예제 #1
def validate_start_url(value: str, varprefix: str) -> None:
    """Reject a configured start URL unless ``is_allowed_url`` accepts it.

    ``is_allowed_url`` is called with its default arguments, i.e. without the
    ``cross_domain`` / ``schemes`` relaxations used elsewhere for bookmarks
    and links.  According to the error text, only relative URLs are meant to
    pass.

    Args:
        value: The start URL entered by the user.
        varprefix: Identifier of the form field, passed on to the error so it
            can be attached to the offending input.

    Raises:
        MKUserError: If ``value`` is not an allowed URL.
    """
    if is_allowed_url(value):
        return

    # The start URL is stored and later used as a navigation target, so it is
    # validated at configuration time, before it is persisted.
    raise MKUserError(
        varprefix,
        _("The given value is not allowed. You may only configure "
          "relative URLs like <tt>dashboard.py?name=my_dashboard</tt>."),
    )
예제 #2
파일: http.py 프로젝트: troelsarvin/checkmk
    def get_url_input(self, varname: str, deflt: Optional[str] = None) -> str:
        """Return the URL given in HTTP parameter ``varname``, or ``deflt``.

        Mostly used for the "back url" that is turned into a link to the
        previous page.  The value comes straight from the request, so it is
        only returned when ``utils.is_allowed_url`` accepts it; restricting
        the URLs is necessary to prevent attacks on users.

        Args:
            varname: Name of the HTTP parameter that carries the URL.
            deflt: Fallback URL used when the parameter is missing or invalid.

        Returns:
            The request-supplied URL if it is allowed, otherwise ``deflt``.

        Raises:
            MKUserError: If the parameter is missing or invalid and no usable
                fallback was given.

        Note:
            ``deflt`` is returned as-is and is *not* passed through
            ``utils.is_allowed_url`` here, so callers must only hand in a
            trusted or already validated value.
        """
        if self.has_var(varname):
            candidate = self.var(varname)
            assert candidate is not None

            if utils.is_allowed_url(candidate):
                return candidate

            # NOTE(review): this branch tests truthiness while the "missing"
            # branch below tests ``is None``; an empty-string ``deflt`` is
            # therefore returned for a missing parameter but raises for an
            # invalid one.  Confirm whether that asymmetry is intended.
            if deflt:
                return deflt
            raise MKUserError(
                varname,
                _('The parameter "%s" is not a valid URL.') % varname)

        if deflt is None:
            raise MKUserError(varname,
                              _('The parameter "%s" is missing.') % varname)
        return deflt
예제 #3
파일: main.py 프로젝트: surajrb/checkmk
def _get_start_url():
    # type: () -> str
    """Return the URL the main page should open first.

    The fallback is the user's ``start_url`` attribute, or ``config.start_url``
    when the attribute is unset or empty.  If that fallback is not accepted by
    ``utils.is_allowed_url`` it is replaced by ``"dashboard.py"``.  The result
    of ``html.get_url_input("start_url", fallback)`` is returned.
    """
    fallback = config.user.get_attribute("start_url", config.start_url) or config.start_url

    # The configured value is checked here before it is handed over as the
    # default.  NOTE(review): presumably get_url_input() returns its default
    # without validating it again -- confirm against that method.
    fallback = fallback if utils.is_allowed_url(fallback) else "dashboard.py"

    return html.get_url_input("start_url", fallback)
예제 #4
def _unescape_link(escaped_str: str) -> str:
    """Turn escaped ``<a href=...>`` / ``</a>`` markup back into real tags.

    Helper for escape_text.  Every escaped `</a>` is unescaped, even one that
    has no opening tag.  An escaped opening tag is only unescaped when its
    href is non-empty and ``is_allowed_url`` accepts it with
    ``cross_domain=True`` and the schemes http, https and mailto; any other
    opening tag stays escaped and is therefore rendered as text.

    >>> _unescape_link('&lt;/a&gt;')
    '</a>'
    >>> _unescape_link('foo&lt;a href=&quot;&quot;&gt;bar&lt;/a&gt;foobar')
    'foo&lt;a href=&quot;&quot;&gt;bar</a>foobar'
    >>> _unescape_link('foo&lt;a href=&quot;mailto:[email protected]&quot;&gt;bar')
    'foo<a href="mailto:[email protected]">bar'
    """
    # NOTE(review): the address in the last doctest reads "[email protected]",
    # which looks like the hosting page's e-mail obfuscation rather than the
    # original example; restore a real address before running the doctest.
    escaped_str = _CLOSING_A.sub(r"</a>", escaped_str)

    # finditer() walks the string as it is at this point; the replacements
    # below rebind ``escaped_str`` and do not affect the running iteration.
    for match in _A_HREF.finditer(escaped_str):
        link_url = match.group(1)

        # Leave the tag escaped when there is no href or the href is not an
        # allowed URL.
        if not link_url or not is_allowed_url(
                link_url, cross_domain=True, schemes=["http", "https", "mailto"]):
            continue

        # NOTE(review): only the href is validated.  The target value is
        # inserted exactly as captured, so what it may contain is decided by
        # the _A_HREF pattern, which is defined outside this function --
        # verify that the pattern restricts it.
        link_target = match.group(2)
        opening_tag = ('<a href="%s" target="%s">' % (link_url, link_target)
                       if link_target else '<a href="%s">' % link_url)

        escaped_str = escaped_str.replace(match.group(0), opening_tag)
    return escaped_str
예제 #5
def test_is_allowed_url_regression(url, expected):
    """Regression check: ``is_allowed_url(url)`` must equal ``expected``.

    ``is_allowed_url`` also has several doctests of its own.
    Reasons for this test:
        - Werk 13197

    The ``url`` / ``expected`` pairs are supplied from outside this function,
    presumably by a parametrization that this listing does not show.
    """
    verdict = is_allowed_url(url)
    assert verdict == expected
예제 #6
 def validate_url(cls, value: str, varprefix: str) -> None:
     """Reject a bookmark URL unless it is an allowed http(s) URL.

     The value is checked by ``is_allowed_url`` with ``cross_domain=True``
     and the schemes limited to http and https, so other schemes are refused.

     Args:
         value: The URL entered for the bookmark.
         varprefix: Identifier of the form field, passed on to the error.

     Raises:
         MKUserError: If ``value`` is not an allowed URL.
     """
     # NOTE(review): "ist" in the message below is a typo for "is".  The text
     # is wrapped in _(), so correcting it presumably also means updating the
     # translations keyed on this string.
     if not is_allowed_url(value, cross_domain=True, schemes=["http", "https"]):
         raise MKUserError(varprefix,
                           _("This URL ist not allowed to be used as bookmark"))
예제 #7
파일: main.py 프로젝트: petrows/checkmk
def _get_start_url() -> str:
    """Return the URL the main page should open first.

    The fallback is ``user.start_url``, or ``config.start_url`` when the user
    value is unset or empty.  If that fallback is not accepted by
    ``utils.is_allowed_url`` it is replaced by ``"dashboard.py"``.  The result
    of ``request.get_url_input("start_url", fallback)`` is returned.
    """
    fallback = user.start_url or config.start_url

    # The configured value is checked here before it is handed over as the
    # default.  NOTE(review): presumably get_url_input() returns its default
    # without validating it again -- confirm against that method.
    if not utils.is_allowed_url(fallback):
        fallback = "dashboard.py"

    return request.get_url_input("start_url", fallback)