def create_link(cls, user: User, link_url: str, description: Optional[str] = None):
    """Persist a new link owned by *user* and return the created instance.

    The URL is percent-decoded once and must carry a scheme or a network
    location; anything else is rejected.  The description defaults to the
    URL's host, is whitespace-squeezed, HTML-escaped with escape_silent and
    stored as a plain str.  The icon lookup is best-effort: a ValueError from
    ``LinkIcon.get_or_create_icon`` leaves ``icon_id`` unset.

    Args:
        user: owner of the link; only ``user.user_id`` is read.
        link_url: the (possibly percent-encoded) URL to store.
        description: optional caption; falls back to the URL's netloc.

    Returns:
        The new instance, after ``db.commit()``.

    Raises:
        ValueError: if the decoded URL has neither a scheme nor a netloc.

    NOTE(review): only the *presence* of a scheme or netloc is checked, not
    the scheme itself, and the decoded URL is stored verbatim; confirm that
    wherever it is rendered only expected schemes are emitted as links.
    """
    decoded = unquote(link_url)
    parts = urlparse(decoded)
    # Reject only when both pieces are absent ("//host" and "scheme:x" pass).
    if not (parts.scheme or parts.netloc):
        raise ValueError("Invalid linked url")

    # Caption: caller-supplied text (squeezed) or the host name.
    caption = squeeze(description) if description else parts.netloc
    caption = str(escape_silent(caption))

    try:
        icon_id = LinkIcon.get_or_create_icon(parts).icon_id
    except ValueError:
        icon_id = None

    link = cls(
        user_id=user.user_id,
        link_url=decoded,
        description=caption,
        icon_id=icon_id,
    )
    db.commit()
    return link
def update_user_name(self, name: str) -> None:
    """Replace this user's display name with a cleaned copy of *name*.

    The value is whitespace-squeezed, HTML-escaped (escape_silent, so None
    becomes empty rather than the text 'None') and stored as a plain str.
    An empty result after cleaning is rejected before anything is written.

    Raises:
        ValueError: if nothing remains after cleaning.
    """
    cleaned = str(escape_silent(squeeze(name)))
    if not cleaned:
        raise ValueError("Invalid name length")
    # TODO: remove cached page and update image
    self.name = cleaned
    db.commit()
def send_email(request, author, to, subject, message, ignore_block=False, domain_override=None):
    """Send a plain-text email through the request's mailer, honouring the
    database's TrainingMode / NoEmail switches.

    ``to`` may be a comma-separated string or a list/tuple/set of addresses;
    blank entries are dropped.  When a default sender address is configured
    for the selected area (VOL or CIC, each falling back to the other), the
    mail goes out *from* that address and the original ``author`` becomes the
    Reply-To; otherwise ``author`` is used as-is and no Reply-To is set.

    In TrainingMode the message is only previewed via ``request.email_notice``
    (body escaped with escape_silent, newlines turned into <br>); when NoEmail
    is set and ``ignore_block`` is false a block notice is shown instead.  The
    mail is actually sent only when neither switch applies (or ``ignore_block``
    overrides both) and ``to`` and ``author`` are both non-empty.  Returns None.
    """
    if not isinstance(to, (list, tuple, set)):
        to = [x.strip() for x in to.split(',')]
    to = [unicode(x) for x in to if x]
    dboptions = request.dboptions
    TrainingMode = dboptions.TrainingMode
    NoEmail = dboptions.NoEmail
    domain = domain_override or request.pageinfo.DbArea
    # Pick the area's default sender, falling back to the other area's.
    if domain == const.DM_VOL:
        from_email = dboptions.DefaultEmailVOL or dboptions.DefaultEmailCIC
        from_name = dboptions.DefaultEmailNameVOL or dboptions.DefaultEmailNameCIC or u''
    else:
        from_email = dboptions.DefaultEmailCIC or dboptions.DefaultEmailVOL
        from_name = dboptions.DefaultEmailNameCIC or dboptions.DefaultEmailNameVOL or u''
    if from_email:
        # Send from the configured address; keep the caller's author as
        # Reply-To, reusing its display name when it has one.
        reply = author
        author = parseaddr(author)
        author = formataddr((author[0] or from_name, from_email))
    else:
        reply = None
    if TrainingMode:
        # XXX Fill message
        # Preview only.  The body is escaped before newlines become <br>; the
        # header values are interpolated through Markup's % operator.
        request.email_notice(
            Markup(
                '''
<p>Sending Email...<br><br>
<strong>From:</strong> %s<br><br>
<strong>To:</strong> %s<br><br>
<strong>Reply-To:</strong> %s<br><br>
<strong>Subject:</strong> %s<br><br>
<strong>Message:</strong><br>%s</p>'''
            ) % (
                author, ', '.join(to), reply or '', subject,
                escape_silent(message).replace('\n', Markup('<br>')).replace('\r', '')))
    elif not ignore_block and NoEmail:
        # XXX Fill message
        request.email_notice(_('This database has been configured to block all outgoing Email.', request))
    # ignore_block overrides both switches; an empty recipient list or author
    # still suppresses sending.
    if (not TrainingMode or ignore_block) and (not NoEmail or ignore_block) and to and author:
        mailer = _get_mailer(request)
        args = dict(author=[unicode(author)], to=to, subject=subject, plain=message)
        if reply:
            args['reply'] = [unicode(reply)]
        message = Message(**args)
        mailer.send(message)
def send(self, message):
    """Flash a rendered preview of *message* instead of delivering it.

    Stand-in for a real mailer: the headers and plain body are rendered into
    an HTML notice, logged at debug level and queued on the session under
    'email_messages'.  The body is passed through escape_silent before
    newlines are turned into <br> and carriage returns dropped.
    """
    template = Markup('''\
<p>Sending Email...<br><br>
<strong>From:</strong> %s<br><br>
<strong>To:</strong> %s<br><br>
<strong>Reply-To:</strong> %s<br><br>
<strong>Subject:</strong> %s<br><br>
<strong>Message:</strong><br>%s</p>''')
    recipients = ', '.join(unicode(x) for x in message.to)
    body = escape_silent(message.plain).replace('\n', Markup('<br>')).replace('\r', '')
    rendered = template % (
        message.author,
        recipients,
        message.reply or '',
        message.subject,
        body,
    )
    log.debug('Sending email %s', rendered)
    self.request.session.flash(rendered, 'email_messages')
def paste(self, text, richText):
    """Paste *text* into the focused window via the clipboard and Ctrl+V.

    The current clipboard contents are saved first and restored after the
    paste.  When no rich-text form is given, the plain text is HTML-escaped
    with escape_silent and used as the rich form, so characters in *text*
    are not interpreted as markup by rich-text-aware targets.  The fixed
    sleeps separate the clipboard writes from the key presses.
    """
    clipboard = self.clipboard
    keyboard = self.keyboard
    saved = clipboard.get_with_rich_text()
    time.sleep(0.05)
    rich = richText if richText else str(escape_silent(text))
    clipboard.set_with_rich_text(text, rich)
    time.sleep(0.05)
    # Ctrl held down, V tapped, Ctrl released.
    keyboard.keypress(Key.KEY_CTRL, state=KeyState.PRESSED)
    keyboard.keypress(Key.KEY_V)
    keyboard.keypress(Key.KEY_CTRL, state=KeyState.RELEASED)
    time.sleep(0.3)
    clipboard.set_with_rich_text(*(str(item) for item in saved))
def create_user(cls, user_id: str, name: str):
    """Create and commit a user with a cleaned *user_id*.

    *name* is only checked against ``whitespace_re`` here; it is not stored by
    this method (the instance is built from ``user_id`` alone) — presumably
    set elsewhere, verify against callers.  *user_id* is whitespace-squeezed,
    HTML-escaped with escape_silent and stored as a plain str.

    Raises:
        cls.exc.InvalidNameError: if ``whitespace_re`` finds no match in *name*.
        cls.exc.InvalidIDError: if *user_id* is empty after cleaning.
    """
    if whitespace_re.search(name) is None:
        raise cls.exc.InvalidNameError("Invalid name")
    cleaned_id = str(escape_silent(squeeze(user_id)))
    if not cleaned_id:
        raise cls.exc.InvalidIDError(
            "Invalid user_id length after cleaning")
    user = cls(user_id=cleaned_id)
    db.commit()
    return user
def send(self, message):
    """Render *message* as an HTML notice and flash it on the session.

    Acts as a stand-in for a delivering mailer: nothing is sent; the preview
    is logged at debug level and queued under 'email_messages'.  The plain
    body goes through escape_silent before newlines become <br> and
    carriage returns are removed.
    """
    fields = (
        message.author,
        ', '.join(unicode(x) for x in message.to),
        message.reply or '',
        message.subject,
        escape_silent(message.plain)
        .replace('\n', Markup('<br>'))
        .replace('\r', ''),
    )
    notice = Markup(
        '''\
<p>Sending Email...<br><br>
<strong>From:</strong> %s<br><br>
<strong>To:</strong> %s<br><br>
<strong>Reply-To:</strong> %s<br><br>
<strong>Subject:</strong> %s<br><br>
<strong>Message:</strong><br>%s</p>'''
    ) % fields
    log.debug('Sending email %s', notice)
    self.request.session.flash(notice, 'email_messages')
def input(self, type, name, value=None, **kwargs):
    """Render a generic ``<input>`` element as Markup.

    ``name`` is added to the attributes unless the caller already supplied
    one (or passed None); an ``id`` comes from ``_get_id_attribute``; the
    ``value`` attribute is resolved through ``_get_value_attribute`` and
    HTML-escaped with escape_silent, except for types in ``SKIP_VALUE_TYPES``.
    ``type`` is written last and overrides any ``type`` key in *kwargs*.
    The remaining attributes are serialised by ``_compile_attributes``;
    whether that helper escapes its values is not visible here — confirm
    before passing untrusted values through *kwargs*.
    """
    attrs = kwargs
    if name is not None and "name" not in attrs:
        attrs['name'] = name
    element_id = self._get_id_attribute(name, attrs)
    if element_id is not None:
        attrs['id'] = element_id
    if type not in self.SKIP_VALUE_TYPES:
        raw_value = self._get_value_attribute(name, value)
        attrs['value'] = escape_silent(raw_value)
    attrs['type'] = type
    return Markup('<input {} />'.format(self._compile_attributes(attrs)))
def format_attrs(**attrs):
    """Render keyword arguments as HTML attributes.

    Returns a string of ' key="value"' pairs, each with a leading space,
    ready to drop into an opening tag.  Attributes are emitted in sorted
    key order; values are HTML-escaped with escape_silent; a None value
    suppresses the whole attribute.  Attribute *names* are inserted as-is.

    Usage:
    >>> format_attrs(p=2, q=3) == u' p="2" q="3"'
    True
    >>> format_attrs(p=2, q=None) == u' p="2"'
    True
    >>> format_attrs(p=None) == u''
    True
    """
    rendered = []
    for key, value in sorted(attrs.items()):
        if value is None:
            continue
        rendered.append(u' %s="%s"' % (key, escape_silent(value)))
    return u''.join(rendered)
def format_attrs(**attrs):
    """Render keyword arguments as HTML attributes.

    Returns a string of ' key="value"' pairs, each with a leading space,
    ready to drop into an opening tag.  Attributes are emitted in sorted
    key order; values are HTML-escaped with escape_silent; a None value
    suppresses the whole attribute.  Attribute *names* are inserted as-is.

    Usage:
    >>> format_attrs(p=2, q=3) == u' p="2" q="3"'
    True
    >>> format_attrs(p=2, q=None) == u' p="2"'
    True
    >>> format_attrs(p=None) == u''
    True
    """
    def render(key, value):
        return ' {}="{}"'.format(key, escape_silent(value))

    present = ((k, v) for k, v in sorted(attrs.items()) if v is not None)
    return ''.join(render(k, v) for k, v in present)
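def test_escape_silent():
    """escape_silent differs from escape only for None: it yields empty Markup
    instead of the text 'None'.  For real text both return the entity-escaped
    form, so the expected Markup must be the escaped string, not the raw tag.
    """
    assert escape_silent(None) == Markup()
    assert escape(None) == Markup(None)
    # "<foo>" escapes to "&lt;foo&gt;"; comparing against an unescaped
    # Markup("<foo>") could never match the escaper's output.
    assert escape_silent("<foo>") == Markup(u"&lt;foo&gt;")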
def update_description(self, text: str) -> None:
    """Store an HTML-escaped copy of *text* as the description and commit.

    escape_silent turns None into an empty string rather than the text
    'None'.  The stored value is already escaped, so check that the
    rendering side does not escape it a second time.
    """
    escaped = escape_silent(text)
    self.description = str(escaped)
    db.commit()
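def test_escape_silent(self):
    """escape_silent differs from escape only for None: it yields empty Markup
    instead of the text 'None'.  For real text both return the entity-escaped
    form, so the expected Markup must be the escaped string, not the raw tag.
    """
    assert escape_silent(None) == Markup()
    assert escape(None) == Markup(None)
    # '<foo>' escapes to '&lt;foo&gt;'; comparing against an unescaped
    # Markup('<foo>') could never match the escaper's output.
    assert escape_silent('<foo>') == Markup('&lt;foo&gt;')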
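def test_escape_silent(self):
    """escape_silent differs from escape only for None: it yields empty Markup
    instead of the text 'None'.  For real text both return the entity-escaped
    form, so the expected Markup must be the escaped string, not the raw tag.
    """
    assert escape_silent(None) == Markup()
    assert escape(None) == Markup(None)
    # '<foo>' escapes to '&lt;foo&gt;'; comparing against an unescaped
    # Markup('<foo>') could never match the escaper's output.
    assert escape_silent('<foo>') == Markup(u'&lt;foo&gt;')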
def sanitise_text(self, data: dict, **kw) -> dict:
    """HTML-escape ``data['text']`` in place and return the same dict.

    Uses markupsafe.escape_silent, so a None value becomes empty Markup
    rather than the string 'None'.  Extra keyword arguments are accepted
    for interface compatibility and ignored; a missing 'text' key raises
    KeyError.
    """
    data.update(text=markupsafe.escape_silent(data['text']))
    return data
def escape(value):
    """Coerce *value* to unicode text, then HTML-escape it with escape_silent.

    Returns a Markup instance.  How None and non-text values are represented
    before escaping is decided by ``to_unicode``.
    """
    text = to_unicode(value)
    return escape_silent(text)
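def test_escape_silent(self):
    """escape_silent differs from escape only for None: it yields empty Markup
    instead of the text 'None'.  For real text both return the entity-escaped
    form, so the expected Markup must be the escaped string, not the raw tag.
    """
    assert escape_silent(None) == Markup()
    assert escape(None) == Markup(None)
    # "<foo>" escapes to "&lt;foo&gt;"; comparing against an unescaped
    # Markup("<foo>") could never match the escaper's output.
    assert escape_silent("<foo>") == Markup(u"&lt;foo&gt;")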
def send_email(request, author, to, subject, message, ignore_block=False, domain_override=None):
    """Send a plain-text email through the request's mailer, honouring the
    database's TrainingMode / NoEmail switches.

    ``to`` may be a comma-separated string or a list/tuple/set of addresses;
    blank entries are dropped.  When a default sender address is configured
    for the selected area (VOL or CIC, each falling back to the other), the
    mail goes out *from* that address and the original ``author`` becomes the
    Reply-To; otherwise ``author`` is used as-is and no Reply-To is set.

    In TrainingMode the message is only previewed via ``request.email_notice``
    (body escaped with escape_silent, newlines turned into <br>); when NoEmail
    is set and ``ignore_block`` is false a block notice is shown instead.  The
    mail is actually sent only when neither switch applies (or ``ignore_block``
    overrides both) and ``to`` and ``author`` are both non-empty.  Returns None.
    """
    if not isinstance(to, (list, tuple, set)):
        to = [x.strip() for x in to.split(",")]
    to = [str(x) for x in to if x]
    dboptions = request.dboptions
    TrainingMode = dboptions.TrainingMode
    NoEmail = dboptions.NoEmail
    domain = domain_override or request.pageinfo.DbArea
    # Pick the area's default sender, falling back to the other area's.
    if domain == const.DM_VOL:
        from_email = dboptions.DefaultEmailVOL or dboptions.DefaultEmailCIC
        from_name = dboptions.DefaultEmailNameVOL or dboptions.DefaultEmailNameCIC or ""
    else:
        from_email = dboptions.DefaultEmailCIC or dboptions.DefaultEmailVOL
        from_name = dboptions.DefaultEmailNameCIC or dboptions.DefaultEmailNameVOL or ""
    if from_email:
        # Send from the configured address; keep the caller's author as
        # Reply-To, reusing its display name when it has one.
        reply = author
        author = parseaddr(author)
        author = formataddr((author[0] or from_name, from_email))
    else:
        reply = None
    if TrainingMode:
        # XXX Fill message
        # Preview only.  The body is escaped before newlines become <br>; the
        # header values are interpolated through Markup's % operator.
        request.email_notice(
            Markup("""
<p>Sending Email...<br><br>
<strong>From:</strong> %s<br><br>
<strong>To:</strong> %s<br><br>
<strong>Reply-To:</strong> %s<br><br>
<strong>Subject:</strong> %s<br><br>
<strong>Message:</strong><br>%s</p>""") % (
                author, ", ".join(to), reply or "", subject,
                escape_silent(message).replace("\n", Markup("<br>")).replace(
                    "\r", ""),
            ))
    elif not ignore_block and NoEmail:
        # XXX Fill message
        request.email_notice(
            _("This database has been configured to block all outgoing Email.", request))
    # ignore_block overrides both switches; an empty recipient list or author
    # still suppresses sending.
    if ((not TrainingMode or ignore_block) and (not NoEmail or ignore_block)
            and to and author):
        mailer = _get_mailer(request)
        args = dict(author=[str(author)], to=to, subject=subject, plain=message)
        if reply:
            args["reply"] = [str(reply)]
        message = Message(**args)
        mailer.send(message)
def test(): ts = TAINTED_STRING # class `Markup` can be used for things that are already safe. # if used with any text in a string operation, that other text will be escaped. # # see https://markupsafe.palletsprojects.com/en/2.0.x/ m_unsafe = Markup(TAINTED_STRING) m_safe = Markup(SAFE) # this 3 tests might look strange, but the purpose is to check we still treat `ts` # as tainted even after it has been escaped in some place. This _might_ not be the # case since data-flow library has taint-steps from adjacent uses... ensure_tainted(ts) # $ tainted ensure_not_tainted( escape(ts)) # $ escapeInput=ts escapeKind=html escapeOutput=escape(..) ensure_tainted(ts) # $ tainted ensure_tainted( ts, # $ tainted m_unsafe, # $ tainted m_unsafe + SAFE, # $ escapeInput=SAFE escapeKind=html escapeOutput=BinaryExpr MISSING: tainted SAFE + m_unsafe, # $ escapeInput=SAFE escapeKind=html escapeOutput=BinaryExpr MISSING: tainted m_unsafe.format( SAFE ), # $ escapeInput=SAFE escapeKind=html escapeOutput=m_unsafe.format(..) MISSING: tainted m_unsafe % SAFE, # $ escapeInput=SAFE escapeKind=html escapeOutput=BinaryExpr MISSING: tainted m_unsafe + ts, # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr MISSING: tainted m_safe.format(m_unsafe), # $ tainted m_safe % m_unsafe, # $ tainted escape(ts).unescape( ), # $ escapeInput=ts escapeKind=html escapeOutput=escape(..) MISSING: tainted escape_silent(ts).unescape( ), # $ escapeInput=ts escapeKind=html escapeOutput=escape_silent(..) MISSING: tainted ) ensure_not_tainted( escape(ts), # $ escapeInput=ts escapeKind=html escapeOutput=escape(..) escape_silent( ts ), # $ escapeInput=ts escapeKind=html escapeOutput=escape_silent(..) Markup.escape( ts ), # $ escapeInput=ts escapeKind=html escapeOutput=Markup.escape(..) 
m_safe, m_safe + ts, # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr ts + m_safe, # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr m_safe.format( ts ), # $ escapeInput=ts escapeKind=html escapeOutput=m_safe.format(..) m_safe % ts, # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr escape(ts) + ts, # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr escapeOutput=escape(..) escape_silent(ts) + ts, # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr escapeOutput=escape_silent(..) Markup.escape(ts) + ts, # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr escapeOutput=Markup.escape(..) ) # flask re-exports these, as: # flask.escape = markupsafe.escape # flask.Markup = markupsafe.Markup import flask ensure_tainted( flask.Markup(ts), # $ tainted ) ensure_not_tainted( flask.escape( ts ), # $ escapeInput=ts escapeKind=html escapeOutput=flask.escape(..) flask.Markup.escape( ts ), # $ escapeInput=ts escapeKind=html escapeOutput=flask.Markup.escape(..) )