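def _sanitize(params, level, doNotSanitize=()):
    """Recursively check every str value in *params* against restrictedHTML.

    Args:
        params: a dict (its values are checked) or any other iterable (its
            elements are checked).
        level: sanitization level forwarded unchanged to restrictedHTML.
        doNotSanitize: keys (for a dict) or elements (for a non-dict) to skip
            at this depth only; it is not forwarded into nested containers.

    Raises:
        HtmlForbiddenTag: carrying restrictedHTML's non-None result for the
            first offending str encountered.

    Only str values are inspected; list and dict values are recursed into and
    values of any other type (bytes, tuples, numbers, objects) are left
    unexamined.
    """
    # Decide once whether we iterate keys (dict) or elements (other iterable);
    # the original tested this on every iteration.
    is_mapping = isinstance(params, dict)
    for entry in params:
        if entry in doNotSanitize:
            continue
        value = params[entry] if is_mapping else entry
        if isinstance(value, str):
            # restrictedHTML returns None when the string is acceptable and a
            # non-None marker (presumably the offending tag) otherwise.
            offending = restrictedHTML(value, level)
            if offending is not None:
                raise HtmlForbiddenTag(offending)
        elif isinstance(value, (list, dict)):
            # doNotSanitize is not propagated to nested containers, matching
            # the original call; Sanitization is resolved from the enclosing module.
            Sanitization._sanitize(value, level)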
def sanitizationCheck(target, params, accessWrapper):
    """Normalise and validate request *params* in place according to a sanitization level.

    Pass 1: every non-empty str value, at the top level or inside a list value,
    is replaced by encodeUnicode(value); if the result is "" a MaKaCError is
    raised (the input could not be decoded as UTF-8).

    Pass 2: a level is chosen - the configured level when accessWrapper has a
    user, or when *target* exposes canModify and grants it to accessWrapper;
    otherwise 0. A level outside 0..3 is coerced to 1 (not 0).
      level 0 - every str value is replaced by escape_html(value)
      level 1 - scriptDetection / restrictedHTML, style not allowed
      level 2 - scriptDetection(..., allowStyle=True) / restrictedHTML
      level 3 - no check at all

    Only str values and str items of list values are inspected; values of any
    other type (dicts, tuples, nested lists, bytes) are left untouched by every
    pass.

    Args:
        target: object consulted for canModify when no user is logged in; may be falsy.
        params: dict of request parameters, mutated in place.
        accessWrapper: provides getUser() and is passed to target.canModify().

    Raises:
        MaKaCError: a str value decoded to "" by encodeUnicode.
        htmlScriptError: scriptDetection reported the value (levels 1 and 2).
        htmlForbiddenTag: restrictedHTML returned a falsy result (levels 1 and 2).

    Returns:
        None.
    """
    # first make sure all params are utf-8
    for param in params.keys():
        if isinstance(params[param], str) and params[param] != "":
            params[param] = encodeUnicode(params[param])
            if params[param] == "":
                raise MaKaCError("Your browser is using an encoding which is not recognized by Indico... Please make sure you set your browser encoding to utf-8")
        elif isinstance(params[param], list):
            #the params is a list, check inside
            for i in range(len(params[param])):
                item = params[param][i]
                if isinstance(item, str) and item != "":
                    params[param][i] = encodeUnicode(item)
                    if params[param][i] == "":
                        raise MaKaCError("Your browser is using an encoding which is not recognized by Indico... Please make sure you set your browser encoding to utf-8")
    # then check the security level of data sent to the server
    # if no user logged in, then no html allowed
    if accessWrapper.getUser():
        level = Config.getInstance().getSanitizationLevel()
    elif target and hasattr(target, "canModify") and target.canModify(accessWrapper):
        # not logged user, but use a modification key
        level = Config.getInstance().getSanitizationLevel()
    else:
        level = 0
    # An unexpected configured value falls back to 1, i.e. HTML is still accepted
    # (subject to the level-1 checks) rather than escaped.
    if level not in range(4):
        level = 1
    if level == 0:
        #Escape all HTML tags
        for param in params.keys():
            if isinstance(params[param], str):
                #the params is a string
                params[param] = escape_html(params[param])
            elif isinstance(params[param], list):
                #the params is a list, check inside
                for i in range(len(params[param])):
                    item = params[param][i]
                    if isinstance(item, str):
                        params[param][i] = escape_html(item)
    # raise error if form or iframe tags are used
    elif level == 1:
        #level 1 or default
        #raise error if script or style detected
        # ret is reset once per branch, not per parameter, so it carries the
        # scriptDetection result of the current str value to the check below.
        ret = None
        for param in params.keys():
            if isinstance(params[param], str):
                ret = scriptDetection(params[param])
                # For a str value the forbidden-tag check runs before the
                # script result is acted on, unlike the list branch and level 2.
                if not restrictedHTML(params[param]):
                    raise htmlForbiddenTag(params[param])
            elif isinstance(params[param], list):
                for item in params[param]:
                    if isinstance(item, str):
                        ret = scriptDetection(item)
                        if ret:
                            raise htmlScriptError(item)
                        if not restrictedHTML(item):
                            raise htmlForbiddenTag(item)
            # NOTE(review): indentation was lost in the source; this check is
            # placed at loop-body level, where it reports the str value tested
            # above - confirm against the original file.
            if ret:
                raise htmlScriptError(params[param])
    elif level == 2:
        #raise error if script but style accepted
        ret = None
        for param in params.keys():
            if isinstance(params[param], str):
                ret = scriptDetection(params[param], allowStyle=True)
                if ret:
                    raise htmlScriptError(params[param])
                ret = restrictedHTML(params[param])
                if not ret:
                    raise htmlForbiddenTag(params[param])
            elif isinstance(params[param], list):
                for item in params[param]:
                    if isinstance(item, str):
                        ret = scriptDetection(item, allowStyle=True)
                        if ret:
                            raise htmlScriptError(item)
                        ret = restrictedHTML(item)
                        if not ret:
                            raise htmlForbiddenTag(item)
    elif level == 3:
        # Absolutely no checks
        return
def sanitizationCheck(target, params, accessWrapper):
    """Normalise and validate request *params* in place according to a sanitization level.

    Pass 1: every non-empty str value, at the top level or inside a list value,
    is replaced by encodeUnicode(value); if the result is "" a MaKaCError is
    raised (the input could not be decoded as UTF-8).

    Pass 2: a level is chosen - the configured level when accessWrapper has a
    user, or when *target* exposes canModify and grants it to accessWrapper;
    otherwise 0. A level outside 0..3 is coerced to 1 (not 0).
      level 0 - every str value is replaced by escape_html(value)
      level 1 - scriptDetection / restrictedHTML, style not allowed
      level 2 - scriptDetection(..., allowStyle=True) / restrictedHTML
      level 3 - no check at all

    Only str values and str items of list values are inspected; values of any
    other type (dicts, tuples, nested lists, bytes) are left untouched by every
    pass.

    Args:
        target: object consulted for canModify when no user is logged in; may be falsy.
        params: dict of request parameters, mutated in place.
        accessWrapper: provides getUser() and is passed to target.canModify().

    Raises:
        MaKaCError: a str value decoded to "" by encodeUnicode.
        htmlScriptError: scriptDetection reported the value (levels 1 and 2).
        htmlForbiddenTag: restrictedHTML returned a falsy result (levels 1 and 2).

    Returns:
        None.
    """
    # first make sure all params are utf-8
    for param in params.keys():
        if isinstance(params[param], str) and params[param] != "":
            params[param] = encodeUnicode(params[param])
            if params[param] == "":
                raise MaKaCError(
                    "Your browser is using an encoding which is not recognized by Indico... Please make sure you set your browser encoding to utf-8"
                )
        elif isinstance(params[param], list):
            #the params is a list, check inside
            for i in range(len(params[param])):
                item = params[param][i]
                if isinstance(item, str) and item != "":
                    params[param][i] = encodeUnicode(item)
                    if params[param][i] == "":
                        raise MaKaCError(
                            "Your browser is using an encoding which is not recognized by Indico... Please make sure you set your browser encoding to utf-8"
                        )
    # then check the security level of data sent to the server
    # if no user logged in, then no html allowed
    if accessWrapper.getUser():
        level = Config.getInstance().getSanitizationLevel()
    elif target and hasattr(target, "canModify") and target.canModify(accessWrapper):
        # not logged user, but use a modification key
        level = Config.getInstance().getSanitizationLevel()
    else:
        level = 0
    # An unexpected configured value falls back to 1, i.e. HTML is still accepted
    # (subject to the level-1 checks) rather than escaped.
    if level not in range(4):
        level = 1
    if level == 0:
        #Escape all HTML tags
        for param in params.keys():
            if isinstance(params[param], str):
                #the params is a string
                params[param] = escape_html(params[param])
            elif isinstance(params[param], list):
                #the params is a list, check inside
                for i in range(len(params[param])):
                    item = params[param][i]
                    if isinstance(item, str):
                        params[param][i] = escape_html(item)
    # raise error if form or iframe tags are used
    elif level == 1:
        #level 1 or default
        #raise error if script or style detected
        # ret is reset once per branch, not per parameter, so it carries the
        # scriptDetection result of the current str value to the check below.
        ret = None
        for param in params.keys():
            if isinstance(params[param], str):
                ret = scriptDetection(params[param])
                # For a str value the forbidden-tag check runs before the
                # script result is acted on, unlike the list branch and level 2.
                if not restrictedHTML(params[param]):
                    raise htmlForbiddenTag(params[param])
            elif isinstance(params[param], list):
                for item in params[param]:
                    if isinstance(item, str):
                        ret = scriptDetection(item)
                        if ret:
                            raise htmlScriptError(item)
                        if not restrictedHTML(item):
                            raise htmlForbiddenTag(item)
            # NOTE(review): indentation was lost in the source; this check is
            # placed at loop-body level, where it reports the str value tested
            # above - confirm against the original file.
            if ret:
                raise htmlScriptError(params[param])
    elif level == 2:
        #raise error if script but style accepted
        ret = None
        for param in params.keys():
            if isinstance(params[param], str):
                ret = scriptDetection(params[param], allowStyle=True)
                if ret:
                    raise htmlScriptError(params[param])
                ret = restrictedHTML(params[param])
                if not ret:
                    raise htmlForbiddenTag(params[param])
            elif isinstance(params[param], list):
                for item in params[param]:
                    if isinstance(item, str):
                        ret = scriptDetection(item, allowStyle=True)
                        if ret:
                            raise htmlScriptError(item)
                        ret = restrictedHTML(item)
                        if not ret:
                            raise htmlForbiddenTag(item)
    elif level == 3:
        # Absolutely no checks
        return