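    def create_link(cls,
                    user: User,
                    link_url: str,
                    description: Optional[str] = None):
        """Create and persist a link owned by *user*.

        Args:
            user: the owner; only ``user.user_id`` is read.
            link_url: the URL to store. It is percent-decoded first and the
                decoded form is what gets persisted, so a rendering layer
                must still escape it for the context it is placed in.
            description: optional label. When omitted, the URL's host part
                is used. Either way the stored value is HTML-escaped (an
                explicit description is whitespace-squeezed as well).

        Returns:
            The new link instance, after ``db.commit()``.

        Raises:
            ValueError: if the decoded URL has neither a scheme nor a host.
        """
        url_link_unquoted = unquote(link_url)
        parsed_url = urlparse(url_link_unquoted)

        # Rejects bare words with neither part. A scheme alone still passes
        # (e.g. "mailto:..."), so no scheme allow-list is applied here;
        # code that renders the link as an href should apply its own.
        if not parsed_url.scheme and not parsed_url.netloc:
            raise ValueError("Invalid linked url")

        if description:
            description = str(escape_silent(squeeze(description)))
        else:
            # The host comes from the same untrusted input as an explicit
            # description would; escape it too so both branches store the
            # same kind of value.
            description = str(escape_silent(parsed_url.netloc))

        # An icon is optional: a URL the icon helper cannot handle simply
        # leaves icon_id empty.
        try:
            link_icon_id = LinkIcon.get_or_create_icon(parsed_url).icon_id
        except ValueError:
            link_icon_id = None

        new_link = cls(user_id=user.user_id,
                       link_url=url_link_unquoted,
                       description=description,
                       icon_id=link_icon_id)
        db.commit()

        return new_link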
    def update_user_name(self, name: str) -> None:
        """Store a cleaned, HTML-escaped copy of *name* and commit.

        Raises:
            ValueError: if nothing is left after squeezing and escaping.
        """
        cleaned = str(escape_silent(squeeze(name)))
        if not cleaned:
            raise ValueError("Invalid name length")

        # TODO: remove cached page and update image
        self.name = cleaned
        db.commit()
def send_email(request, author, to, subject, message, ignore_block=False, domain_override=None):
	"""Send a plain-text email from *author*, honouring the database's
	TrainingMode and NoEmail switches.

	Args:
		request: current request; supplies ``dboptions``, ``pageinfo.DbArea``
			and ``email_notice``.
		author: sender address as given by the caller.
		to: recipients, either a comma-separated string or a list/tuple/set;
			blank entries are dropped.
		subject: message subject, passed to the mailer unchanged.
		message: plain-text body, passed to the mailer unchanged.
		ignore_block: when true, send even if TrainingMode or NoEmail is set.
		domain_override: area code used instead of ``request.pageinfo.DbArea``
			when choosing the configured sender.

	Side effects:
		In TrainingMode an HTML preview of the mail is pushed through
		``request.email_notice``; when NoEmail is set (and not overridden)
		a blocking notice is pushed instead. The mail is handed to the
		mailer only when neither switch blocks it (or ``ignore_block`` is
		set) and both a recipient list and an author remain.
	"""

	# Normalise the recipient list: a string is split on commas and stripped.
	if not isinstance(to, (list, tuple, set)):
		to = [x.strip() for x in to.split(',')]

	to = [unicode(x) for x in to if x]
	dboptions = request.dboptions
	TrainingMode = dboptions.TrainingMode
	NoEmail = dboptions.NoEmail
	# Each area falls back to the other area's sender settings when its own
	# are empty.
	domain = domain_override or request.pageinfo.DbArea
	if domain == const.DM_VOL:
		from_email = dboptions.DefaultEmailVOL or dboptions.DefaultEmailCIC
		from_name = dboptions.DefaultEmailNameVOL or dboptions.DefaultEmailNameCIC or u''
	else:
		from_email = dboptions.DefaultEmailCIC or dboptions.DefaultEmailVOL
		from_name = dboptions.DefaultEmailNameCIC or dboptions.DefaultEmailNameVOL or u''

	# With a configured sender the mail goes out from that address (keeping
	# the author's display name when there is one) and the original author
	# becomes the Reply-To; otherwise the author is used as-is.
	# NOTE(review): author and subject reach the mailer unchanged; confirm
	# that Message/mailer sanitise header values (newlines) before sending.
	if from_email:
		reply = author
		author = parseaddr(author)
		author = formataddr((author[0] or from_name, from_email))
	else:
		reply = None

	if TrainingMode:
		# XXX Fill message
		# The body is escaped by hand so the newline -> <br> substitution can
		# insert Markup; the other operands are escaped by ``Markup % ...``.
		request.email_notice(
			Markup(
				'''
				<p>Sending Email...<br><br>
				<strong>From:</strong> %s<br><br>
				<strong>To:</strong> %s<br><br>
				<strong>Reply-To:</strong> %s<br><br>
				<strong>Subject:</strong> %s<br><br>
				<strong>Message:</strong><br>%s</p>'''
			) % (
				author, ', '.join(to), reply or '',
				subject,
				escape_silent(message).replace('\n', Markup('<br>')).replace('\r', '')))

	elif not ignore_block and NoEmail:
		# XXX Fill message
		request.email_notice(_('This database has been configured to block all outgoing Email.', request))

	# Either switch blocks delivery unless the caller overrides it; in
	# TrainingMode with ignore_block the preview above is shown AND the
	# mail is sent.
	if (not TrainingMode or ignore_block) and (not NoEmail or ignore_block) and to and author:
		mailer = _get_mailer(request)
		args = dict(author=[unicode(author)], to=to, subject=subject, plain=message)
		if reply:
			args['reply'] = [unicode(reply)]
		message = Message(**args)
		mailer.send(message)
    def send(self, message):
        """Record an HTML preview of *message* in the session flash queue.

        Nothing is transmitted by this method: the rendered preview is logged
        at debug level and flashed under the ``'email_messages'`` queue. The
        plain body is escaped explicitly so that its newlines can be turned
        into ``<br>`` Markup; the remaining fields are escaped by
        ``Markup % ...``.
        """
        template = Markup('''\
			<p>Sending Email...<br><br>
			<strong>From:</strong> %s<br><br>
			<strong>To:</strong> %s<br><br>
			<strong>Reply-To:</strong> %s<br><br>
			<strong>Subject:</strong> %s<br><br>
			<strong>Message:</strong><br>%s</p>''')
        recipients = ', '.join(unicode(addr) for addr in message.to)
        body = escape_silent(message.plain).replace('\n', Markup('<br>')).replace('\r', '')
        markup = template % (message.author, recipients, message.reply or '', message.subject, body)
        log.debug('Sending email %s', markup)
        self.request.session.flash(markup, 'email_messages')
 def paste(self, text, richText):
     """Paste *text* with Ctrl+V, then restore the previous clipboard.

     The clipboard is loaded with *text* plus an HTML form: *richText* when
     given, otherwise an HTML-escaped copy of *text*. The short sleeps give
     the clipboard and the key events time to settle; the original clipboard
     contents are written back at the end.
     """
     saved = self.clipboard.get_with_rich_text()
     time.sleep(0.05)
     html = richText if richText else str(escape_silent(text))
     self.clipboard.set_with_rich_text(text, html)
     time.sleep(0.05)
     self.keyboard.keypress(Key.KEY_CTRL, state=KeyState.PRESSED)
     self.keyboard.keypress(Key.KEY_V)
     self.keyboard.keypress(Key.KEY_CTRL, state=KeyState.RELEASED)
     time.sleep(0.3)
     self.clipboard.set_with_rich_text(*map(str, saved))
    def create_user(cls, user_id: str, name: str):
        """Create and persist a user with a cleaned *user_id*.

        *name* must contain a match for ``whitespace_re`` (its pattern is
        defined elsewhere); *user_id* is whitespace-squeezed and HTML-escaped
        before it is stored.

        Raises:
            cls.exc.InvalidNameError: if *name* does not match ``whitespace_re``.
            cls.exc.InvalidIDError: if nothing is left of *user_id* after cleaning.
        """
        if whitespace_re.search(name) is None:
            raise cls.exc.InvalidNameError("Invalid name")

        cleaned_id = str(escape_silent(squeeze(user_id)))
        if not cleaned_id:
            raise cls.exc.InvalidIDError(
                "Invalid user_id length after cleaning")

        created = cls(user_id=cleaned_id)
        db.commit()

        return created
	def send(self, message):
		"""Record an HTML preview of *message* in the session flash queue.

		Nothing is transmitted here: the preview is logged at debug level and
		flashed under ``'email_messages'``. The plain body is escaped
		explicitly so its newlines can become ``<br>`` Markup; the other
		fields are escaped by ``Markup % ...``.
		"""
		template = Markup(
			'''\
			<p>Sending Email...<br><br>
			<strong>From:</strong> %s<br><br>
			<strong>To:</strong> %s<br><br>
			<strong>Reply-To:</strong> %s<br><br>
			<strong>Subject:</strong> %s<br><br>
			<strong>Message:</strong><br>%s</p>'''
		)
		recipients = ', '.join(unicode(addr) for addr in message.to)
		body = escape_silent(message.plain).replace('\n', Markup('<br>')).replace('\r', '')
		markup = template % (message.author, recipients, message.reply or '', message.subject, body)
		log.debug('Sending email %s', markup)
		self.request.session.flash(markup, 'email_messages')
    def input(self, type, name, value=None, **kwargs):
        """Render a generic ``<input>`` element as Markup.

        *name* is added as the ``name`` attribute unless one was passed
        explicitly; ``id`` comes from ``_get_id_attribute`` when it returns
        something; ``value`` is HTML-escaped and added unless *type* is in
        ``SKIP_VALUE_TYPES``. ``type`` always overrides any ``type`` in kwargs.
        """
        if name is not None and "name" not in kwargs:
            kwargs['name'] = name

        element_id = self._get_id_attribute(name, kwargs)
        if element_id is not None:
            kwargs['id'] = element_id

        if type not in self.SKIP_VALUE_TYPES:
            raw_value = self._get_value_attribute(name, value)
            kwargs['value'] = escape_silent(raw_value)

        kwargs['type'] = type

        attributes = self._compile_attributes(kwargs)
        return Markup('<input {} />'.format(attributes))
def format_attrs(**attrs):
    """Render keyword arguments as HTML attributes.

    Returns a string of ``' key="value"'`` pairs (each with a leading space)
    ready to be dropped into an opening tag. Keys are emitted in sorted
    order; values are HTML-escaped with ``escape_silent``; a ``None`` value
    omits that attribute entirely.

    Usage:
    >>> format_attrs(p=2, q=3) == u' p="2" q="3"'
    True
    >>> format_attrs(p=2, q=None) == u' p="2"'
    True
    >>> format_attrs(p=None) == u''
    True
    """
    pieces = (u' %s="%s"' % (key, escape_silent(attrs[key]))
              for key in sorted(attrs)
              if attrs[key] is not None)
    return u''.join(pieces)
def format_attrs(**attrs):
    """Render keyword arguments as HTML attributes.

    Returns a string of ``' key="value"'`` pairs (each with a leading space)
    ready to be dropped into an opening tag. Keys are emitted in sorted
    order; values are HTML-escaped with ``escape_silent``; a ``None`` value
    omits that attribute entirely.

    Usage:
    >>> format_attrs(p=2, q=3) == u' p="2" q="3"'
    True
    >>> format_attrs(p=2, q=None) == u' p="2"'
    True
    >>> format_attrs(p=None) == u''
    True
    """
    pieces = (' %s="%s"' % (key, escape_silent(attrs[key]))
              for key in sorted(attrs)
              if attrs[key] is not None)
    return ''.join(pieces)
def test_escape_silent():
    """escape_silent maps None to empty Markup (escape does not) and escapes tags."""
    nothing = escape_silent(None)
    assert nothing == Markup()
    assert escape(None) == Markup(None)
    escaped = escape_silent("<foo>")
    assert escaped == Markup(u"&lt;foo&gt;")
 def update_description(self, text: str) -> None:
     """Replace the description with an HTML-escaped copy of *text* and commit."""
     escaped = escape_silent(text)
     self.description = str(escaped)
     db.commit()
 def test_escape_silent(self):
     """escape_silent maps None to empty Markup (escape does not) and escapes tags."""
     nothing = escape_silent(None)
     assert nothing == Markup()
     assert escape(None) == Markup(None)
     escaped = escape_silent('<foo>')
     assert escaped == Markup('&lt;foo&gt;')
 def test_escape_silent(self):
     """escape_silent maps None to empty Markup (escape does not) and escapes tags."""
     nothing = escape_silent(None)
     assert nothing == Markup()
     assert escape(None) == Markup(None)
     escaped = escape_silent('<foo>')
     assert escaped == Markup(u'&lt;foo&gt;')
 def sanitise_text(self, data: dict, **kw) -> dict:
     """HTML-escape ``data['text']`` in place and return the same dict.

     The escaped value is the Markup object returned by ``escape_silent``;
     extra keyword arguments are accepted and ignored.
     """
     raw = data['text']
     data['text'] = markupsafe.escape_silent(raw)
     return data
def escape(value):
    """Convert *value* with ``to_unicode`` and HTML-escape the result."""
    text = to_unicode(value)
    return escape_silent(text)
 def test_escape_silent(self):
     """escape_silent maps None to empty Markup (escape does not) and escapes tags."""
     nothing = escape_silent(None)
     assert nothing == Markup()
     assert escape(None) == Markup(None)
     escaped = escape_silent("<foo>")
     assert escaped == Markup(u"&lt;foo&gt;")
def send_email(request,
               author,
               to,
               subject,
               message,
               ignore_block=False,
               domain_override=None):
    """Send a plain-text email from *author*, honouring the database's
    TrainingMode and NoEmail switches.

    Args:
        request: current request; supplies ``dboptions``, ``pageinfo.DbArea``
            and ``email_notice``.
        author: sender address as given by the caller.
        to: recipients, either a comma-separated string or a list/tuple/set;
            blank entries are dropped.
        subject: message subject, passed to the mailer unchanged.
        message: plain-text body, passed to the mailer unchanged.
        ignore_block: when true, send even if TrainingMode or NoEmail is set.
        domain_override: area code used instead of ``request.pageinfo.DbArea``
            when choosing the configured sender.

    Side effects:
        In TrainingMode an HTML preview of the mail is pushed through
        ``request.email_notice``; when NoEmail is set (and not overridden)
        a blocking notice is pushed instead. The mail is handed to the
        mailer only when neither switch blocks it (or ``ignore_block`` is
        set) and both a recipient list and an author remain.
    """
    # Normalise the recipient list: a string is split on commas and stripped.
    if not isinstance(to, (list, tuple, set)):
        to = (piece.strip() for piece in to.split(","))
    recipients = [str(addr) for addr in to if addr]

    dboptions = request.dboptions
    training_mode = dboptions.TrainingMode
    no_email = dboptions.NoEmail

    # Each area falls back to the other area's sender settings when its own
    # are empty.
    area = domain_override or request.pageinfo.DbArea
    if area == const.DM_VOL:
        from_email = dboptions.DefaultEmailVOL or dboptions.DefaultEmailCIC
        from_name = dboptions.DefaultEmailNameVOL or dboptions.DefaultEmailNameCIC or ""
    else:
        from_email = dboptions.DefaultEmailCIC or dboptions.DefaultEmailVOL
        from_name = dboptions.DefaultEmailNameCIC or dboptions.DefaultEmailNameVOL or ""

    # With a configured sender the mail goes out from that address (keeping
    # the author's display name when there is one) and the original author
    # becomes the Reply-To; otherwise the author is used as-is.
    reply = None
    if from_email:
        reply = author
        display_name = parseaddr(author)[0]
        author = formataddr((display_name or from_name, from_email))

    if training_mode:
        # XXX Fill message
        preview = Markup("""
                <p>Sending Email...<br><br>
                <strong>From:</strong> %s<br><br>
                <strong>To:</strong> %s<br><br>
                <strong>Reply-To:</strong> %s<br><br>
                <strong>Subject:</strong> %s<br><br>
                <strong>Message:</strong><br>%s</p>""")
        # The body is escaped by hand so the newline -> <br> substitution can
        # insert Markup; the other operands are escaped by ``Markup % ...``.
        body_html = escape_silent(message).replace("\n", Markup("<br>")).replace("\r", "")
        request.email_notice(preview % (
            author,
            ", ".join(recipients),
            reply or "",
            subject,
            body_html,
        ))
    elif no_email and not ignore_block:
        # XXX Fill message
        request.email_notice(
            _("This database has been configured to block all outgoing Email.",
              request))

    # Either switch blocks delivery unless the caller overrides it; in
    # TrainingMode with ignore_block the preview is shown AND the mail sent.
    blocked = (training_mode or no_email) and not ignore_block
    if not blocked and recipients and author:
        fields = {
            "author": [str(author)],
            "to": recipients,
            "subject": subject,
            "plain": message,
        }
        if reply:
            fields["reply"] = [str(reply)]
        _get_mailer(request).send(Message(**fields))
def test():
    """Taint-tracking fixture for markupsafe escaping.

    Each call carries an inline expectation comment (``# $ ...``) that the
    analysis harness checks against its results; the comments are part of
    the test and must stay on the lines they annotate. The fixture asserts
    that ``escape``/``escape_silent``/``Markup.escape`` (and Flask's
    re-exports) neutralise a tainted string, that wrapping tainted text in
    ``Markup`` does not, and that mixing a safe ``Markup`` with plain text
    escapes the plain operand.
    """
    ts = TAINTED_STRING

    # class `Markup` can be used for things that are already safe.
    # if used with any text in a string operation, that other text will be escaped.
    #
    # see https://markupsafe.palletsprojects.com/en/2.0.x/
    m_unsafe = Markup(TAINTED_STRING)
    m_safe = Markup(SAFE)

    # this 3 tests might look strange, but the purpose is to check we still treat `ts`
    # as tainted even after it has been escaped in some place. This _might_ not be the
    # case since data-flow library has taint-steps from adjacent uses...
    ensure_tainted(ts)  # $ tainted
    ensure_not_tainted(
        escape(ts))  # $ escapeInput=ts escapeKind=html escapeOutput=escape(..)
    ensure_tainted(ts)  # $ tainted

    ensure_tainted(
        ts,  # $ tainted
        m_unsafe,  # $ tainted
        m_unsafe +
        SAFE,  # $ escapeInput=SAFE escapeKind=html escapeOutput=BinaryExpr MISSING: tainted
        SAFE +
        m_unsafe,  # $ escapeInput=SAFE escapeKind=html escapeOutput=BinaryExpr MISSING: tainted
        m_unsafe.format(
            SAFE
        ),  # $ escapeInput=SAFE escapeKind=html escapeOutput=m_unsafe.format(..) MISSING: tainted
        m_unsafe %
        SAFE,  # $ escapeInput=SAFE escapeKind=html escapeOutput=BinaryExpr MISSING: tainted
        m_unsafe +
        ts,  # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr MISSING: tainted
        m_safe.format(m_unsafe),  # $ tainted
        m_safe % m_unsafe,  # $ tainted
        escape(ts).unescape(
        ),  # $ escapeInput=ts escapeKind=html escapeOutput=escape(..) MISSING: tainted
        escape_silent(ts).unescape(
        ),  # $ escapeInput=ts escapeKind=html escapeOutput=escape_silent(..) MISSING: tainted
    )

    ensure_not_tainted(
        escape(ts),  # $ escapeInput=ts escapeKind=html escapeOutput=escape(..)
        escape_silent(
            ts
        ),  # $ escapeInput=ts escapeKind=html escapeOutput=escape_silent(..)
        Markup.escape(
            ts
        ),  # $ escapeInput=ts escapeKind=html escapeOutput=Markup.escape(..)
        m_safe,
        m_safe +
        ts,  # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr
        ts +
        m_safe,  # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr
        m_safe.format(
            ts
        ),  # $ escapeInput=ts escapeKind=html escapeOutput=m_safe.format(..)
        m_safe %
        ts,  # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr
        escape(ts) +
        ts,  # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr escapeOutput=escape(..)
        escape_silent(ts) +
        ts,  # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr escapeOutput=escape_silent(..)
        Markup.escape(ts) +
        ts,  # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr escapeOutput=Markup.escape(..)
    )

    # flask re-exports these, as:
    # flask.escape = markupsafe.escape
    # flask.Markup = markupsafe.Markup
    import flask

    ensure_tainted(
        flask.Markup(ts),  # $ tainted
    )

    ensure_not_tainted(
        flask.escape(
            ts
        ),  # $ escapeInput=ts escapeKind=html escapeOutput=flask.escape(..)
        flask.Markup.escape(
            ts
        ),  # $ escapeInput=ts escapeKind=html escapeOutput=flask.Markup.escape(..)
    )