def _upload_file(request):
"""
Upload file to the server.
"""
if request.method == "POST":
folder = request.POST.get("folder")
fb_uploadurl_re = re.compile(r"^.*(%s)" % reverse("fb_upload"))
folder = fb_uploadurl_re.sub("", folder)
if "." in folder:
return HttpResponseBadRequest("")
if request.FILES:
filedata = request.FILES["Filedata"]
directory = get_directory()
# Validate file against EXTENSIONS setting.
if not get_file_type(filedata.name):
return HttpResponseBadRequest("")
# PRE UPLOAD SIGNAL
filebrowser_pre_upload.send(
sender=request, path=request.POST.get("folder"), file=filedata
)
# Try and remove both original and normalised thumb names,
# in case files were added programmatically outside FB.
file_path = os.path.join(directory, folder, filedata.name)
remove_thumbnails(file_path)
filedata.name = convert_filename(filedata.name)
file_path = os.path.join(directory, folder, filedata.name)
remove_thumbnails(file_path)
if (
"." in file_path
and file_path.split(".")[-1].lower() in fb_settings.ESCAPED_EXTENSIONS
):
filedata = ContentFile(escape(filedata.read()), name=filedata.name)
# HANDLE UPLOAD
uploadedfile = default_storage.save(file_path, filedata)
if default_storage.exists(file_path) and file_path != uploadedfile:
default_storage.move(
smart_text(uploadedfile),
smart_text(file_path),
allow_overwrite=True,
)
# POST UPLOAD SIGNAL
filebrowser_post_upload.send(
sender=request,
path=request.POST.get("folder"),
file=FileObject(smart_text(file_path)),
)
get_params = request.POST.get("get_params")
if get_params:
return HttpResponseRedirect(reverse("fb_browse") + get_params)
return HttpResponse("True")
def _upload_file(request):
"""
Upload file to the server.
"""
if request.method == 'POST':
folder = request.POST.get('folder')
fb_uploadurl_re = re.compile(r'^.*(%s)' % reverse("fb_upload"))
folder = fb_uploadurl_re.sub('', folder)
if ".." in folder:
return HttpResponseBadRequest("")
if request.FILES:
filedata = request.FILES['Filedata']
directory = get_directory()
# Validate file against EXTENSIONS setting.
if not get_file_type(filedata.name):
return HttpResponseBadRequest("")
# PRE UPLOAD SIGNAL
filebrowser_pre_upload.send(sender=request,
path=request.POST.get('folder'),
file=filedata)
# Try and remove both original and normalised thumb names,
# in case files were added programmatically outside FB.
file_path = os.path.join(directory, folder, filedata.name)
remove_thumbnails(file_path)
filedata.name = convert_filename(filedata.name)
# this won't work with windows and s3 - replace the "\"
file_path = os.path.join(directory, folder,
filedata.name).replace("\\", "/")
remove_thumbnails(file_path)
if "." in file_path and file_path.split(
".")[-1].lower() in ESCAPED_EXTENSIONS:
filedata = ContentFile(escape(filedata.read()),
name=filedata.name)
# HANDLE UPLOAD
uploadedfile = default_storage.save(file_path, filedata)
if default_storage.exists(file_path) and file_path != uploadedfile:
default_storage.move(smart_text(uploadedfile),
smart_text(file_path),
allow_overwrite=True)
# POST UPLOAD SIGNAL
filebrowser_post_upload.send(sender=request,
path=request.POST.get('folder'),
file=FileObject(
smart_text(file_path)))
get_params = request.POST.get('get_params')
if get_params:
return HttpResponseRedirect(reverse('fb_browse') + get_params)
return HttpResponse('True')
def _clean(html):
if settings.PAGEDOWN_USE_MEZZANINE_HTML_ESCAPE:
return escape(html)
tags = settings.RICHTEXT_ALLOWED_TAGS
attrs = settings.RICHTEXT_ALLOWED_ATTRIBUTES
styles = settings.RICHTEXT_ALLOWED_STYLES
if LooseVersion('2.0') <= LooseVersion(bleach.__version__) and isinstance(attrs, tuple):
attrs = list(attrs)
return clean(html, tags=tags, attributes=attrs, strip=True,
strip_comments=False, styles=styles)
def _clean(html):
if settings.PAGEDOWN_USE_MEZZANINE_HTML_ESCAPE:
return escape(html)
tags = settings.RICHTEXT_ALLOWED_TAGS
attrs = settings.RICHTEXT_ALLOWED_ATTRIBUTES
styles = settings.RICHTEXT_ALLOWED_STYLES
if LooseVersion('2.0') <= LooseVersion(bleach.__version__) and isinstance(
attrs, tuple):
attrs = list(attrs)
return clean(html,
tags=tags,
attributes=attrs,
strip=True,
strip_comments=False,
styles=styles)
def _upload_file(request):
"""
Upload file to the server.
"""
if request.method == "POST":
folder = request.POST.get("folder")
fb_uploadurl_re = re.compile(r"^.*(%s)" % reverse("fb_upload"))
folder = fb_uploadurl_re.sub("", folder)
if "." in folder:
return HttpResponseBadRequest("")
if request.FILES:
filedata = request.FILES["Filedata"]
directory = get_directory()
# Validate file against EXTENSIONS setting.
if not get_file_type(filedata.name):
return HttpResponseBadRequest("")
# PRE UPLOAD SIGNAL
filebrowser_pre_upload.send(sender=request, path=request.POST.get("folder"), file=filedata)
# Try and remove both original and normalised thumb names,
# in case files were added programmatically outside FB.
file_path = os.path.join(directory, folder, filedata.name)
remove_thumbnails(file_path)
filedata.name = convert_filename(filedata.name)
file_path = os.path.join(directory, folder, filedata.name)
remove_thumbnails(file_path)
if "." in file_path and file_path.split(".")[-1].lower() in ESCAPED_EXTENSIONS:
filedata = ContentFile(escape(filedata.read()), name=filedata.name)
# HANDLE UPLOAD
uploadedfile = default_storage.save(file_path, filedata)
if default_storage.exists(file_path) and file_path != uploadedfile:
default_storage.move(smart_text(uploadedfile), smart_text(file_path), allow_overwrite=True)
# POST UPLOAD SIGNAL
filebrowser_post_upload.send(
sender=request, path=request.POST.get("folder"), file=FileObject(smart_text(file_path))
)
get_params = request.POST.get("get_params")
if get_params:
return HttpResponseRedirect(reverse("fb_browse") + get_params)
return HttpResponse("True")
def test_escape(self):
"""
Test HTML is escaped to whitelist.
"""
self.assertEqual(escape("<foo><div></div></foo>"), "<div></div>")
def clean(self, value, model_instance):
"""
Remove potentially dangerous HTML tags and attributes.
"""
return escape(value)
def clean(self, value, model_instance):
"""
Remove potentially dangerous HTML tags and attributes.
"""
return escape(value)
