def validate_start_url(value: str, varprefix: str) -> None:
    """Reject a start URL that is_allowed_url() does not accept.

    On rejection an MKUserError keyed by *varprefix* is raised so the form
    can attach the message to the offending field; the message tells the
    user that only relative URLs (``dashboard.py?name=...``) are accepted.
    """
    if is_allowed_url(value):
        return
    message = _(
        "The given value is not allowed. You may only configure "
        "relative URLs like <tt>dashboard.py?name=my_dashboard</tt>."
    )
    raise MKUserError(varprefix, message)
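def get_url_input(self, varname: str, deflt: Optional[str] = None) -> str:
    """Retrieve a URL from the HTTP parameter *varname*, restricted by is_allowed_url().

    Mostly used for the "back url", which is then turned into a link to the
    previous page. Because the value comes from the request, it is
    restricted to URLs that utils.is_allowed_url() accepts, so a request
    cannot plant an arbitrary link target for the user.

    If the parameter is missing or not an allowed URL, *deflt* is returned
    when one was supplied (``deflt is not None``); otherwise an MKUserError
    for *varname* is raised. The original version tested ``is not None``
    on the missing path but plain truthiness on the invalid path, so an
    empty-string default was honoured in one case and raised in the other;
    both paths now apply the same ``is not None`` test.
    """
    if not self.has_var(varname):
        if deflt is not None:
            return deflt
        raise MKUserError(varname, _('The parameter "%s" is missing.') % varname)

    url = self.var(varname)
    assert url is not None

    if not utils.is_allowed_url(url):
        # Same rule as the missing-parameter path above: any supplied
        # default wins over raising, even an empty string.
        if deflt is not None:
            return deflt
        raise MKUserError(varname, _('The parameter "%s" is not a valid URL.') % varname)

    return url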
def _get_start_url():
    # type: () -> str
    """Resolve the start URL from the "start_url" request parameter.

    The fallback is the user's "start_url" attribute, or config.start_url
    when that is unset; a fallback that utils.is_allowed_url() rejects is
    replaced by "dashboard.py" before html.get_url_input() applies the
    same URL check to the request parameter itself.
    """
    candidate = config.user.get_attribute("start_url", config.start_url) or config.start_url
    fallback = candidate if utils.is_allowed_url(candidate) else "dashboard.py"
    return html.get_url_input("start_url", fallback)
def _unescape_link(escaped_str: str) -> str:
    """helper for escape_text to unescape links

    Every escaped closing ``</a>`` is restored first (even ones without an
    opening tag). Then each ``<a href=...>`` matched by _A_HREF is restored
    only if its href passes is_allowed_url() for cross-domain http, https
    or mailto URLs; tags with an empty or disallowed href stay escaped.

    >>> _unescape_link('</a>')
    '</a>'
    >>> _unescape_link('foo<a href="">bar</a>foobar')
    'foo<a href="">bar</a>foobar'
    >>> _unescape_link('foo<a href="mailto:[email protected]">bar')
    'foo<a href="mailto:[email protected]">bar'
    """
    result = _CLOSING_A.sub(r"</a>", escaped_str)
    allowed_schemes = ["http", "https", "mailto"]
    # finditer() is bound to the string object it was given, so rebinding
    # `result` inside the loop does not disturb the iteration.
    for match in _A_HREF.finditer(result):
        href, target = match.group(1), match.group(2)
        if not href or not is_allowed_url(href, cross_domain=True, schemes=allowed_schemes):
            continue  # keep links with empty or disallowed URLs escaped
        if target:
            restored_tag = '<a href="%s" target="%s">' % (href, target)
        else:
            restored_tag = '<a href="%s">' % href
        result = result.replace(match.group(0), restored_tag)
    return result
def test_is_allowed_url_regression(url, expected):
    """Regression test for is_allowed_url (which also carries its own doctests).

    Reasons for this test:
    - Werk 13197
    """
    result = is_allowed_url(url)
    assert result == expected, "is_allowed_url(%r) returned %r, expected %r" % (
        url,
        result,
        expected,
    )
def validate_url(cls, value: str, varprefix: str) -> None:
    """Reject a bookmark URL unless is_allowed_url() accepts it.

    Cross-domain http and https URLs are permitted; anything else raises an
    MKUserError keyed by *varprefix*.
    """
    allowed = is_allowed_url(value, cross_domain=True, schemes=["http", "https"])
    if allowed:
        return
    # NOTE(review): "ist" in the message looks like a typo, but the text is
    # passed through _() and is kept byte-identical here.
    raise MKUserError(varprefix, _("This URL ist not allowed to be used as bookmark"))
def _get_start_url() -> str:
    """Resolve the start URL from the "start_url" request parameter.

    The fallback is user.start_url, or config.start_url when that is unset;
    a fallback that utils.is_allowed_url() rejects is replaced by
    "dashboard.py" before request.get_url_input() applies the same URL
    check to the request parameter itself.
    """
    candidate = user.start_url or config.start_url
    fallback = candidate if utils.is_allowed_url(candidate) else "dashboard.py"
    return request.get_url_input("start_url", fallback)