Example #1
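 def format_comments(self, comments):
     """
     Render a list of comments as an HTML fragment.

     Each ``comment`` is a mapping with ``homepage``, ``name``, ``time``
     (a struct_time, as ``time.strftime`` expects) and ``comments`` (the
     body).  Returns ``''`` when there are no comments.

     ``name``, ``homepage`` and the body are user-submitted, so all three
     are escaped before being placed in the markup; the body used to be
     appended raw, which allowed stored XSS.  ``homepage`` is escaped for
     the attribute context only and is not validated as a URL, so a
     non-http scheme still yields a clickable link -- restrict the scheme
     at submission time if that matters for this deployment.
     """
     if not comments:
         return ''
     text = [
         '<hr>',
         '<h2><a name="comment-area"></a>Comments (%s):</h2>' % len(comments),
     ]
     for comment in comments:
         text.append('<h3><a href="%s">%s</a> at %s:</h3>' % (
             html_escape(comment['homepage']), html_escape(comment['name']),
             time.strftime('%c', comment['time'])))
         text.append(html_escape(comment['comments']))
     return ''.join(text)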
Example #2
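 def format_comments(self, comments):
     """
     Render a list of comments as an HTML fragment.

     Each ``comment`` is a mapping with ``homepage``, ``name``, ``time``
     (a struct_time, as ``time.strftime`` expects) and ``comments`` (the
     body).  Returns ``''`` when there are no comments.

     ``name``, ``homepage`` and the body are user-submitted, so all three
     are escaped before being placed in the markup; the body used to be
     appended raw, which allowed stored XSS.  ``homepage`` is escaped for
     the attribute context only and is not validated as a URL, so a
     non-http scheme still yields a clickable link -- restrict the scheme
     at submission time if that matters for this deployment.
     """
     if not comments:
         return ''
     text = [
         '<hr>',
         '<h2><a name="comment-area"></a>Comments (%s):</h2>' % len(comments),
     ]
     for comment in comments:
         text.append('<h3><a href="%s">%s</a> at %s:</h3>' % (
             html_escape(comment['homepage']), html_escape(comment['name']),
             time.strftime('%c', comment['time'])))
         text.append(html_escape(comment['comments']))
     return ''.join(text)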
Example #3
def test_html_escape():
    """Check ``html_escape`` over each kind of input it has to handle."""
    cases = [
        # Unsafe characters are replaced by named entities.
        ('these chars: < > & "', 'these chars: &lt; &gt; &amp; &quot;'),
        (' ', ' '),
        ('&egrave;', '&amp;egrave;'),
        # The apostrophe is *not* escaped, which some might consider to be
        # a serious bug (see, e.g. http://www.cvedetails.com/cve/CVE-2010-2480/).
        # The case is kept here, disabled, to document that behaviour:
        #("'", "&#39;")

        # Non-ASCII unicode text becomes numeric character references ...
        (u'the majestic m\xf8ose', 'the majestic m&#248;ose'),
        (u'\xe9', '&#233;'),
        # ... while 8-bit (already encoded) strings are passed through as-is.
        (u'the majestic m\xf8ose'.encode('utf-8'), 'the majestic m\xc3\xb8ose'),

        # ``None`` is treated specially, and returns the empty string.
        (None, ''),

        # Objects that define a ``__html__`` method handle their own escaping.
        (t_esc_HTML(), '<div>hello</div>'),

        # Things that are not strings are converted to strings and then escaped.
        (42, '42'),
        (Exception("expected a '<'."), "expected a '&lt;'."),

        # If an object implements both ``__str__`` and ``__unicode__``, the
        # latter is preferred.
        (t_esc_SuperMoose(), 'm&#248;ose'),
        (t_esc_Unicode(), '&#233;'),
        (t_esc_UnsafeAttrs(), '&lt;UnsafeAttrs&gt;'),
    ]
    for value, expected in cases:
        eq(html_escape(value), expected)
Example #4
def test_html_escape():
    """Check ``html_escape`` over each kind of input it has to handle."""
    cases = [
        # Unsafe characters are replaced by named entities.
        ('these chars: < > & "', 'these chars: &lt; &gt; &amp; &quot;'),
        (' ', ' '),
        ('&egrave;', '&amp;egrave;'),
        # The apostrophe is *not* escaped, which some might consider to be
        # a serious bug (see, e.g. http://www.cvedetails.com/cve/CVE-2010-2480/).
        # The case is kept here, disabled, to document that behaviour:
        #("'", "&#39;")

        # Non-ASCII unicode text becomes numeric character references ...
        (u'the majestic m\xf8ose', 'the majestic m&#248;ose'),
        (u'\xe9', '&#233;'),
        # ... while 8-bit (already encoded) strings are passed through as-is.
        (u'the majestic m\xf8ose'.encode('utf-8'), 'the majestic m\xc3\xb8ose'),

        # ``None`` is treated specially, and returns the empty string.
        (None, ''),

        # Objects that define a ``__html__`` method handle their own escaping.
        (t_esc_HTML(), '<div>hello</div>'),

        # Things that are not strings are converted to strings and then escaped.
        (42, '42'),
        (Exception("expected a '<'."), "expected a '&lt;'."),

        # If an object implements both ``__str__`` and ``__unicode__``, the
        # latter is preferred.
        (t_esc_SuperMoose(), 'm&#248;ose'),
        (t_esc_Unicode(), '&#233;'),
        (t_esc_UnsafeAttrs(), '&lt;UnsafeAttrs&gt;'),
    ]
    for value, expected in cases:
        eq(html_escape(value), expected)
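 def login(self, req):
     """
     The login form.

     GET renders ``login.html``; POST checks the submitted credentials and,
     on success, sets the ``__devauth`` cookie and redirects to ``back``.
     Requests from an IP that ``check_ip`` rejects get ``ip_denied.html``
     with a 403.

     ``back`` and ``msg`` both come from the query string.  ``back`` is
     only followed when it stays on this application (see
     ``_safe_back_url``), otherwise the login page is an open redirect.
     ``msg`` is handed to the template as-is; the 'expired' message
     carries markup, so the template is presumably rendering ``msg`` as
     HTML -- confirm that ``login.html`` does not render other ``msg``
     values unescaped.
     """
     if not self.check_ip(req):
         template = HTMLTemplate.from_filename(os.path.join(os.path.dirname(__file__), 'ip_denied.html'))
         return Response(template.substitute(req=req), status='403 Forbidden')
     back = self._safe_back_url(req)
     if req.method == 'POST':
         # A missing field is treated like a wrong credential rather than
         # surfacing as a KeyError (500).
         username = req.str_POST.get('username')
         password = req.str_POST.get('password')
         if not self.check_login(username, password):
             msg = 'Invalid username or password'
         else:
             resp = exc.HTTPFound(location=back)
             resp.set_cookie('__devauth', self.create_cookie(req, username))
             return resp
     else:
         msg = req.params.get('msg')
     if msg == 'expired':
         msg = 'Your session has expired.  You can log in again, or just <a href="%s">return to your previous page</a>' % (
             html_escape(back))
     template = HTMLTemplate.from_filename(os.path.join(os.path.dirname(__file__), 'login.html'))
     resp = Response(template.substitute(req=req, msg=msg, back=back, middleware=self))
     try:
         if req.cookies.get('__devauth'):
             self.read_cookie(req, req.str_cookies['__devauth'])
     except exc.HTTPException:
         # This means the cookie is invalid
         resp.delete_cookie('__devauth')
     return resp

 def _safe_back_url(self, req):
     """
     Return the ``back`` request parameter if it points at this
     application, else ``req.application_url``.

     Accepted values are ``req.application_url`` itself, a URL below it
     (``<application_url>/...`` or ``<application_url>?...`` -- a bare
     prefix match would also accept ``<application_url>.other-host``),
     or a path-only URL with a single leading ``/``.  ``//host`` and
     ``/\\host`` are treated as scheme-relative by browsers and are
     rejected.
     """
     back = req.params.get('back')
     app_url = req.application_url
     if not back:
         return app_url
     if back == app_url or back.startswith((app_url + '/', app_url + '?')):
         return back
     if back.startswith('/') and back[1:2] not in ('/', '\\'):
         return back
     return app_url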
Example #6
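 def format_comments(self, comments):
     """
     Render a list of comments as an HTML fragment.

     Each ``comment`` is a mapping with ``homepage``, ``name``, ``time``
     (a struct_time, as ``time.strftime`` expects) and ``comments`` (the
     body).  Returns ``""`` when there are no comments.

     ``name``, ``homepage`` and the body are user-submitted, so all three
     are escaped before being placed in the markup; the body used to be
     appended raw, which allowed stored XSS.  ``homepage`` is escaped for
     the attribute context only and is not validated as a URL, so a
     non-http scheme still yields a clickable link -- restrict the scheme
     at submission time if that matters for this deployment.
     """
     if not comments:
         return ""
     text = [
         "<hr>",
         '<h2><a name="comment-area"></a>Comments (%s):</h2>' % len(comments),
     ]
     for comment in comments:
         text.append('<h3><a href="%s">%s</a> at %s:</h3>' % (
             html_escape(comment["homepage"]),
             html_escape(comment["name"]),
             time.strftime("%c", comment["time"]),
         ))
         text.append(html_escape(comment["comments"]))
     return "".join(text)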
Example #7
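    def format_comments(self, comments):
        """
        Render a list of comments as an HTML fragment.

        Each ``comment`` is a mapping with ``homepage``, ``name``, ``time``
        (a struct_time, as ``time.strftime`` expects) and ``comments`` (the
        body).  Returns ``""`` when there are no comments.

        ``name``, ``homepage`` and the body are user-submitted, so all three
        are escaped before being placed in the markup; the body used to be
        appended raw, which allowed stored XSS.  ``homepage`` is escaped for
        the attribute context only and is not validated as a URL, so a
        non-http scheme still yields a clickable link -- restrict the scheme
        at submission time if that matters for this deployment.
        """
        import time
        from webob import html_escape

        if not comments:
            return ""
        text = [
            "<hr>",
            '<h2><a name="comment-area"></a>Comments (%s):</h2>' % len(comments),
        ]
        for comment in comments:
            text.append(
                '<h3><a href="%s">%s</a> at %s:</h3>'
                % (html_escape(comment["homepage"]), html_escape(comment["name"]), time.strftime("%c", comment["time"]))
            )
            text.append(html_escape(comment["comments"]))
        return "".join(text)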
Example #8
 def submit_form(self, base_path, req):
     """
     Return the HTML for the "leave a comment" form.

     The form posts to ``<base_path>/.comments`` and carries the current
     page URL in a hidden ``url`` field.  ``req.url`` is escaped for the
     attribute context; ``base_path`` is interpolated as-is, so it is
     assumed to be an application-configured mount path rather than
     request data -- confirm at the call site.
     """
     form = '''<h2>Leave a comment:</h2>
     <form action="%s/.comments" method="POST">
      <input type="hidden" name="url" value="%s">
      <table width="100%%">
       <tr><td>Name:</td>
           <td><input type="text" name="name" style="width: 100%%"></td></tr>
       <tr><td>URL:</td>
           <td><input type="text" name="homepage" style="width: 100%%"></td></tr>
      </table>
      Comments:<br>
      <textarea name="comments" rows=10 style="width: 100%%"></textarea><br>
      <input type="submit" value="Submit comment">
     </form>
     '''
     page_url = html_escape(req.url)
     return form % (base_path, page_url)
Example #9
 def submit_form(self, base_path, req):
     """
     Return the HTML for the "leave a comment" form.

     The form posts to ``<base_path>/.comments`` and carries the current
     page URL in a hidden ``url`` field.  ``req.url`` is escaped for the
     attribute context; ``base_path`` is interpolated as-is, so it is
     assumed to be an application-configured mount path rather than
     request data -- confirm at the call site.
     """
     form = '''<h2>Leave a comment:</h2>
     <form action="%s/.comments" method="POST">
      <input type="hidden" name="url" value="%s">
      <table width="100%%">
       <tr><td>Name:</td>
           <td><input type="text" name="name" style="width: 100%%"></td></tr>
       <tr><td>URL:</td>
           <td><input type="text" name="homepage" style="width: 100%%"></td></tr>
      </table>
      Comments:<br>
      <textarea name="comments" rows=10 style="width: 100%%"></textarea><br>
      <input type="submit" value="Submit comment">
     </form>
     '''
     page_url = html_escape(req.url)
     return form % (base_path, page_url)
Example #10
 def __pfce(self, obj):
     """
     Pretty-print ``obj`` and HTML-escape the result so it can be embedded
     in markup (``pformat`` output of arbitrary objects may contain ``<``,
     ``>`` or ``&``).
     """
     pretty = pformat(obj)
     return html_escape(str(pretty))