def _encodeUnicode(params):
    """Re-encode every non-empty ``str`` in *params* in place, recursing into nested containers.

    *params* may be a ``list`` or a ``dict``.  Each non-empty string value is
    replaced by ``encodeUnicode(value)``; a value that comes back empty is
    treated as an unrecognized browser encoding and rejected with ``MaKaCError``.
    Values that are themselves lists or dicts are processed recursively through
    ``Sanitization._encodeUnicode``; any other value type is left untouched.
    """
    # Normalise both container kinds to (key, value) pairs so the body below
    # can write back through ``params[key]`` regardless of the container type.
    if isinstance(params, dict):
        pairs = list(params.items())
    else:
        pairs = list(enumerate(params))

    for key, value in pairs:
        if isinstance(value, str) and value != "":
            params[key] = encodeUnicode(value)
            if params[key] == "":
                raise MaKaCError(_("Your browser is using an encoding which is not recognized by Indico... Please make sure you set your browser encoding to utf-8"))
        elif isinstance(value, (list, dict)):
            Sanitization._encodeUnicode(value)
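def sanitizationCheck(target, params, accessWrapper):
    """Re-encode the request *params* and enforce the configured HTML sanitization level.

    Both passes visit every ``str`` value of *params* and every ``str`` item of a
    list value.  Nested dicts, and non-string items inside list values, are not
    descended into here.

    1. Every non-empty string is replaced by ``encodeUnicode(string)``; a result
       that comes back empty is treated as an unrecognized browser encoding and
       rejected with ``MaKaCError``.
    2. The sanitization level is applied:

       * 0 -- every string is rewritten with ``escape_html``.  Forced when
         ``accessWrapper.getUser()`` is falsy and *target* does not grant
         ``canModify(accessWrapper)``.
       * 1 -- ``scriptDetection`` must not fire and ``restrictedHTML`` must accept
         the string.  Default, also used when the configured level is not 0-3.
       * 2 -- as 1, but ``scriptDetection`` is called with ``allowStyle=True``.
       * 3 -- no checks at all.

    Args:
        target: object whose optional ``canModify(accessWrapper)`` lets an
            anonymous sender use the configured level instead of level 0.
        params: mapping of request parameters; string values are modified in place.
        accessWrapper: access context; only ``getUser()`` is consulted.

    Raises:
        MaKaCError: a string could not be re-encoded.
        htmlScriptError: ``scriptDetection`` reported a hit (levels 1 and 2).
        htmlForbiddenTag: ``restrictedHTML`` rejected the string (levels 1 and 2).
    """
    encoding_error = "Your browser is using an encoding which is not recognized by Indico... Please make sure you set your browser encoding to utf-8"

    def _string_slots():
        # Yield (container, key) for every str parameter and every str item of a
        # list parameter, so the caller can read or replace the value in place.
        for key, value in list(params.items()):
            if isinstance(value, str):
                yield params, key
            elif isinstance(value, list):
                for index, item in enumerate(value):
                    if isinstance(item, str):
                        yield value, index

    # Pass 1: make sure every string is utf-8.  An empty result means the browser
    # sent bytes in an encoding we cannot decode.
    for container, key in _string_slots():
        text = container[key]
        if text != "":
            container[key] = encodeUnicode(text)
            if container[key] == "":
                raise MaKaCError(encoding_error)

    # Pass 2: decide how much HTML the sender may use.  Anonymous senders only get
    # the configured level when they hold a modification right on *target*.
    if accessWrapper.getUser():
        level = Config.getInstance().getSanitizationLevel()
    elif target and hasattr(target, "canModify") and target.canModify(accessWrapper):
        level = Config.getInstance().getSanitizationLevel()
    else:
        level = 0
    if level not in range(4):
        level = 1  # unknown configuration values fall back to the default level

    if level == 3:
        return  # absolutely no checks

    if level == 0:
        for container, key in _string_slots():
            container[key] = escape_html(container[key])
        return

    # Levels 1 and 2: reject rather than rewrite.  The script check is raised on
    # each string as soon as it is computed, so a later, clean parameter cannot
    # mask an earlier hit; the tag check follows.  Direct values and list items
    # go through the same sequence.
    for container, key in _string_slots():
        text = container[key]
        if level == 2:
            hit = scriptDetection(text, allowStyle=True)
        else:
            hit = scriptDetection(text)
        if hit:
            raise htmlScriptError(text)
        if not restrictedHTML(text):
            raise htmlForbiddenTag(text)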
def escapeString(self, text):
    """Return *text* re-encoded with ``encodeUnicode`` and XML-escaped via ``saxutils.escape``.

    ``self._sourceEncoding`` is handed to ``encodeUnicode`` as its second
    argument -- presumably the encoding *text* currently uses; confirm against
    ``encodeUnicode``'s definition.
    """
    return saxutils.escape(encodeUnicode(text, self._sourceEncoding))
def escapeString(self, text):
    """Re-encode *text* with ``encodeUnicode`` and escape XML special characters.

    The second argument to ``encodeUnicode`` is ``self._sourceEncoding``;
    presumably the encoding *text* arrives in -- verify against ``encodeUnicode``.
    """
    recoded = encodeUnicode(text, self._sourceEncoding)
    escaped = saxutils.escape(recoded)
    return escaped
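def sanitizationCheck(target, params, accessWrapper):
    """Re-encode the request *params* and enforce the configured HTML sanitization level.

    Both passes visit every ``str`` value of *params* and every ``str`` item of a
    list value.  Nested dicts, and non-string items inside list values, are not
    descended into here.

    1. Every non-empty string is replaced by ``encodeUnicode(string)``; a result
       that comes back empty is treated as an unrecognized browser encoding and
       rejected with ``MaKaCError``.
    2. The sanitization level is applied:

       * 0 -- every string is rewritten with ``escape_html``.  Forced when
         ``accessWrapper.getUser()`` is falsy and *target* does not grant
         ``canModify(accessWrapper)``.
       * 1 -- ``scriptDetection`` must not fire and ``restrictedHTML`` must accept
         the string.  Default, also used when the configured level is not 0-3.
       * 2 -- as 1, but ``scriptDetection`` is called with ``allowStyle=True``.
       * 3 -- no checks at all.

    Args:
        target: object whose optional ``canModify(accessWrapper)`` lets an
            anonymous sender use the configured level instead of level 0.
        params: mapping of request parameters; string values are modified in place.
        accessWrapper: access context; only ``getUser()`` is consulted.

    Raises:
        MaKaCError: a string could not be re-encoded.
        htmlScriptError: ``scriptDetection`` reported a hit (levels 1 and 2).
        htmlForbiddenTag: ``restrictedHTML`` rejected the string (levels 1 and 2).
    """
    encoding_error = "Your browser is using an encoding which is not recognized by Indico... Please make sure you set your browser encoding to utf-8"

    def _string_slots():
        # Yield (container, key) for every str parameter and every str item of a
        # list parameter, so the caller can read or replace the value in place.
        for key, value in list(params.items()):
            if isinstance(value, str):
                yield params, key
            elif isinstance(value, list):
                for index, item in enumerate(value):
                    if isinstance(item, str):
                        yield value, index

    # Pass 1: make sure every string is utf-8.  An empty result means the browser
    # sent bytes in an encoding we cannot decode.
    for container, key in _string_slots():
        text = container[key]
        if text != "":
            container[key] = encodeUnicode(text)
            if container[key] == "":
                raise MaKaCError(encoding_error)

    # Pass 2: decide how much HTML the sender may use.  Anonymous senders only get
    # the configured level when they hold a modification right on *target*.
    if accessWrapper.getUser():
        level = Config.getInstance().getSanitizationLevel()
    elif target and hasattr(target, "canModify") and target.canModify(accessWrapper):
        level = Config.getInstance().getSanitizationLevel()
    else:
        level = 0
    if level not in range(4):
        level = 1  # unknown configuration values fall back to the default level

    if level == 3:
        return  # absolutely no checks

    if level == 0:
        for container, key in _string_slots():
            container[key] = escape_html(container[key])
        return

    # Levels 1 and 2: reject rather than rewrite.  The script check is raised on
    # each string as soon as it is computed, so a later, clean parameter cannot
    # mask an earlier hit; the tag check follows.  Direct values and list items
    # go through the same sequence.
    for container, key in _string_slots():
        text = container[key]
        if level == 2:
            hit = scriptDetection(text, allowStyle=True)
        else:
            hit = scriptDetection(text)
        if hit:
            raise htmlScriptError(text)
        if not restrictedHTML(text):
            raise htmlForbiddenTag(text)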
def _lt(self, text):
    """Return *text* re-encoded with ``encodeUnicode``, with every line break replaced by the two characters backslash and ``n``.

    ``str.splitlines()`` is used, so a trailing line break is dropped rather than
    producing an empty final segment.
    """
    recoded = encodeUnicode(text)
    segments = recoded.splitlines()
    return "\\n".join(segments)