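def format_comments(self, comments):
    """Render the stored comments for a page as an HTML fragment.

    Args:
        comments: sequence of dicts with ``homepage``, ``name``, ``time``
            (a struct_time / 9-tuple accepted by ``time.strftime``) and
            ``comments`` keys.

    Returns:
        The comment-area HTML, or ``''`` when there are no comments.
    """
    if not comments:
        return ''
    text = []
    text.append('<hr>')
    text.append('<h2><a name="comment-area"></a>Comments (%s):</h2>'
                % len(comments))
    for comment in comments:
        # Attribute escaping keeps the href well-formed; it does not
        # validate the URL itself (scheme/host), so any policy on what
        # homepages are acceptable belongs where the comment is stored.
        text.append('<h3><a href="%s">%s</a> at %s:</h3>' % (
            html_escape(comment['homepage']),
            html_escape(comment['name']),
            time.strftime('%c', comment['time'])))
        # The body is user-supplied text; escape it like the other fields
        # so any markup in it is displayed literally rather than rendered.
        text.append(html_escape(comment['comments']))
    return ''.join(text)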
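def test_html_escape():
    """Exercise ``html_escape`` on each documented class of input.

    Every pair is ``(value, expected)`` and ``eq`` asserts equality.  The
    expected strings are the entity-encoded output an escaping function
    produces (``&lt;``, ``&gt;``, ``&amp;``, ``&quot;`` and numeric
    character references), never the raw characters.
    """
    for v, s in [
        # unsafe chars
        ('these chars: < > & "', 'these chars: &lt; &gt; &amp; &quot;'),
        (' ', ' '),
        # An existing entity is escaped again, not passed through.
        ('&egrave;', '&amp;egrave;'),
        # The apostrophe is *not* escaped, which some might consider to be
        # a serious bug (see, e.g. http://www.cvedetails.com/cve/CVE-2010-2480/)
        (u'the majestic m\xf8ose', 'the majestic m&#248;ose'),
        #("'", "&#39;")

        # 8-bit strings are passed through
        (u'\xe9', '&#233;'),
        (u'the majestic m\xf8ose'.encode('utf-8'), 'the majestic m\xc3\xb8ose'),

        # ``None`` is treated specially, and returns the empty string.
        (None, ''),

        # Objects that define a ``__html__`` method handle their own escaping
        (t_esc_HTML(), '<div>hello</div>'),

        # Things that are not strings are converted to strings and then escaped
        (42, '42'),
        (Exception("expected a '<'."), "expected a '&lt;'."),

        # If an object implements both ``__str__`` and ``__unicode__``, the latter
        # is preferred
        (t_esc_SuperMoose(), 'm&#248;ose'),
        (t_esc_Unicode(), '&#233;'),
        (t_esc_UnsafeAttrs(), '&lt;UnsafeAttrs&gt;'),
    ]:
        eq(html_escape(v), s)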
def login(self, req):
    """
    Serve the login form and handle its submission.

    A request that fails ``check_ip`` gets ``ip_denied.html`` with a 403.
    A POST whose credentials pass ``check_login`` receives a redirect to
    the ``back`` parameter (or the application root) carrying a fresh
    ``__devauth`` cookie.  Every other request renders ``login.html``
    with a ``msg``; if the request already carries a ``__devauth`` cookie
    that ``read_cookie`` rejects, that cookie is deleted on the response.
    """
    here = os.path.dirname(__file__)
    if not self.check_ip(req):
        denied = HTMLTemplate.from_filename(
            os.path.join(here, 'ip_denied.html'))
        return Response(denied.substitute(req=req),
                        status='403 Forbidden')

    if req.method == 'POST':
        # Plain item access: a form missing either field raises KeyError.
        username = req.str_POST['username']
        password = req.str_POST['password']
        if self.check_login(username, password):
            # NOTE(review): ``back`` is taken from the query string as-is,
            # so the post-login redirect target is caller-controlled; a
            # check that it points back into this application (e.g. a
            # ``req.application_url`` prefix) would bound it.
            target = req.params.get('back') or req.application_url
            redirect = exc.HTTPFound(location=target)
            redirect.set_cookie('__devauth',
                                self.create_cookie(req, username))
            return redirect
        msg = 'Invalid username or password'
    else:
        # NOTE(review): ``msg`` comes straight from the query string and is
        # handed to the template; whether it is escaped there depends on
        # login.html -- confirm, since the 'expired' text below is markup.
        msg = req.params.get('msg')

    back = req.params.get('back') or req.application_url
    if msg == 'expired':
        msg = ('Your session has expired. You can log in again, or just '
               '<a href="%s">return to your previous page</a>'
               % html_escape(back))

    form = HTMLTemplate.from_filename(os.path.join(here, 'login.html'))
    response = Response(form.substitute(req=req, msg=msg, back=back,
                                        middleware=self))
    try:
        if req.cookies.get('__devauth'):
            self.read_cookie(req, req.str_cookies['__devauth'])
    except exc.HTTPException:
        # read_cookie signals an invalid cookie this way; drop it.
        response.delete_cookie('__devauth')
    return response
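def format_comments(self, comments):
    """Render the stored comments for a page as an HTML fragment.

    Args:
        comments: sequence of dicts with ``homepage``, ``name``, ``time``
            (a struct_time / 9-tuple accepted by ``time.strftime``) and
            ``comments`` keys.

    Returns:
        The comment-area HTML, or ``""`` when there are no comments.
    """
    if not comments:
        return ""
    text = []
    text.append("<hr>")
    text.append('<h2><a name="comment-area"></a>Comments (%s):</h2>' % len(comments))
    for comment in comments:
        # Attribute escaping keeps the href well-formed; it does not
        # validate the URL itself (scheme/host), so any policy on what
        # homepages are acceptable belongs where the comment is stored.
        text.append('<h3><a href="%s">%s</a> at %s:</h3>' % (
            html_escape(comment["homepage"]),
            html_escape(comment["name"]),
            time.strftime("%c", comment["time"]),
        ))
        # The body is user-supplied text; escape it like the other fields
        # so any markup in it is displayed literally rather than rendered.
        text.append(html_escape(comment["comments"]))
    return "".join(text)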
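def format_comments(self, comments):
    """Render the stored comments for a page as an HTML fragment.

    Args:
        comments: sequence of dicts with ``homepage``, ``name``, ``time``
            (a struct_time / 9-tuple accepted by ``time.strftime``) and
            ``comments`` keys.

    Returns:
        The comment-area HTML, or ``""`` when there are no comments.
    """
    import time
    from webob import html_escape

    if not comments:
        return ""
    text = []
    text.append("<hr>")
    text.append('<h2><a name="comment-area"></a>Comments (%s):</h2>' % len(comments))
    for comment in comments:
        # Attribute escaping keeps the href well-formed; it does not
        # validate the URL itself (scheme/host), so any policy on what
        # homepages are acceptable belongs where the comment is stored.
        text.append(
            '<h3><a href="%s">%s</a> at %s:</h3>'
            % (html_escape(comment["homepage"]), html_escape(comment["name"]), time.strftime("%c", comment["time"]))
        )
        # The body is user-supplied text; escape it like the other fields
        # so any markup in it is displayed literally rather than rendered.
        text.append(html_escape(comment["comments"]))
    return "".join(text)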
def submit_form(self, base_path, req): return '''<h2>Leave a comment:</h2> <form action="%s/.comments" method="POST"> <input type="hidden" name="url" value="%s"> <table width="100%%"> <tr><td>Name:</td> <td><input type="text" name="name" style="width: 100%%"></td></tr> <tr><td>URL:</td> <td><input type="text" name="homepage" style="width: 100%%"></td></tr> </table> Comments:<br> <textarea name="comments" rows=10 style="width: 100%%"></textarea><br> <input type="submit" value="Submit comment"> </form> ''' % (base_path, html_escape(req.url))
def __pfce(self, obj):
    """Pretty-print *obj* and HTML-escape the result for embedding in a page."""
    pretty = pformat(obj)
    return html_escape(str(pretty))