Esempio n. 1
0
    def _checkParams( self, params, mustExist = 1 ):
        if "categId" in params:
            params["categId"] = escape_html(str(params["categId"]))
        l = locators.CategoryWebLocator( params, mustExist )
        self._target = l.getObject()

        # throw an error if the category was not found
        if mustExist and self._target == None:
            raise NoReportError(_("The specified category with id \"%s\" does not exist or has been deleted")%params["categId"])
    def _checkParams( self, params, mustExist = 1 ):
        if "categId" in params:
            params["categId"] = escape_html(str(params["categId"]))
        l = locators.CategoryWebLocator( params, mustExist )
        self._target = l.getObject()

        # throw an error if the category was not found
        if mustExist and self._target == None:
            raise NoReportError(_("The specified category with id \"%s\" does not exist or has been deleted")%params["categId"])
Esempio n. 3
0
    def _checkParams(self, params, mustExist=True):
        if "categId" in params:
            params["categId"] = escape_html(str(params["categId"]))
        l = locators.CategoryWebLocator(params, mustExist)
        self._target = l.getObject()

        # throw an error if the category was not found
        if mustExist and self._target is None:
            raise NotFoundError(_("The category with id '{}' does not exist or has been deleted").format(
                                params["categId"]),
                                title=_("Category not found"))
Esempio n. 4
0
    def _checkParams(self, params, mustExist=True):
        if "categId" in params:
            params["categId"] = escape_html(str(params["categId"]))
        l = locators.CategoryWebLocator(params, mustExist)
        self._target = l.getObject()

        # throw an error if the category was not found
        if mustExist and self._target is None:
            raise NotFoundError(_("The category with id '{}' does not exist or has been deleted").format(
                                "<strong>{}</strong>".format(params["categId"])),
                                title=_("Category not found"))
Esempio n. 5
0
 def _escapeHTML(params):
     index = 0
     for i in params:
         # params can be a list or a dictonary
         # we need to define k depending if it is a list or a dictonary
         # in order to be able to do such a operation: params[k] = something.
         if isinstance(params, dict):
             param = params[i]
             k = i
         else:
             param = i
             k = index  # since we are  looping a list, we need to increment the index to
             index += 1  # get the correct 'k' in the next iteration.
         if isinstance(param, str):
             params[k] = escape_html(param)
         elif isinstance(param, list) or isinstance(param, dict):
             Sanitization._escapeHTML(param)
Esempio n. 6
0
 def _escapeHTML(params):
     index = 0
     for i in params:
         # params can be a list or a dictonary
         # we need to define k depending if it is a list or a dictonary
         # in order to be able to do such a operation: params[k] = something.
         if isinstance(params, dict):
             param = params[i]
             k = i
         else:
             param = i
             k = index  # since we are  looping a list, we need to increment the index to
             index += 1  # get the correct 'k' in the next iteration.
         if isinstance(param, str):
             params[k] = escape_html(param)
         elif isinstance(param, list) or isinstance(param, dict):
             Sanitization._escapeHTML(param)
Esempio n. 7
0
def sanitizationCheck(target, params, accessWrapper):
    # first make sure all params are utf-8
    for param in params.keys():
        if isinstance(params[param], str) and params[param] != "":
            params[param] = encodeUnicode(params[param])
            if params[param] == "":
                raise MaKaCError("Your browser is using an encoding which is not recognized by Indico... Please make sure you set your browser encoding to utf-8")
        elif isinstance(params[param], list):
            #the params is a list, check inside
            for i in range(len(params[param])):
                item = params[param][i]
                if isinstance(item, str) and item != "":
                    params[param][i] = encodeUnicode(item)
                    if params[param][i] == "":
                        raise MaKaCError("Your browser is using an encoding which is not recognized by Indico... Please make sure you set your browser encoding to utf-8")


    # then check the security level of data sent to the server
    # if no user logged in, then no html allowed
    if accessWrapper.getUser():
        level = Config.getInstance().getSanitizationLevel()
    elif target and hasattr(target, "canModify") and target.canModify(accessWrapper):
        # not logged user, but use a modification key
        level = Config.getInstance().getSanitizationLevel()
    else:
        level = 0

    if level not in range(4):
        level = 1

    if level == 0:
        #Escape all HTML tags
        for param in params.keys():
            if isinstance(params[param], str):
                #the params is a string
                params[param] = escape_html(params[param])
            elif isinstance(params[param], list):
                #the params is a list, check inside
                for i in range(len(params[param])):
                    item = params[param][i]
                    if isinstance(item, str):
                        params[param][i] = escape_html(item)

    # raise error if form or iframe tags are used
    elif level == 1:
        #level 1 or default
        #raise error if script or style detected
        ret = None
        for param in params.keys():
            if isinstance(params[param], str):
                ret = scriptDetection(params[param])
                if not restrictedHTML(params[param]):
                    raise htmlForbiddenTag(params[param])
            elif isinstance(params[param], list):
                for item in params[param]:
                    if isinstance(item, str):
                        ret = scriptDetection(item)
                        if ret:
                            raise htmlScriptError(item)
                        if not restrictedHTML(item):
                            raise htmlForbiddenTag(item)
            if ret:
                raise htmlScriptError(params[param])

    elif level == 2:
        #raise error if script but style accepted
        ret = None
        for param in params.keys():
            if isinstance(params[param], str):
                ret = scriptDetection(params[param], allowStyle=True)
                if ret:
                    raise htmlScriptError(params[param])
                ret = restrictedHTML(params[param])
                if not ret:
                    raise htmlForbiddenTag(params[param])
            elif isinstance(params[param], list):
                for item in params[param]:
                    if isinstance(item, str):
                        ret = scriptDetection(item, allowStyle=True)
                        if ret:
                            raise htmlScriptError(item)
                        ret = restrictedHTML(item)
                        if not ret:
                            raise htmlForbiddenTag(item)


    elif level == 3:
        # Absolutely no checks
        return
Esempio n. 8
0
def sanitizationCheck(target, params, accessWrapper):
    # first make sure all params are utf-8
    for param in params.keys():
        if isinstance(params[param], str) and params[param] != "":
            params[param] = encodeUnicode(params[param])
            if params[param] == "":
                raise MaKaCError(
                    "Your browser is using an encoding which is not recognized by Indico... Please make sure you set your browser encoding to utf-8"
                )
        elif isinstance(params[param], list):
            #the params is a list, check inside
            for i in range(len(params[param])):
                item = params[param][i]
                if isinstance(item, str) and item != "":
                    params[param][i] = encodeUnicode(item)
                    if params[param][i] == "":
                        raise MaKaCError(
                            "Your browser is using an encoding which is not recognized by Indico... Please make sure you set your browser encoding to utf-8"
                        )

    # then check the security level of data sent to the server
    # if no user logged in, then no html allowed
    if accessWrapper.getUser():
        level = Config.getInstance().getSanitizationLevel()
    elif target and hasattr(target,
                            "canModify") and target.canModify(accessWrapper):
        # not logged user, but use a modification key
        level = Config.getInstance().getSanitizationLevel()
    else:
        level = 0

    if level not in range(4):
        level = 1

    if level == 0:
        #Escape all HTML tags
        for param in params.keys():
            if isinstance(params[param], str):
                #the params is a string
                params[param] = escape_html(params[param])
            elif isinstance(params[param], list):
                #the params is a list, check inside
                for i in range(len(params[param])):
                    item = params[param][i]
                    if isinstance(item, str):
                        params[param][i] = escape_html(item)

    # raise error if form or iframe tags are used
    elif level == 1:
        #level 1 or default
        #raise error if script or style detected
        ret = None
        for param in params.keys():
            if isinstance(params[param], str):
                ret = scriptDetection(params[param])
                if not restrictedHTML(params[param]):
                    raise htmlForbiddenTag(params[param])
            elif isinstance(params[param], list):
                for item in params[param]:
                    if isinstance(item, str):
                        ret = scriptDetection(item)
                        if ret:
                            raise htmlScriptError(item)
                        if not restrictedHTML(item):
                            raise htmlForbiddenTag(item)
            if ret:
                raise htmlScriptError(params[param])

    elif level == 2:
        #raise error if script but style accepted
        ret = None
        for param in params.keys():
            if isinstance(params[param], str):
                ret = scriptDetection(params[param], allowStyle=True)
                if ret:
                    raise htmlScriptError(params[param])
                ret = restrictedHTML(params[param])
                if not ret:
                    raise htmlForbiddenTag(params[param])
            elif isinstance(params[param], list):
                for item in params[param]:
                    if isinstance(item, str):
                        ret = scriptDetection(item, allowStyle=True)
                        if ret:
                            raise htmlScriptError(item)
                        ret = restrictedHTML(item)
                        if not ret:
                            raise htmlForbiddenTag(item)

    elif level == 3:
        # Absolutely no checks
        return