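def _checkParams(self, params, mustExist=True):
    """Resolve the target category from the request parameters.

    Sets ``self._target`` to the object returned by the category locator.

    Args:
        params: request parameter mapping. If ``"categId"`` is present it is
            converted to ``str`` and HTML-escaped *in place* before any
            lookup, so the value is safe to echo back in the error below.
        mustExist: when truthy, failing to find the category is an error.

    Raises:
        NoReportError: if ``mustExist`` is set and no category was found.
    """
    if "categId" in params:
        # Escape first: this user-supplied id is reflected into the
        # error message, so it must never reach the page unescaped.
        params["categId"] = escape_html(str(params["categId"]))
    locator = locators.CategoryWebLocator(params, mustExist)
    self._target = locator.getObject()
    # Report a missing category; `is None` rather than `== None` so an
    # object with a custom __eq__ cannot fool the check.
    if mustExist and self._target is None:
        # .get() so a request without "categId" still yields the intended
        # NoReportError instead of a KeyError from the message formatting.
        raise NoReportError(
            _("The specified category with id \"%s\" does not exist or has been deleted")
            % params.get("categId"))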
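def _checkParams(self, params, mustExist=True):
    """Resolve the target category from the request parameters.

    Sets ``self._target`` to the object returned by the category locator.

    Args:
        params: request parameter mapping. If ``"categId"`` is present it is
            converted to ``str`` and HTML-escaped *in place* before any
            lookup, so the value is safe to echo back in the error below.
        mustExist: when truthy, failing to find the category is an error.

    Raises:
        NotFoundError: if ``mustExist`` is set and no category was found.
    """
    if "categId" in params:
        # Escape first: this user-supplied id is reflected into the
        # error message, so it must never reach the page unescaped.
        params["categId"] = escape_html(str(params["categId"]))
    locator = locators.CategoryWebLocator(params, mustExist)
    self._target = locator.getObject()
    if mustExist and self._target is None:
        # .get() so a request without "categId" still yields the intended
        # NotFoundError instead of a KeyError from the message formatting.
        raise NotFoundError(
            _("The category with id '{}' does not exist or has been deleted").format(
                params.get("categId")),
            title=_("Category not found"))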
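def _checkParams(self, params, mustExist=True):
    """Resolve the target category from the request parameters.

    Sets ``self._target`` to the object returned by the category locator.

    Args:
        params: request parameter mapping. If ``"categId"`` is present it is
            converted to ``str`` and HTML-escaped *in place* before any
            lookup. The error message below wraps the id in ``<strong>``,
            i.e. it is emitted as markup, so this escaping is what keeps a
            user-supplied id from injecting HTML into the error page.
        mustExist: when truthy, failing to find the category is an error.

    Raises:
        NotFoundError: if ``mustExist`` is set and no category was found.
    """
    if "categId" in params:
        # Escape first: the id is interpolated into markup further down.
        params["categId"] = escape_html(str(params["categId"]))
    locator = locators.CategoryWebLocator(params, mustExist)
    self._target = locator.getObject()
    if mustExist and self._target is None:
        # .get() so a request without "categId" still yields the intended
        # NotFoundError instead of a KeyError from the message formatting.
        raise NotFoundError(
            _("The category with id '{}' does not exist or has been deleted").format(
                "<strong>{}</strong>".format(params.get("categId"))),
            title=_("Category not found"))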
def _escapeHTML(params):
    """HTML-escape, in place, every ``str`` value found in ``params``.

    ``params`` is either a dict (escaped values are written back under the
    same key) or a list (written back at the same index). Nested lists and
    dicts are descended into recursively through ``Sanitization._escapeHTML``.
    Only ``str`` instances are escaped; values of any other type -- including
    tuples and other text types -- are left as they are.
    """
    # One (key, value) source for both container kinds so the loop body
    # can assign back with params[key] regardless of the container type.
    if isinstance(params, dict):
        entries = params.items()
    else:
        entries = enumerate(params)
    for key, value in entries:
        if isinstance(value, str):
            params[key] = escape_html(value)
        elif isinstance(value, (list, dict)):
            Sanitization._escapeHTML(value)
def sanitizationCheck(target, params, accessWrapper):
    """Normalise and sanitise request parameters in place, or raise.

    Two passes over ``params`` (a mapping of parameter name -> value):

    1. Encoding: every non-empty ``str`` value, and every non-empty ``str``
       item of a list value, is replaced by ``encodeUnicode(value)``. An
       empty result is treated as an unrecognised browser encoding and
       raises ``MaKaCError``.
    2. HTML policy, chosen by a *sanitization level*:
       - the configured ``Config.getInstance().getSanitizationLevel()`` if a
         user is logged in **or** ``target.canModify(accessWrapper)`` is
         true (so an anonymous caller holding modification rights gets the
         same HTML allowance as a logged-in user);
       - ``0`` otherwise; any value outside ``0..3`` falls back to ``1``.
       Level 0 escapes every string; levels 1 and 2 reject content flagged
       by ``scriptDetection`` / ``restrictedHTML`` (2 additionally allows
       style); level 3 performs no check at all.

    Only ``str`` values and ``str`` items of top-level lists are inspected.
    Values of any other type -- nested lists, dicts, non-``str`` items --
    pass through every level untouched and unchecked, so callers must not
    rely on this function for such parameters.

    Raises:
        MaKaCError: a parameter could not be re-encoded (pass 1).
        htmlForbiddenTag: ``restrictedHTML`` rejected a value (levels 1-2).
        htmlScriptError: ``scriptDetection`` flagged a value (levels 1-2).
    """
    # first make sure all params are utf-8
    for param in params.keys():
        if isinstance(params[param], str) and params[param] != "":
            params[param] = encodeUnicode(params[param])
            # An empty result is the failure signal of encodeUnicode here;
            # empty inputs were excluded above so this cannot be a no-op.
            if params[param] == "":
                raise MaKaCError("Your browser is using an encoding which is not recognized by Indico... Please make sure you set your browser encoding to utf-8")
        elif isinstance(params[param], list):
            # the param is a list: re-encode each str item in place
            for i in range(len(params[param])):
                item = params[param][i]
                if isinstance(item, str) and item != "":
                    params[param][i] = encodeUnicode(item)
                    if params[param][i] == "":
                        raise MaKaCError("Your browser is using an encoding which is not recognized by Indico... Please make sure you set your browser encoding to utf-8")
    # then check the security level of data sent to the server:
    # no logged-in user and no modification rights -> level 0, no HTML allowed
    if accessWrapper.getUser():
        level = Config.getInstance().getSanitizationLevel()
    elif target and hasattr(target, "canModify") and target.canModify(accessWrapper):
        # not a logged-in user, but the target grants modification
        # (e.g. via a modification key) -> same level as a logged-in user
        level = Config.getInstance().getSanitizationLevel()
    else:
        level = 0
    # Guard against a misconfigured level; 1 is the default policy.
    if level not in range(4):
        level = 1
    if level == 0:
        # Escape all HTML tags in str values and in str items of lists
        for param in params.keys():
            if isinstance(params[param], str):
                # the param is a string
                params[param] = escape_html(params[param])
            elif isinstance(params[param], list):
                # the param is a list, check inside
                for i in range(len(params[param])):
                    item = params[param][i]
                    if isinstance(item, str):
                        params[param][i] = escape_html(item)
    elif level == 1:
        # level 1 or default: raise if a script is detected. scriptDetection
        # is called without allowStyle here, so -- judging by level 2's
        # allowStyle=True -- style content is presumably rejected as well.
        # restrictedHTML rejects forbidden tags (per the original note,
        # form/iframe are among them -- not verifiable from here).
        ret = None
        for param in params.keys():
            if isinstance(params[param], str):
                ret = scriptDetection(params[param])
                # Unlike level 2, the forbidden-tag check is acted on first;
                # the script-detection result is only raised below.
                if not restrictedHTML(params[param]):
                    raise htmlForbiddenTag(params[param])
            elif isinstance(params[param], list):
                for item in params[param]:
                    if isinstance(item, str):
                        ret = scriptDetection(item)
                        if ret:
                            raise htmlScriptError(item)
                        if not restrictedHTML(item):
                            raise htmlForbiddenTag(item)
            # NOTE(review): the listing was collapsed, so this check's exact
            # nesting is inferred; at loop-body level it is equivalent to
            # placing it inside the str branch, since list items raise
            # immediately and ret is therefore never truthy after that branch.
            if ret:
                raise htmlScriptError(params[param])
    elif level == 2:
        # raise if a script is detected, but style is accepted
        ret = None
        for param in params.keys():
            if isinstance(params[param], str):
                ret = scriptDetection(params[param], allowStyle=True)
                if ret:
                    raise htmlScriptError(params[param])
                ret = restrictedHTML(params[param])
                if not ret:
                    raise htmlForbiddenTag(params[param])
            elif isinstance(params[param], list):
                for item in params[param]:
                    if isinstance(item, str):
                        ret = scriptDetection(item, allowStyle=True)
                        if ret:
                            raise htmlScriptError(item)
                        ret = restrictedHTML(item)
                        if not ret:
                            raise htmlForbiddenTag(item)
    elif level == 3:
        # Absolutely no checks: values are passed through unmodified
        return
def sanitizationCheck(target, params, accessWrapper):
    """Normalise and sanitise request parameters in place, or raise.

    Two passes over ``params`` (a mapping of parameter name -> value):

    1. Encoding: every non-empty ``str`` value, and every non-empty ``str``
       item of a list value, is replaced by ``encodeUnicode(value)``. An
       empty result is treated as an unrecognised browser encoding and
       raises ``MaKaCError``.
    2. HTML policy, chosen by a *sanitization level*:
       - the configured ``Config.getInstance().getSanitizationLevel()`` if a
         user is logged in **or** ``target.canModify(accessWrapper)`` is
         true (so an anonymous caller holding modification rights gets the
         same HTML allowance as a logged-in user);
       - ``0`` otherwise; any value outside ``0..3`` falls back to ``1``.
       Level 0 escapes every string; levels 1 and 2 reject content flagged
       by ``scriptDetection`` / ``restrictedHTML`` (2 additionally allows
       style); level 3 performs no check at all.

    Only ``str`` values and ``str`` items of top-level lists are inspected.
    Values of any other type -- nested lists, dicts, non-``str`` items --
    pass through every level untouched and unchecked, so callers must not
    rely on this function for such parameters.

    Raises:
        MaKaCError: a parameter could not be re-encoded (pass 1).
        htmlForbiddenTag: ``restrictedHTML`` rejected a value (levels 1-2).
        htmlScriptError: ``scriptDetection`` flagged a value (levels 1-2).
    """
    # first make sure all params are utf-8
    for param in params.keys():
        if isinstance(params[param], str) and params[param] != "":
            params[param] = encodeUnicode(params[param])
            # An empty result is the failure signal of encodeUnicode here;
            # empty inputs were excluded above so this cannot be a no-op.
            if params[param] == "":
                raise MaKaCError(
                    "Your browser is using an encoding which is not recognized by Indico... Please make sure you set your browser encoding to utf-8"
                )
        elif isinstance(params[param], list):
            # the param is a list: re-encode each str item in place
            for i in range(len(params[param])):
                item = params[param][i]
                if isinstance(item, str) and item != "":
                    params[param][i] = encodeUnicode(item)
                    if params[param][i] == "":
                        raise MaKaCError(
                            "Your browser is using an encoding which is not recognized by Indico... Please make sure you set your browser encoding to utf-8"
                        )
    # then check the security level of data sent to the server:
    # no logged-in user and no modification rights -> level 0, no HTML allowed
    if accessWrapper.getUser():
        level = Config.getInstance().getSanitizationLevel()
    elif target and hasattr(target, "canModify") and target.canModify(accessWrapper):
        # not a logged-in user, but the target grants modification
        # (e.g. via a modification key) -> same level as a logged-in user
        level = Config.getInstance().getSanitizationLevel()
    else:
        level = 0
    # Guard against a misconfigured level; 1 is the default policy.
    if level not in range(4):
        level = 1
    if level == 0:
        # Escape all HTML tags in str values and in str items of lists
        for param in params.keys():
            if isinstance(params[param], str):
                # the param is a string
                params[param] = escape_html(params[param])
            elif isinstance(params[param], list):
                # the param is a list, check inside
                for i in range(len(params[param])):
                    item = params[param][i]
                    if isinstance(item, str):
                        params[param][i] = escape_html(item)
    elif level == 1:
        # level 1 or default: raise if a script is detected. scriptDetection
        # is called without allowStyle here, so -- judging by level 2's
        # allowStyle=True -- style content is presumably rejected as well.
        # restrictedHTML rejects forbidden tags (per the original note,
        # form/iframe are among them -- not verifiable from here).
        ret = None
        for param in params.keys():
            if isinstance(params[param], str):
                ret = scriptDetection(params[param])
                # Unlike level 2, the forbidden-tag check is acted on first;
                # the script-detection result is only raised below.
                if not restrictedHTML(params[param]):
                    raise htmlForbiddenTag(params[param])
            elif isinstance(params[param], list):
                for item in params[param]:
                    if isinstance(item, str):
                        ret = scriptDetection(item)
                        if ret:
                            raise htmlScriptError(item)
                        if not restrictedHTML(item):
                            raise htmlForbiddenTag(item)
            # NOTE(review): the listing was collapsed, so this check's exact
            # nesting is inferred; at loop-body level it is equivalent to
            # placing it inside the str branch, since list items raise
            # immediately and ret is therefore never truthy after that branch.
            if ret:
                raise htmlScriptError(params[param])
    elif level == 2:
        # raise if a script is detected, but style is accepted
        ret = None
        for param in params.keys():
            if isinstance(params[param], str):
                ret = scriptDetection(params[param], allowStyle=True)
                if ret:
                    raise htmlScriptError(params[param])
                ret = restrictedHTML(params[param])
                if not ret:
                    raise htmlForbiddenTag(params[param])
            elif isinstance(params[param], list):
                for item in params[param]:
                    if isinstance(item, str):
                        ret = scriptDetection(item, allowStyle=True)
                        if ret:
                            raise htmlScriptError(item)
                        ret = restrictedHTML(item)
                        if not ret:
                            raise htmlForbiddenTag(item)
    elif level == 3:
        # Absolutely no checks: values are passed through unmodified
        return