml_escape(value)
else:
return value
def async_call(self, function):
try:
kwargs = self.request.arguments
for arg, value in six.iteritems(kwargs):
if len(value) == 1:
kwargs[arg] = xhtml_escape(value[0])
elif isinstance(value, six.string_types):
kwargs[arg] = xhtml_escape(value)
elif isinstance(value, list):
kwargs[arg] = [xhtml_escape(v) for v in value]
else:
raise Exception
result = function(**kwargs)
return result
except OSError as e:
return Template("Looks like we do not have enough disk space to render the page! {error}").render_unicode(data=e.message)
except Exception:
logger.log('Failed doing webui callback: {0}'.format((traceback.format_exc())), logger.ERROR)
raise
def post(self):
previous_queries = get_previous_queries(self)
query = self.get_argument('query')
query.rstrip(';')
previous_queries = ([query] + previous_queries)[:5]
try:
rows = [list(row) for row in db.session.execute(query)]
except OperationalError, e:
self.render_json({'error': xhtml_escape(str(e))})
return
def render(self, path, sip=True, crossorigin="anonymous", **attrs):
url = self.handler.cdn_static_url(path)
if sip:
integrity = self.get_integrity(url)
if integrity and "integrity" not in attrs:
attrs["integrity"] = integrity
if "crossorigin" not in attrs:
attrs["crossorigin"] = crossorigin
if "src" not in attrs:
attrs["src"] = url
attr_strs = [
'%s="%s"' % (xhtml_escape(k), xhtml_escape(v))
for (k, v) in attrs.items()
]
return "<script %s></script>" % " ".join(attr_strs)
def index(self):
context = {}
user_id = safe_json_load(USER_ID_JSON_FILE, dict)
prefs = safe_json_load(PREFERENCES_JSON_FILE, dict)
with open(DEFAULT_ICON_TEMPLATE, 'r') as fh:
default_icon_template = squeeze(fh.read().replace("'", "\\'"))
with open(DEFAULT_SETTINGS_TEMPLATE, 'r') as fh:
default_settings_template = squeeze(fh.read().replace("'", "\\'"))
pbname = xhtml_escape(SESSION.host.pedalboard_name)
prname = SESSION.host.pedalpreset_name()
fullpbname = pbname or "Untitled"
if prname:
fullpbname += " - " + prname
context = {
'default_icon_template': default_icon_template,
'default_settings_template': default_settings_template,
'default_pedalboard': DEFAULT_PEDALBOARD,
'cloud_url': CLOUD_HTTP_ADDRESS,
'pedalboards_url': PEDALBOARDS_HTTP_ADDRESS,
'hardware_profile': b64encode(json.dumps(SESSION.get_hardware_actuators()).encode("utf-8")),
'version': self.get_argument('v'),
'lv2_plugin_dir': LV2_PLUGIN_DIR,
'bundlepath': SESSION.host.pedalboard_path,
'title': pbname,
'size': json.dumps(SESSION.host.pedalboard_size),
'fulltitle': fullpbname,
'titleblend': '' if SESSION.host.pedalboard_name else 'blend',
'using_app': 'true' if APP else 'false',
'using_mod': 'true' if DEVICE_KEY else 'false',
'user_name': xhtml_escape(user_id.get("name", "")),
'user_email': xhtml_escape(user_id.get("email", "")),
'favorites': json.dumps(gState.favorites),
'preferences': json.dumps(prefs),
}
return context
def test_get(self):
self.mock_login_admin()
response = self.get('/ag_new_kit/')
self.assertEqual(response.code, 200)
obs = response.body.decode('utf-8')
for project in db.getProjectNames():
self.assertIn(
"<option value='%s'>%s</option>" %
((xhtml_escape(project), ) * 2), obs)
self.assertIn(
"%i</span> unassigned barcodes" %
len(db.get_unassigned_barcodes()), obs)
def url_unescape_path(username, platform, course_name,
mapping_name, module_name, objective_name, skill_name, activity_name):
path = {}
path['username'] = escape.xhtml_escape(username)
path['platform'] = platform
path['course_name'] = course_name
path['mapping_name'] = escape.url_unescape(mapping_name)
path['module_name'] = escape.url_unescape(module_name)
path['objective_name'] = escape.url_unescape(objective_name)
path['skill_name'] = escape.url_unescape(skill_name)
path['activity_name'] = escape.url_unescape(activity_name)
return path
def post(self, *args, **kwargs):
user = self.get_argument('user')
content = self.get_argument('content')
if user and content :
loginuser = escape.xhtml_escape(self.current_user)
result = database.inset_to_mysql(user,content,loginuser,create_id=int(self.get_secure_cookie(name="userid")))
if not len(result):
self.render('complete.html')
else:
self.render('error.html')
else:
self.render('error.html')
def block_code(self, text, lang):
if lang:
lexer = get_lexer_by_name(lang, stripall=True)
else:
return '\n<pre><code>%s</code></pre>\n' % xhtml_escape(
text.strip())
formatter = HtmlFormatter(
noclasses=False,
linenos=True,
)
return highlight(text, lexer, formatter)
def get(self, shake_name):
shake = Shake.get("name=%s and deleted=0", shake_name)
if not shake:
raise tornado.web.HTTPError(404)
value = {
'title':
escape.xhtml_escape(shake.title) if shake.title else '',
'title_raw':
shake.title if shake.title else '',
'description':
escape.xhtml_escape(shake.description)
if shake.description else '',
'description_raw':
shake.description if shake.description else ''
}
# prevents IE from caching ajax requests.
self.set_header("Cache-Control", "no-store, no-cache, must-revalidate")
self.set_header("Pragma", "no-cache")
self.set_header("Expires", 0)
return self.write(escape.json_encode(value))
def _FormatResult(self, user):
email = escape.url_escape(user.email) if user.email else '-'
user_url = '<a href="/admin/staging_users?user_id=%d&user_email=%s">{0}</a>' % (
user.user_id, email)
return [
user_url.format(escape.utf8(escape.xhtml_escape(item)))
for item in [
user.name or '-', email,
str(user.user_id),
str(list(user.labels.combine()))
]
]
async def core_proxy(self, port, path):
if self.origin_host is None:
# Get origin from this request
self.store_origin_host()
if not path.startswith('/'):
path = '/' + path
if self.mappath:
if callable(self.mappath):
raise Exception(
"Not implemented: path = call_with_asked_args(self.mappath, {'path': path})"
)
else:
path = self.mappath.get(path, path)
if self.gitwrapper:
if not self.gitwrapper.finished:
self.set_status(200)
return self.write(self.gitpulling_template)
elif self.gitwrapper.error:
from tornado.escape import xhtml_escape
html = self.error_template.format(
cmd=xhtml_escape(" ".join(self.get_cmd())),
stderr=xhtml_escape("\n".join(self.gitwrapper.logs)),
stdout='')
self.set_status(500)
return self.write(html)
if not await self.ensure_process():
from tornado.escape import xhtml_escape
html = self.error_template.format(
cmd=xhtml_escape(" ".join(self.get_cmd())),
stderr=xhtml_escape(self.stderr_str or 'None'),
stdout=xhtml_escape(self.stdout_str or 'None'))
self.set_status(500)
return self.write(html)
return await super().proxy(self.port, path)
def post_argv(self, post= None):
if post:
#####
if 'picture' in post['post']['content']:
content = template.Template('<img src="{{ picture }}">').generate(picture=post['post']['content']['picture']).decode("utf-8")
elif 'video' in post['post']['content']:
content = template.Template('<div class="video" link="{{ video }}"></div>').generate(video=post['post']['content']['video']).decode("utf-8")
else:
content = ""
#####
if 'type' in post and post['type'] == 'private':
warning = "Bài viết đang được chờ kiểm duyệt, bạn thông cảm nhé :)"
else:
warning = ""
#####
if 'note' in post['post']['content']:
# old version
argv = {
"id" : str(post['_id']),
"content" : content,
"note" : escape.xhtml_escape(post['post']['content']['note']),
"link" : "%s://%s/%s/%s/%s/%s.html" % (self.site.request.protocol, self.site.request.host, self.site.db_site['name'], self.site.db_page['name'], post['_id'], function.seo_encode(post['post']['title'])),
"title" : escape.xhtml_escape(post['post']['title']),
"source" : escape.xhtml_escape(post['post']['content']['source']),
"time" : post['time'],
"user.name" : post['user']['first_name'] + ' ' + post['user']['last_name'],
"user.picture" : post['user']['picture'],
"warning" : warning,
"banner" : ''
}
else:
# newversion
argv = {
"id" : str(post['_id']),
"content" : content,
"note" : escape.xhtml_escape(post['post']['note']),
"link" : "%s://%s/%s/%s/%s/%s.html" % (self.site.request.protocol, self.site.request.host, self.site.db_site['name'], self.site.db_page['name'], post['_id'], function.seo_encode(post['post']['title'])),
"title" : escape.xhtml_escape(post['post']['title']),
"source" : escape.xhtml_escape(post['post']['source']),
"time" : post['time'],
"user.name" : post['user']['first_name'] + ' ' + post['user']['last_name'],
"user.picture" : post['user']['picture'],
"warning" : warning,
"banner" : "banner" if 'banner' in post['post'] and post['post']['banner'] else '',
}
else:
argv = {
"id" : '{{ id }}',
"content" : '{{ content }}',
"note" : '{{ note }}',
"link" : '{{ link }}',
"title" : '{{ title }}',
"source" : '{{ source }}',
"time" : '{{ time }}',
"user.name" : '{{ user.name }}',
"user.picture" : '{{ user.picture }}',
"warning" : '{{ warning }}',
"banner" : '{{ banner }}',
}
return argv
def render(self, path, sip=True, crossorigin="anonymous", **attrs):
url = self.handler.cdn_static_url(path)
if sip:
integrity = self.get_integrity(url)
if integrity and "integrity" not in attrs:
attrs["integrity"] = integrity
if "crossorigin" not in attrs:
attrs["crossorigin"] = crossorigin
if "rel" not in attrs:
attrs["rel"] = "stylesheet"
if "href" not in attrs:
attrs["href"] = url
attr_strs = [
'%s="%s"' % (xhtml_escape(k), xhtml_escape(v))
for (k, v) in attrs.items()
]
return "<link %s />" % " ".join(attr_strs)
def test_get(self):
self.mock_login()
response = self.get('/projects/summary/')
self.assertEqual(response.code, 200)
obs = response.body.decode('utf-8')
# check that correct information is printed on HTML page.
for project_name in db.getProjectNames():
num_barcodes = len(db.get_barcodes_for_projects([project_name]))
self.assertIn('<tr><td>%s</td>' % xhtml_escape(project_name),
obs)
self.assertIn('<td>%s</td></tr>' % num_barcodes, obs)
def post(self):
users = Users()
sorting = escape.xhtml_escape(self.get_argument('jtSorting', ''))
sortby = None
sortway = None
if sorting:
sortby, sortway = sorting.split()
records = users.get_students(sortby, sortway)
if records:
self.write(jtable_reply(True, records))
else:
self.write(jtable_reply(False))
def test_xhtml_escape(self):
tests = [
("<foo>", "<foo>"),
(u"<foo>", u"<foo>"),
(b"<foo>", b"<foo>"),
("<>&\"'", "<>&"'"),
("&", "&amp;"),
(u"<\u00e9>", u"<\u00e9>"),
(b"<\xc3\xa9>", b"<\xc3\xa9>"),
]
for unescaped, escaped in tests:
self.assertEqual(utf8(xhtml_escape(unescaped)), utf8(escaped))
self.assertEqual(utf8(unescaped), utf8(xhtml_unescape(escaped)))
def get_thumbs(raw, secure=False):
# Don't forget about escaping
text = xhtml_escape(raw)
thumbs = []
for match in _URL_RE.finditer(text):
url = match.group(1)
for regexp, handler, _ in linkshit_format.linkhostings:
m = regexp.match(url)
if m:
thumb = handler(m.group, 's' if secure else '')
thumbs.append((url, thumb))
break
return thumbs
def get(self):
current_user = self.get_current_user_object()
group_shakes = current_user.shakes(include_managed=True)
response = {'result': []}
for shake in group_shakes:
response['result'].append({
'id':
shake.id,
'name':
xhtml_escape(shake.display_name(current_user))
})
return self.write(response)
def async_call(self, function):
try:
# TODO: Make all routes use get_argument so we can take advantage of tornado's argument sanitization, separate post and get, and get rid of this
# nonsense loop so we can just yield the method directly
# raise Exception('Raising from async_call')
kwargs = self.request.arguments
for arg, value in kwargs.items():
if len(value) == 1:
kwargs[arg] = xhtml_escape(value[0])
elif isinstance(value, str):
kwargs[arg] = xhtml_escape(value)
elif isinstance(value, list):
kwargs[arg] = [xhtml_escape(v) for v in value]
else:
raise Exception
return function(**kwargs)
except TypeError:
return function()
except Exception as error:
return WebRoot(application=self.application,
request=self.request).print_traceback(
error=error, **self.request.arguments)
def make_content(text, extra_params='rel="nofollow"'):
"""https://github.com/facebook/tornado/blob/master/tornado/escape.py#L238
"""
if extra_params:
extra_params = " " + extra_params.strip()
def make_link(m):
url = m.group(1)
proto = m.group(2)
href = m.group(1)
if not proto:
href = "http://" + href # no proto specified, use http
params = extra_params
if '.' in href:
name_extension = href.split('.')[-1].lower()
if name_extension in ('jpg', 'png', 'git', 'jpeg'):
return u'<img src="%s" />' % href
return u'<a href="%s"%s>%s</a>' % (href, params, url)
def cover_email(m):
data = {'mail': m.group(1),
'end': m.group(2)}
return u'<a href="mailto:%(mail)s">%(mail)s</a>%(end)s' % data
def convert_mention(m):
data = {}
data['begin'], data['user'] = m.group(1).split('@')
t = u'%(begin)s<a href="/member/%(user)s" class="mention">' \
u'@%(user)s</a>'
return t % data
def highligt(m):
try:
name = m.group(1)
lexer = get_lexer_by_name(name)
except ValueError:
lexer = TextLexer()
text = m.group(2).replace('"', '"').replace('&', '&')
text = text.replace('<', '<').replace('>', '>')
text = text.replace(' ', ' ')
return highlight(text, lexer, formatter)
text = _unicode(xhtml_escape(text)).replace(' ', ' ')
text = _CODE_RE.sub(highligt, text).replace('\n', '<br />')
text = _EMAIL_RE.sub(cover_email, text)
text = _MENTION_RE.sub(convert_mention, text)
return _URL_RE.sub(make_link, text)
def string_escape(value):
r"""Escapes the <,>, ", 'and & characters of a string, when adding an interactable object such as a list,
a dictionary, tuples and a set it cycles through the values in search of strings recursively, remembering
that objects of the type tuple and set will be converted to lists.
:param value: string, dict, list, tuple or set.
Example:
>>> from phanterpwa.tools import string_escape
>>> string_escape("<div>the content<\div>")
'<div>the content<\div>'
>>> result = string_escape({
"one": "<div style='test'>one</div>",
"two": ["<div>two</div>"],
"three": ("<div>three</div>", ),
"four": {"<div>four</div>"},
"five": {
"five_one": ["<br>", ("<input>", "<hr>"), {"<a href='link'></a>"}]
}
})
>>> result["one"]
'<div style='test'>one</div>'
>>> result["two"]
'["<div>two</div>"]'
>>> result["three"]
'["<div>three</div>"]'
>>> result["four"]
'['<div>four</div>']'
>>> result["five"]["five_one"]
'["<br>", ["<input>", "<hr>"], ["<a href='link'></a>"]]'
"""
if isinstance(value, str):
return escape.xhtml_escape(value)
elif isinstance(value, (list, tuple, set)):
new_list = []
for x in value:
new_list.append(string_escape(x))
return new_list
elif isinstance(value, dict):
new_dict = {}
for x in value.keys():
new_dict[x] = string_escape(value[x])
return new_dict
elif isinstance(value, datetime):
return value.isoformat(" ", "seconds")
elif isinstance(value, date):
return value.isoformat()
else:
return value
def post(self):
result = {"status": False}
try:
username = xhtml_escape(self.get_argument("username"))
password = xhtml_escape(self.get_argument("password"))
realname = xhtml_escape(self.get_argument("realname"))
lastrowid = User().add(username, password, realname)
if lastrowid > 0:
result["status"] = True
result["message"] = "添加成功"
elif lastrowid == 0:
result["message"] = "添加失败"
elif lastrowid == -1:
result["message"] = "用户名存在"
else:
# unexcept
result["message"] = "情况未知"
pass
except Exception as e:
print e
result["message"] = "添加用户异常"
self.write(json.dumps(result))
self.finish()
def rendernote(self, note):
if isinstance(note, Exception):
note = note.__str__()
if note:
html = """
<div id="flashbar" style="display:none">
<script type="text/javascript">
document.getElementById('flashbar').style.display = 'none';
</script>
<span>%s</span>
</div>"""
return html % xhtml_escape(__(note))
return ""
def format_text(self, raw_text):
"""
@ raw_text: 未经任何处理的文本
@ return: 经过xhtml_escape,和支持空白换行等多种操作后的html代码
"""
rules = {" ": " ", "\n": "<br />"}
x_text = xhtml_escape(raw_text)
out_text = ""
for c in x_text:
if c in rules:
out_text += rules[c]
else:
out_text += c
return out_text
def test_get_overview_animal(self):
# Test with animal login id
ag_login_id = 'd8592c74-8710-2135-e040-8a80115d6401'
self.mock_login(ag_data.ut_get_supplied_kit_id(ag_login_id))
response = self.get('/authed/add_sample_overview/')
self.assertEqual(response.code, 200)
self.assertTrue(
response.effective_url.endswith('/authed/add_sample_overview/'))
# Check for some main text
names = ag_data.ut_get_participant_names_from_ag_login_id(ag_login_id)
self.assertIn('sample source', response.body)
for name in names:
self.assertIn(escape.xhtml_escape(name), response.body)
self.assertIn('Environmental', response.body)
def test_get_ag_details(self):
self.mock_login_admin()
# test if AGP data are rendered correctly
barcode = '000029153'
response = self.get('/barcode_util/', {'barcode': barcode})
self.assertEqual(response.code, 200)
self.assertIn('<h2>%s Details</h2>' % 'American Gut', response.body)
ag_details = db.getAGBarcodeDetails(barcode)
self.assertIn(
'<tr><td>Sample Date</td><td>%s</td></tr>' %
ag_details['sample_date'], response.body)
self.assertIn(
'<tr><td>Sample Time</td><td>%s</td></tr>' %
ag_details['sample_time'], response.body)
self.assertIn(
'<tr><td>Sample Site</td><td>%s</td></tr>' %
ag_details['site_sampled'], response.body)
self.assertIn(
'<label for="moldy"> moldy (current: %s) </label> <br />' %
ag_details['moldy'], response.body)
self.assertIn(('<label for="overloaded"> overloaded (current: %s) '
'</label> <br />') % ag_details['overloaded'],
response.body)
self.assertIn(('<label for="other"> other (current: %s) '
'</label> <br />') % ag_details['other'], response.body)
self.assertIn(
('<textarea name="other_text" onclick="this.select()'
'">%s</textarea>') % xhtml_escape(ag_details['other_text']),
response.body)
self.assertIn(
('<label for="send_mail" style="display:block;">send kit'
' owner %s (%s) an email </label>') % (xhtml_escape(
ag_details['name']), xhtml_escape(ag_details['email'])),
response.body)
def safe_markdown(text, noclasses=False):
text = escape.xhtml_escape(text)
# get link back
def make_link(m):
link = m.group(1)
title = link.replace('http://', '').replace('https://', '')
if len(title) > 30:
title = title[:20] + '...'
if link.startswith('http://') or link.startswith('https://'):
return '<a href="%s" rel="nofollow">%s</a>' % (link, title)
return '<a href="http://%s" rel="nofollow">%s</a>' % (link, title)
# http://daringfireball.net/2010/07/improved_regex_for_matching_urls
pattern = re.compile(
r'(?m)^((?:https?://|www\d{0,3}[.]|[a-z0-9.\-]+[.][a-z]{2,4}'
r'/)(?:[^\s()<>]+|\(([^\s()<>]+|(\([^\s()<>]+\)))*\))+(?:\(([^\s()<>]+'
r'|(\([^\s()<>]+\)))*\)|[^\s`!()\[\]{};:\'".,<>?«»“”‘’]))')
text = pattern.sub(make_link, text)
pattern = re.compile(
r'(?i)(?:<)((?:https?://|www\d{0,3}[.]|[a-z0-9.\-]+[.][a-z]{2,4}'
r'/)(?:[^\s()<>]+|\(([^\s()<>]+|(\([^\s()<>]+\)))*\))+(?:\(([^\s()<>]+'
r'|(\([^\s()<>]+\)))*\)|[^\s`!()\[\]{};:\'".,<>?«»“”‘’]))(?:>)')
text = pattern.sub(make_link, text)
pattern = re.compile(r'^```(\w+)(?:\n|\r\n|\r)(.*?)(?:\n|\r\n|\r)```',
re.S | re.M)
formatter = HtmlFormatter(noclasses=noclasses)
def repl(m):
try:
name = m.group(1)
lexer = get_lexer_by_name(name)
except ValueError:
name = 'text'
lexer = TextLexer()
text = m.group(2).replace('"', '"').replace('&', '&')
text = text.replace('<', '<').replace('>', '>')
#text = m.group(2)
code = highlight(text, lexer, formatter)
code = code.replace('\n\n', '\n \n').replace('\n', '<br />')
return '\n\n<div class="code">%s</div>\n\n' % code
text = pattern.sub(repl, text)
pattern = re.compile(r'@(\w+)\s')
text = pattern.sub(r'<a href="/member/\1">@\1</a> ', text)
return emoji(markdown.markdown(text))
