def line(content, match):
"""Report occurrences of MATCH in CONTENT within their line"""
start_of_line = match.start()
while start_of_line > 0 and content[start_of_line - 1] != "\n":
start_of_line = start_of_line - 1
end_of_line = match.end()
while end_of_line < len(content) and content[end_of_line] != "\n":
end_of_line = end_of_line + 1
line_number = 1
i = 0
while i < match.start():
if content[i] == "\n":
line_number = line_number + 1
i = i + 1
return (
` line_number `
+ ": <tt>"
+ escape(content[start_of_line : match.start()])
+ "<strong>"
+ escape(content[match.start() : match.end()])
+ "</strong>"
+ escape(content[match.end() : end_of_line])
+ "</tt>"
)
def add_module(request, revision_id):
"""
Add new module to the PackageRevision
"""
revision = get_object_with_related_or_404(PackageRevision, pk=revision_id)
if request.user.pk != revision.author.pk:
log_msg = ("[security] Attempt to add a module to package (%s) by "
"non-owner (%s)" % (id_number, request.user))
log.warning(log_msg)
return HttpResponseForbidden(
'You are not the author of this %s' % escape(
revision.package.get_type_name()))
filename = request.POST.get('filename')
mod = Module(
filename=filename,
author=request.user,
code="""// %s.js - %s's module
// author: %s""" % (filename, revision.package.full_name,
request.user.get_profile())
)
try:
mod.save()
revision.module_add(mod)
except FilenameExistException, err:
mod.delete()
return HttpResponseForbidden(escape(str(err)))
def package_add_module(r, id_number, type_id,
revision_number=None, version_name=None):
"""
Add new module to the PackageRevision
"""
revision = get_package_revision(id_number, type_id, revision_number,
version_name)
if r.user.pk != revision.author.pk:
log_msg = ("[security] Attempt to add a module to package (%s) by "
"non-owner (%s)" % (id_number, r.user))
log.warning(log_msg)
return HttpResponseForbidden(
'You are not the author of this %s' % escape(
revision.package.get_type_name()))
filename = pathify(r.POST.get('filename'))
mod = Module(
filename=filename,
author=r.user,
code="""// %s.js - %s's module
// author: %s""" % (filename, revision.package.full_name, r.user.get_profile())
)
try:
mod.save()
revision.module_add(mod)
except FilenameExistException, err:
mod.delete()
return HttpResponseForbidden(escape(str(err)))
def sandbox(self):
extra_fields = u''.join(['<input type="hidden" name="%s" value="%s" />' % \
(escape(name), escape(value)) for name, value in self.extra_fields.iteritems()])
if self.button_type == 'bootstrap':
return mark_safe(FORM_HTML % (SANDBOX_POSTBACK_ENDPOINT, self.as_p(), extra_fields, self.button_class, self.button_text))
else:
return mark_safe(IMAGEBUTTON_FORM_HTML % (SANDBOX_POSTBACK_ENDPOINT, self.as_p(), extra_fields, self.get_image()))
def test_contact_form_escaped_tags(admin, rf, mailoutbox):
request = rf.request()
request.user = admin
request.META['REMOTE_ADDR'] = '127.0.0.1'
recipient_email = settings.POOTLE_CONTACT_EMAIL
specified_subject = "My <tag> subject"
subject = "[%s] %s" % (settings.POOTLE_TITLE, specified_subject)
data = {
'name': admin.full_name,
'email': admin.email,
'email_subject': specified_subject,
'body': "First <tag> of message.",
}
form = ContactForm(request=request, data=data)
assert form.is_valid()
form.save()
assert len(mailoutbox) == 1
message = mailoutbox[0]
assert message.from_email == settings.DEFAULT_FROM_EMAIL
reply_to = u'%s <%s>' % (data['name'], data['email'])
assert reply_to == message.extra_headers['Reply-To']
assert [recipient_email] == message.recipients()
assert escape(subject) == message.subject
assert escape(data['body']) in message.body
assert "Your question or comment:" not in message.body
def test_report_error_form_escaped_tags(admin, rf, mailoutbox):
request = rf.request()
request.user = admin
request.META['REMOTE_ADDR'] = '127.0.0.1'
unit_target = "some <tag>"
unit = Unit.objects.select_related(
'store__translation_project__project',
'store__translation_project__language',
).last()
unit.target = unit_target
unit.save()
context_ctx = {
'unit': unit,
'unit_absolute_url':
request.build_absolute_uri(unit.get_translate_url()),
}
context = render_to_string('contact_form/report_form_context.txt',
context=context_ctx)
context = context.strip()
data = {
'name': admin.full_name,
'email': admin.email,
'context': context,
'body': "The string <tag> is wrong",
}
# Instantiate form and test.
form = ReportForm(request=request, initial=data, data=data, unit=unit)
assert form.is_valid()
form.save()
assert len(mailoutbox) == 1
message = mailoutbox[0]
assert escape(unit_target) in message.body
assert escape(data['body']) in message.body
def response_add(self, request, obj, post_url_continue='../%s/'):
""" Determines the HttpResponse for the add_view stage. """
opts = obj._meta
pk_value = obj._get_pk_val()
msg = "Item(s) were added successfully."
# Here, we distinguish between different save types by checking for
# the presence of keys in request.POST.
if request.POST.has_key("_continue"):
self.message_user(request, msg + ' ' + _("You may edit it again below."))
if request.POST.has_key("_popup"):
post_url_continue += "?_popup=1"
return HttpResponseRedirect(post_url_continue % pk_value)
if request.POST.has_key("_popup"):
return HttpResponse(
'<script type="text/javascript">opener.dismissAddAnotherPopup(window, "%s", "%s");'
'</script>' % (escape(pk_value), escape(obj)))
elif request.POST.has_key("_addanother"):
self.message_user(request, msg + ' ' + (_("You may add another %s below.") %
force_unicode(opts.verbose_name)))
return HttpResponseRedirect(request.path)
else:
self.message_user(request, msg)
for item in Item.objects.filter(created=obj):
if not item.user:
item.user = request.user
item.save()
return HttpResponseRedirect(reverse("admin:todo_item_changelist"))
def package_add_module(r, id_number, type_id,
revision_number=None, version_name=None):
"""
Add new module to the PackageRevision
"""
revision = get_package_revision(id_number, type_id, revision_number,
version_name)
if r.user.pk != revision.author.pk:
return HttpResponseForbidden(
'You are not the author of this %s' % escape(
revision.package.get_type_name()))
filename = slugify(r.POST.get('filename'))
mod = Module(
filename=filename,
author=r.user,
code="""// %s.js - %s's module
// author: %s""" % (filename, revision.package.full_name, r.user.get_profile())
)
try:
mod.save()
revision.module_add(mod)
except FilenameExistException, err:
mod.delete()
return HttpResponseForbidden(escape(str(err)))
def prepare_mail(template, name, title, url, initiator):
from django.conf import settings
abuse = settings.ABUSE_EMAIL
site = settings.SITE_DOMAIN
# Plain text email
body_params = { 'name': name,
'title_and_link': '{{ title_and_link }}',
'abuse_address': abuse,
'site_name': settings.SITE_NAME,
'site_link': settings.SITE_BASE + '/',
'initiator': initiator }
body = render_to_string(template, body_params)
body = re.sub('\n(\n)+', '\n\n', body)
body = wrap(body.strip(), 74) + '\n'
body = body.replace('{{ title_and_link }}',
' %s\n %s' % (title, url))
# HTML email
name = escape(name)
title = escape(title)
initiator = escape(initiator)
html_params = { 'name': name,
'title_and_link': ' <a href="%s" style="color:blue"><b>%s</b></a>' % (url, title),
'abuse_address': '<a href="mailto:%s" style="color:blue">%s</a>' % (abuse, abuse),
'site_name': settings.SITE_NAME,
'site_link': '<a href="%s/" style="color:blue">%s</a>' % (settings.SITE_BASE, settings.SITE_DOMAIN),
'initiator': initiator }
html = render_to_string(template, html_params)
html = re.sub('\n(\n)+', '\n\n', html.strip())
html = html.replace('\n\n', '<p>').replace('\n', '<br>')
html = '<div style="font:14px Arial,sans-serif;color:#000;background:#fff;max-width:420px"><p><img src="%s" alt="%s"><p>%s</div>\n' % (settings.EMAIL_LOGO, settings.SITE_NAME, html)
return {'body': body, 'html': html}
def package_add_module(r, id_number, type_id, revision_number=None, version_name=None):
"""
Add new module to the PackageRevision
"""
revision = get_package_revision(id_number, type_id, revision_number, version_name)
if r.user.pk != revision.author.pk:
log_msg = "User %s wanted to add a module to not his own Package %s." % (r.user, id_number)
log = commonware.log.getLogger("f.jetpack")
log.debug(log_msg)
return HttpResponseForbidden("You are not the author of this %s" % escape(revision.package.get_type_name()))
filename = slugify(r.POST.get("filename"))
mod = Module(
filename=filename,
author=r.user,
code="""// %s.js - %s's module
// author: %s"""
% (filename, revision.package.full_name, r.user.get_profile()),
)
try:
mod.save()
revision.module_add(mod)
except FilenameExistException, err:
mod.delete()
return HttpResponseForbidden(escape(str(err)))
def url_column(self):
if self.type in ['exact_to_view', 'exact_to_redirect',]:
column = '<pre><span>^</span>{0}<span>$</span></pre>'.format(escape(self.url))
elif self.type in ['regex_to_view', 'regex_to_redirect',]:
column = '<pre class="regex">{0}</pre>'.format(escape(self.url))
else:
column = '<pre>{0}</pre>'.format(self.url)
return column
def url_column(self):
if self.type in ["exact_to_view", "exact_to_temporary_redirect", "exact_to_permanent_redirect"]:
column = "<pre><span>^</span>{0}<span>$</span></pre>".format(escape(self.url))
elif self.type in ["regex_to_view", "regex_to_temporary_redirect", "regex_to_permanent_redirect"]:
column = '<pre class="regex">{0}</pre>'.format(escape(self.url))
else:
column = "<pre>{0}</pre>".format(self.url)
return column
def display_filters(topdb):
ret = escape(topdb.name) + "<ul>"
if topdb.parent_relations:
ret += "<div class=subf>Filters:"
for i in topdb.parent_relations:
ret += "<li class=filter >" + escape(i._filter.name)
ret += "<a href=/filter/" + escape(i._filter.name) + ">link</a>"
ret += "<div style=\"margin-left: 10px; display: inline;\">" + " " + escape(i.child_db_name) + "</div>"
ret += "</li>"
ret += "</div>"
return ret + "</ul>"
def test_get(self):
data = UserInfo.objects.get()
self.client.login(username='******', password='******')
response = self.client.get(reverse('edit'))
self.assertContains(response, data.last_name)
self.assertContains(response, data.date_of_birth)
self.assertContains(response, data.email)
self.assertContains(response, data.skype)
self.assertContains(response, data.jabber)
self.assertContains(response, escape(data.bio))
self.assertContains(response, escape(data.other_contacts))
def process_bookmark(self, bookmark):
tags = self.get_tags(bookmark.description)
out = u"""<DT><A HREF="%(href)s" ADD_DATE="%(added)s" %(tags)s>%(title)s</A>\n"""
out = out % {
"href": bookmark.href,
"added": mktime(bookmark.added.timetuple()) if bookmark.added else "",
"tags": u'TAGS="%s"' % u",".join(tags) if tags else "",
"title": escape(bookmark.title),
}
if bookmark.description:
out += u"<DD>%s</DD>\n" % escape(bookmark.description)
return out
def link(value):
"""
From Kevin Veroneau: http://www.pythondiary.com/blog/Aug.23,2012/django-filter-be-more-dry.html
Usage:
{{ object|link }}
"""
if hasattr(value, 'get_absolute_url'):
return mark_safe('<a href="%s">%s</a>' % (escape(value.get_absolute_url()), escape(value)))
else:
return ''
def test_contact(self):
response = self.client.get('')
contact = Contacts.objects.get(pk=1)
self.assertEqual(response.status_code, 200)
self.assertContains(response, contact.name)
self.assertContains(response, contact.surname)
self.assertContains(response, linebreaks(escape(contact.bio)))
self.assertContains(response, date(contact.date_of_birth))
self.assertContains(response, contact.email)
self.assertContains(response, contact.skype)
self.assertContains(response, contact.jabber)
self.assertContains(response, linebreaks(escape(contact.contacts)))
def render_html(page):
if page.text_format == 'text/plain':
return mark_safe(linebreaks(escape(page.content)))
elif page.text_format == 'text/markdown':
return mark_safe(markdown(escape(page.content)))
elif page.text_format == 'text/html':
return mark_safe(page.content)
else:
raise Exception('invalid content type')
def test_contact(self):
response = self.client.get(reverse('contact.views.index'))
self.assertEqual(response.status_code, 200)
data = Contact.objects.get()
self.assertContains(response, data.name)
self.assertContains(response, data.last_name)
self.assertContains(response, date(data.birth_date))
self.assertContains(response, data.email)
self.assertContains(response, data.skype)
self.assertContains(response, data.jabber)
self.assertContains(response, linebreaks(escape(data.bio)))
self.assertContains(response, linebreaks(escape(data.other_contacts)))
def package_remove_library(r, id_number, type_id, revision_number):
" remove dependency from the library provided via POST "
revision = get_package_revision(id_number, type_id, revision_number)
if r.user.pk != revision.author.pk:
return HttpResponseForbidden(
'You are not the author of this %s' % escape(
revision.package.get_type_name()))
lib_id_number = r.POST.get('id_number')
library = get_object_or_404(Package, id_number=lib_id_number)
try:
revision.dependency_remove_by_id_number(lib_id_number)
except Exception, err:
return HttpResponseForbidden(escape(err.__unicode__()))
def upload_attachments(request, id_number, type_id,
revision_number=None, version_name=None):
""" Upload new attachments to the PackageRevision
"""
revision = get_package_revision(None, id_number, type_id, revision_number,
version_name)
if request.user.pk != revision.author.pk:
log_msg = ("[security] Attempt to upload attachment to package (%s) "
"by non-owner (%s)" % (id_number, request.user))
log.warning(log_msg)
return HttpResponseForbidden(
'You are not the author of this %s' % escape(
revision.package.get_type_name()))
content = request.raw_post_data
filename = request.META.get('HTTP_X_FILE_NAME')
if not filename:
log_msg = 'Path not found: %s, package: %s.' % (
filename, id_number)
log.error(log_msg)
return HttpResponseServerError('Path not found.')
try:
attachment = revision.attachment_create_by_filename(
request.user, filename, content)
except ValidationError, e:
return HttpResponseForbidden(
'Validation errors.\n%s' % parse_validation_messages(e))
def remove_attachment(request, revision_id):
"""
Remove attachment from PackageRevision
"""
revision = get_object_with_related_or_404(PackageRevision, pk=revision_id)
if request.user.pk != revision.author.pk:
log_msg = ('[security] Attempt to remove attachment from revision '
'(%s) by non-owner (%s)' % (revision_id, request.user))
log.warning(log_msg)
return HttpResponseForbidden('You are not the author of this Package')
uid = request.POST.get('uid', '').strip()
attachment = get_object_with_related_or_404(Attachment,
pk=uid, revisions=revision)
if not attachment:
log_msg = ('Attempt to remove a non existing attachment. attachment: '
'%s, revision: %s.' % (uid, revision_id))
log.warning(log_msg)
return HttpResponseForbidden(
'There is no such attachment in %s' % escape(
revision.package.full_name))
revision.attachment_remove(attachment)
return render_json(request,
"json/attachment_removed.json",
{'revision': revision, 'attachment': attachment})
def add_empty_attachment(request, id_number, type_id,
revision_number=None, version_name=None):
""" Add new empty attachment to the PackageRevision
"""
revision = get_package_revision(None, id_number, type_id, revision_number,
version_name)
if request.user.pk != revision.author.pk:
log_msg = ("[security] Attempt to add attachment to package (%s) by "
"non-owner (%s)" % (id_number, request.user))
log.warning(log_msg)
return HttpResponseForbidden(
'You are not the author of this %s' % escape(
revision.package.get_type_name()))
filename = request.POST.get('filename', False)
if not filename:
log_msg = 'Path not found: %s, package: %s.' % (
filename, id_number)
log.error(log_msg)
return HttpResponseServerError('Path not found.')
try:
attachment = revision.attachment_create_by_filename(request.user,
filename, '')
except ValidationError, e:
return HttpResponseForbidden(
'Validation errors.\n%s' % parse_validation_messages(e))
def style_element(text):
low_text = text.strip().lower()
if low_text in YES_KEYWORDS:
return YES_IMG
if low_text in NO_KEYWORDS:
return NO_IMG
if plus_two_re.search(low_text):
return YES_IMG * 2
if minus_two_re.search(low_text):
return NO_IMG * 2
if plus_three_re.search(low_text):
return YES_IMG * 3
if minus_three_re.search(low_text):
return NO_IMG * 3
text = escape(text)
found = False
for positive in YES_KEYWORDS:
if text.startswith(positive):
text = '%s %s' % (YES_IMG, text[len(positive):])
found = True
break
if not found:
for negative in NO_KEYWORDS:
if text.startswith(negative):
text = '%s %s' % (NO_IMG, text[len(negative):])
break
return text
def revision_add_attachment(request, pk):
"""Add attachment, download if necessary
"""
revision = get_object_or_404(PackageRevision, pk=pk)
if request.user.pk != revision.author.pk:
log_msg = ("[security] Attempt to add attachment to package (%s) by "
"non-owner (%s)" % (revision.package, request.user))
log.warning(log_msg)
return HttpResponseForbidden(
'You are not the author of this %s' % escape(
revision.package.get_type_name()))
url = request.POST.get('url', None)
filename = request.POST.get('filename', None)
if not filename or filename == "":
log.error('Trying to create an attachment without name')
return HttpResponseBadRequest('Path not found.')
content = ''
if url:
log.info(('[%s] Preparing to download %s as an attachment of '
'PackageRevision %d') % (filename, url, revision.pk))
# validate url
field = URLField(verify_exists=True)
encoding = request.POST.get('force_contenttype', False)
try:
url = field.clean(url)
except ValidationError, err:
log.warning('[%s] Invalid url provided\n%s' % (url,
'\n'.join(err.messages)))
return HttpResponseBadRequest(("Loading attachment failed\n"
"%s") % parse_validation_messages(err))
except Exception, err:
log.warning('[%s] Exception raised\n%s' % (url, str(err)))
return HttpResponseBadRequest(str(err))
def metablock(parsed):
"""
Remove HTML tags, entities and superfluous characters from
meta blocks.
"""
parsed = " ".join(parsed.replace("\n", "").split()).replace(" ,", ",")
return escape(strip_tags(decode_entities(parsed)))
def test_non_string_input(self):
# Filters shouldn't break if passed non-strings
self.assertEqual(addslashes(123), '123')
self.assertEqual(linenumbers(123), '1. 123')
self.assertEqual(lower(123), '123')
self.assertEqual(make_list(123), ['1', '2', '3'])
self.assertEqual(slugify(123), '123')
self.assertEqual(title(123), '123')
self.assertEqual(truncatewords(123, 2), '123')
self.assertEqual(upper(123), '123')
self.assertEqual(urlencode(123), '123')
self.assertEqual(urlize(123), '123')
self.assertEqual(urlizetrunc(123, 1), '123')
self.assertEqual(wordcount(123), 1)
self.assertEqual(wordwrap(123, 2), '123')
self.assertEqual(ljust('123', 4), '123 ')
self.assertEqual(rjust('123', 4), ' 123')
self.assertEqual(center('123', 5), ' 123 ')
self.assertEqual(center('123', 6), ' 123 ')
self.assertEqual(cut(123, '2'), '13')
self.assertEqual(escape(123), '123')
self.assertEqual(linebreaks_filter(123), '<p>123</p>')
self.assertEqual(linebreaksbr(123), '123')
self.assertEqual(removetags(123, 'a'), '123')
self.assertEqual(striptags(123), '123')
def remove_module(request, revision_id):
"""
Remove module from PackageRevision
"""
revision = get_object_with_related_or_404(PackageRevision, pk=revision_id)
if request.user.pk != revision.author.pk:
log_msg = ("[security] Attempt to remove a module from package (%s) "
"by non-owner (%s)" % (revision_id, request.user))
log.warning(log_msg)
return HttpResponseForbidden('You are not the author of this Package')
filenames = request.POST.get('filename').split(',')
revision.add_commit_message('module removed')
try:
removed_modules, removed_dirs = revision.modules_remove_by_path(
filenames)
except Module.DoesNotExist:
log_msg = 'Attempt to delete a non existing module(s) %s from %s.' % (
str(filenames), revision_id)
log.warning(log_msg)
return HttpResponseForbidden(
'There is no such module in %s' % escape(
revision.package.full_name))
return render_json(request,
"json/module_removed.json",
{'revision': revision,
'removed_modules': simplejson.dumps(removed_modules),
'removed_dirs': simplejson.dumps(removed_dirs)})
def upload_attachment(request, revision_id):
""" Upload new attachment to the PackageRevision
"""
revision = get_object_with_related_or_404(PackageRevision, pk=revision_id)
log.debug(revision)
if request.user.pk != revision.author.pk:
log_msg = ("[security] Attempt to upload attachment to package (%s) "
"by non-owner (%s)" % (revision_id, request.user))
log.warning(log_msg)
return HttpResponseForbidden(
'You are not the author of this %s' % escape(
revision.package.get_type_name()))
f = request.FILES.get('upload_attachment')
filename = request.META.get('HTTP_X_FILE_NAME')
if not f:
log_msg = 'Path not found: %s, revision: %s.' % (
filename, revision_id)
log.error(log_msg)
return HttpResponseServerError('Path not found.')
content = f.read()
# try to force UTF-8 code, on error continue with original data
try:
content = unicode(content, 'utf-8')
except:
pass
try:
attachment = revision.attachment_create_by_filename(
request.user, filename, content)
except ValidationError, e:
return HttpResponseForbidden(
'Validation errors.\n%s' % parse_validation_messages(e))
def revision_add_attachment(request, pk):
"""Add attachment, download if necessary
"""
revision = get_object_or_404(PackageRevision, pk=pk)
if request.user.pk != revision.author.pk:
log_msg = ("[security] Attempt to add attachment to package (%s) by "
"non-owner (%s)" % (revision.package, request.user))
log.warning(log_msg)
return HttpResponseForbidden(
'You are not the author of this %s' % escape(
revision.package.get_type_name()))
url = request.POST.get('url', None)
filename = request.POST.get('filename', None)
log.debug(filename)
if not filename or filename == "":
log.error('Trying to create an attachment without name')
return HttpResponseForbidden('Path not found.')
content = ''
if url:
# validate url
field = URLField(verify_exists=True)
try:
url = field.clean(url)
except ValidationError, err:
log.debug('Invalid url provided (%s)\n%s' % (url,
'\n'.join(err.messages)))
return HttpResponseForbidden(("Loading attachment failed<br/>"
"%s") % '<br/>'.join(err.messages))
except Exception, err:
return HttpResponseForbidden(str(err))
def gen_data_tags(cls, data_dict: dict):
"""
Return the the string of all data (ie. ' data-key1="value1" data-key2="value2"')
:param data_dict:
:return:
"""
result = ''
if data_dict:
for k, v in data_dict.items():
result += ' data-%s="%s"' % (Str.snake_to_kebab(k),
defaultfilters.escape(v))
return mark_safe(result)
def clearlist(request, userid, slug):
userid = int(userid)
slug = escape(slug)
obj = func.getRepoObjorNone(userid, slug)
if not obj:
return
reponame = "%s%s" % (userid, slug)
if request.session.get(reponame, None):
request.session[reponame] = None
dajax = Dajax()
return dajax.json()
def update_library(request, revision_id):
" update a dependency to a certain version "
revision = get_object_with_related_or_404(PackageRevision, pk=revision_id)
if request.user.pk != revision.author.pk:
log_msg = ("[security] Attempt to update library in revision (%s) by "
"non-owner (%s)" % (revision_id, request.user))
log.warning(log_msg)
return HttpResponseForbidden('You are not the author of this %s' %
escape(revision.package.get_type_name()))
# TODO: make updating work with library_id instead of id number
lib_id_number = request.POST.get('id_number')
lib_revision = request.POST.get('revision')
library = get_object_or_404(PackageRevision,
pk=lib_revision,
package__id_number=lib_id_number)
try:
revision.dependency_update(library)
except DependencyException, err:
return HttpResponseForbidden(escape(err.__str__()))
def pprint(value, break_after=10):
"""
A wrapper around pprint.pprint -- for debugging, really.
break_after is used to define how often a <span> is
inserted (for soft wrapping).
"""
from pprint import pformat
value = pformat(value).decode('utf-8', 'replace')
return mark_safe(u'<span></span>'.join(
[escape(value[i:(i + break_after)]) for i in xrange(0, len(value), break_after)]
))
def getBlob(request, userid, slug, sha):
userid = int(userid)
slug = escape(slug)
sha = escape(sha)
obj = func.getRepoObjorNone(userid, slug)
if not obj:
return
try:
blob = func.showBlob(obj.get('repoObj'),
sha).replace(" ",
" ").replace("\n", "<br />")
except:
blob = None
if not blob:
blob = ""
dajax = Dajax()
#pdb.set_trace()
dajax.add_data(blob, "writeBlob")
return dajax.json()
def get_dict(self):
return {
"comment_id": self.pk,
"poster": self.user.username if self.user else _("guest"),
"selector": self.selector,
"text": linebreaks(escape(self.text)),
"created_timestamp": self.created.isoformat(),
"created": arrow.get(self.created).humanize(locale=get_language()),
"has_edit": self.created != self.edited,
"edited_timestamp": self.edited.isoformat(),
"edited": arrow.get(self.edited).humanize(locale=get_language()),
"edits_total": self.edit_log.count()
}
def test_post(self):
data = dict()
data['first_name'] = 'Oleg'
data['last_name'] = 'Kudriavcev'
data['date_of_birth'] = '1991-10-28'
data['email'] = '*****@*****.**'
data['jabber'] = '*****@*****.**'
data['skype'] = 'vitalik_lee'
data['bio'] = "my name is vova"
data['other_contacts'] = "kiev, kovalskyj 5, 325r"
self.client.login(username='******', password='******')
response = self.client.post(reverse('edit'), data, follow=True)
self.assertEqual(response.status_code, 200)
self.assertEqual(UserInfo.objects.count(), 1)
self.assertContains(response, data['first_name'])
self.assertContains(response, data['last_name'])
self.assertContains(response, date(data['date_of_birth']))
self.assertContains(response, data['email'])
self.assertContains(response, data['jabber'])
self.assertContains(response, data['skype'])
self.assertContains(response, escape(data['bio']))
self.assertContains(response, escape(data['other_contacts']))
def myissue(request):
if request.method == 'GET':
pid = escape(request.GET.get('pid'))
request.session['pid'] = pid
sql = "SELECT iid,dname,title,idscpt,wname,ctime FROM issue NATURAL JOIN workflow NATURAL JOIN user WHERE pid = %s"
cursor = db.cursor()
cursor.execute(sql, [pid])
result = cursor.fetchall()
return render(request, 'login/myissue.html', {'issue_list': result})
if request.method == 'POST' and 'assign' in request.POST:
iid = escape(request.POST.get('issue_id', False))
uid = escape(request.POST.get('user_id', False))
pid = request.session['pid']
sql_add_lead = "INSERT INTO assignment(iid, uid, pid) VALUES (%s, %s, %s)"
cursor = db.cursor()
cursor.execute(sql_add_lead, [int(iid), int(uid), pid])
db.commit()
sql = "SELECT iid,dname,title,idscpt,wname,ctime FROM issue NATURAL JOIN workflow NATURAL JOIN user WHERE pid = %s"
cursor = db.cursor()
cursor.execute(sql, [pid])
result = cursor.fetchall()
return render(request, 'login/myissue.html', {'issue_list': result})
def copy(request, revision_id):
"""
Copy package - create a duplicate of the Package, set user as author
"""
source = get_object_with_related_or_404(PackageRevision, pk=revision_id)
log.debug('[copy: %s] Copying started from (%s)' % (revision_id, source))
# save package
try:
package = source.package.copy(request.user)
except IntegrityError, err:
log.critical(("[copy: %s] Package copy failed") % revision_id)
return HttpResponseForbidden('You already have a %s with that name' %
escape(source.package.get_type_name()))
def pygmentize(code_string, lexer_name=LEXER_DEFAULT):
# Plain code is noth hihglighted
if lexer_name == PLAIN_CODE:
return '\n'.join([
u'<span class="nn">{}</span>'.format(escape(l))
for l in code_string.splitlines()
])
try:
lexer = lexer_name and get_lexer_by_name(lexer_name) \
or PythonLexer()
except Exception:
lexer = PythonLexer()
return highlight(code_string, lexer, NakedHtmlFormatter())
def addtodifflist(request, userid, slug, sha):
userid = int(userid)
slug = escape(slug)
sha = escape(sha)
obj = func.getRepoObjorNone(userid, slug)
if not obj:
return
#sha exists ?
reponame = "%s%s" % (userid, slug)
reposession = request.session.get(reponame, None)
shalist = []
if not reposession:
shalist.append(sha)
request.session[reponame] = shalist
else:
shalist = reposession
if sha not in shalist:
shalist.append(sha)
request.session[reponame] = shalist
dajax = Dajax()
return dajax.json()
def render(self, name, value, attrs=None):
if value is None:
value = ''
value = smart_unicode(value)
final_attrs = self.build_attrs(attrs)
final_attrs['name'] = name
assert 'id' in final_attrs, "TinyMCE widget attributes must contain 'id'"
mce_config = cms.plugins.text.settings.TINYMCE_CONFIG.copy()
mce_config.update(get_language_config(self.content_language))
if tinymce.settings.USE_FILEBROWSER:
mce_config['file_browser_callback'] = "djangoFileBrowser"
mce_config.update(self.mce_attrs)
mce_config['mode'] = 'exact'
mce_config['elements'] = final_attrs['id']
mce_config['strict_loading_mode'] = 1
"""
plugins = mce_config.get("plugins", "")
if len(plugins):
plugins += ","
plugins += "-cmsplugins"
mce_config['plugins'] = plugins
adv2 = mce_config.get('theme_advanced_buttons1', "")
if len(adv2):
adv2 = "," + adv2
adv2 = "cmsplugins,cmspluginsedit" + adv2
mce_config['theme_advanced_buttons1'] = adv2
"""
json = simplejson.dumps(mce_config)
html = [
u'<textarea%s>%s</textarea>' %
(flatatt(final_attrs), escape(value))
]
if tinymce.settings.USE_COMPRESSOR:
compressor_config = {
'plugins': mce_config.get('plugins', ''),
'themes': mce_config.get('theme', 'advanced'),
'languages': mce_config.get('language', ''),
'diskcache': True,
'debug': False,
}
c_json = simplejson.dumps(compressor_config)
html.append(
u'<script type="text/javascript">tinyMCE_GZ.init(%s);</script>'
% (c_json))
html.append(
u'<script type="text/javascript">%s;\ntinyMCE.init(%s);</script>' %
(self.render_additions(name, value, attrs), json))
return mark_safe(u'\n'.join(html))
def run(self, env):
result = self.create_result(env)
log = ""
passed = 1
user = env.user()
for (fullfname, content) in env.sources():
# check anonymity
# search for user ID or name
regexp = re.compile((word(user.last_name)
+ "|" + word(user.first_name) ), re.I)
match_iter = regexp.finditer(content)
firstrun = 1
while 1:
try:
match = match_iter.next()
except StopIteration:
break
if firstrun:
log += "<H4>" + escape(fullfname) + "</H4>"
#_de("Die Datei enthält Ihren Namen oder Ihre Benutzerkennung:")
log += _("The file contains your name or user id:") + "<p>"
firstrun = 0
passed = 0
log += line(content, match) + "<br>"
if not passed:
# _de("""<p>Praktomat unterstützt
# <em>anonymes Bewerten</em> - der Bewerter kennt nur Ihr
# Programm, nicht aber Ihren Namen. Um anonymes Bewerten zu
# ermöglichen, darf Ihr Name nicht im Programmtext auftreten.<p>
# Bitte ändern Sie den Programmtext
# und versuchen Sie es noch einmal.""")
log += _("""<p>Praktomat supports <em>anonymous marking</em>,
i.e. the person who marks only sees your submission, but not your name or identity.
To allow anonymous marking, your name and user id is not allowed to appear in your submission.<p>
Please remove your name and user id and submit again.""")
result.set_log(log)
result.set_passed(passed)
return result
def news_comment_view(request):
form = CommentForm(request.POST)
if form.is_valid():
try:
content = escape(form.cleaned_data.get('comment_content')) # 对提取出来的数据进行转义,即使django模板默认转义。
news_id = form.cleaned_data.get('news_id')
news = News.objects.get(pk=news_id) # 这里必须将新闻查询到,不能直接将id保存到数据库中,会报错。当保存时数据中要保存实列,而不是一个id
comment = Comment.objects.create(comment_content=content, comment_news=news,
comment_author=request.user) # 评论的作者直接从request中获取
serializer = CommentSerializer(comment)
return restful.result(data=serializer.data)
except News.DoesNotExist:
return HttpResponse(status_code=404)
else:
return restful.params_error(message=form.get_errors())
def _field_extractor_function(field):
"""Return a function that extracts a given field from an instance of a model."""
if callable(field):
allow_tags = getattr(field, 'allow_tags', False)
if allow_tags:
esc = lambda s: s
else:
esc = lambda s: escape(s)
return (lambda o: esc(smart_str(unicode(field(o)))))
elif field.choices:
return (lambda o: getattr(o, 'get_%s_display' % field.name)())
elif isinstance(field, BooleanField):
return (lambda o: yesno(getattr(o, field.name), "Yes,No"))
else:
return (lambda o: smart_str(unicode(getattr(o, field.name))))
def delete(request, pk):
"""
Delete Package and return confirmation
"""
package = get_object_or_404(Package, pk=pk)
if request.user.pk != package.author.pk:
log_msg = ("[security] Attempt to delete package (%s) by "
"non-owner (%s)" % (pk, request.user))
log.warning(log_msg)
return HttpResponseForbidden('You are not the author of this %s' %
escape(package.get_type_name()))
package.delete()
return render_json(request, "json/package_deleted.json")
def myproject(request):
if request.method == 'GET':
uid = request.GET.get('uid')
print(uid)
sql = "SELECT `lead`.pid,pname,pdscpt FROM `lead` JOIN project on `lead`.pid = project.pid WHERE `lead`.uid=%s"
cursor = db.cursor()
cursor.execute(sql, [int(uid)])
my_project_list = cursor.fetchall()
return render(request, 'login/myproject.html',
{'my_project_list': my_project_list})
if request.method == 'POST' and 'assign' in request.POST:
pid = escape(request.POST.get('project_id', False))
uid = escape(request.POST.get('user_id', False))
sql_add_lead = "INSERT INTO `lead`(pid, uid) VALUES (%s, %s)"
cursor = db.cursor()
cursor.execute(sql_add_lead, [int(pid), int(uid)])
db.commit()
uid = request.session["user_id"]
sql = "SELECT pid,pname,pdscpt FROM project WHERE uid=%s"
cursor = db.cursor()
cursor.execute(sql, [uid])
my_project_list = cursor.fetchall()
return render(request, 'login/myproject.html',
{'my_project_list': my_project_list})
def user_link(user, autoescape=None):
"""Returns <a ...>John Doe (crazykid96)</a>.
This function will find the corresponding user object of shift sign-ups,
call-duties, and other baljan-specific objects, so that the programmer can
write `signup|user_link` instead of `signup.user|user_link` in templates.
Also see `name_link`.
"""
user = _find_user(user)
if user:
full_name = escape(display_name(user))
return mark_safe('<a href="%s">%s (%s)</a>' %
(user.get_absolute_url(), full_name, user.username))
return mark_safe(_("unnamed"))
def progress_description(progress):
assert isinstance(progress, TrainingProgress)
text = '{discarded}{state} {type}<br />{evaluated_by}<br />on {day}.{notes}'.format(
discarded='discarded ' if progress.discarded else '',
state=progress.get_state_display(),
type=progress.requirement,
evaluated_by=('evaluated by {}'.format(progress.evaluated_by.full_name)
if progress.evaluated_by is not None else 'submitted'),
day=progress.created_at.strftime('%A %d %B %Y at %H:%M'),
notes='<br />Notes: {}'.format(escape(progress.notes))
if progress.notes else '',
)
text = text[0].upper() + text[1:]
return mark_safe(text)
def line(content, match): """Report occurrences of MATCH in CONTENT within their line""" start_of_line = match.start() while start_of_line > 0 and content[start_of_line - 1] != '\n': start_of_line = start_of_line - 1 end_of_line = match.end() while end_of_line < len(content) and content[end_of_line] != '\n': end_of_line = end_of_line + 1 line_number = 1 i = 0 while i < match.start(): if content[i] == '\n': line_number = line_number + 1 i = i + 1 return (`line_number` + ": <tt>" + escape(content[start_of_line:match.start()]) + "<strong>" + escape(content[match.start():match.end()]) + "</strong>" + escape(content[match.end():end_of_line]) + "</tt>")
def gen_attr_tags(cls, attr_dict: dict):
"""
Return the the string of all the attributes (ie. ' attr1="value1" attr2="value2"')
:param attr_dict:
:return:
"""
result = ''
if attr_dict:
for k, v in attr_dict.items():
if k.lower() in ['disabled', 'readonly', 'checked']:
result += ' %s' % k.lower()
else:
result += ' %s="%s"' % (Str.snake_to_kebab(k),
defaultfilters.escape(v))
return mark_safe(result)
def disable(request, pk):
"""
Disable Package and return confirmation
"""
package = get_object_or_404(Package, pk=pk)
if request.user.pk != package.author.pk:
log_msg = 'User %s wanted to disable not his own Package %s.' % (
request.user, pk)
log.warning(log_msg)
return HttpResponseForbidden('You are not the author of this %s' %
escape(package.get_type_name()))
package.disable()
return render_json(request, "json/package_disabled.json",
{'package': package})
def render_options(self, choices, selected_choices):
# Normalize to strings.
selected_choices = set([force_unicode(v) for v in selected_choices])
output = []
for option_value, option_label in chain(self.choices, choices):
if isinstance(option_label, (list, tuple)):
output.append(u'<li class="divider" label="%s"></li>' %
escape(force_unicode(option_value)))
for option in option_label:
output.append(self.render_option(selected_choices,
*option))
else:
output.append(
self.render_option(selected_choices, option_value,
option_label))
return u'\n'.join(output)
def fieldinfo(field):
if field.field.required:
required_class_attrs = {'class': 'required'}
else:
required_class_attrs = {}
if field.field.help_text:
help_text = u'<small>%s</small>' % field.field.help_text
else:
help_text = u''
label_code = field.label_tag(escape(field.label),
attrs=required_class_attrs)
if field.errors:
class_code = u' class="hasformerrors"'
else:
class_code = u' class="hasnoformerror"'
return required_class_attrs, help_text, label_code, class_code
def send_delayed_email(self, comm, **kwargs):
"""Send the message as an email"""
from_email, _ = EmailAddress.objects.get_or_create(
email=self.get_request_email(), )
body = self.render_msg_body(comm=comm,
reply_link=True,
switch=kwargs.get('switch'),
appeal=kwargs.get('appeal'))
email_comm = EmailCommunication.objects.create(
communication=comm,
sent_datetime=timezone.now(),
from_email=from_email,
)
email_comm.to_emails.add(self.email)
email_comm.cc_emails.set(self.cc_emails.all())
# if we are using celery email, we want to not use it here, and use the
# celery email backend directly. Otherwise just use the default email backend
backend = getattr(settings, 'CELERY_EMAIL_BACKEND',
settings.EMAIL_BACKEND)
with get_connection(backend) as email_connection:
msg = EmailMultiAlternatives(
subject=comm.subject,
body=body,
from_email=str(from_email),
to=[str(self.email)],
cc=[
str(e) for e in self.cc_emails.all() if e.status == 'good'
],
bcc=['*****@*****.**'],
headers={
'X-Mailgun-Variables': {
'email_id': email_comm.pk
},
},
connection=email_connection,
)
msg.attach_alternative(linebreaks(escape(body)), 'text/html')
# atach all files from the latest communication
comm.attach_files_to_email(msg)
msg.send(fail_silently=False)
email_comm.set_raw_email(msg.message())
def _send_email(self, comm, **kwargs):
"""Send the message as an email"""
from_addr = self.get_mail_id()
from_email, _ = EmailAddress.objects.get_or_create(
email='%s@%s' % (from_addr, settings.MAILGUN_SERVER_NAME), )
context = {
'request': self,
'show_all_comms': kwargs.get('show_all_comms'),
'reply_link': self.get_agency_reply_link(self.email.email),
}
body = render_to_string(
'text/foia/request_email.txt',
context,
)
self.status = self._sent_status(
kwargs.get('appeal'),
kwargs.get('thanks'),
)
email_comm = EmailCommunication.objects.create(
communication=comm,
sent_datetime=datetime.now(),
from_email=from_email,
)
email_comm.to_emails.add(self.email)
email_comm.cc_emails.set(self.cc_emails.all())
msg = EmailMultiAlternatives(subject=comm.subject,
body=body,
from_email=str(from_email),
to=[str(self.email)],
cc=[str(e) for e in self.cc_emails.all()],
bcc=['*****@*****.**'],
headers={
'X-Mailgun-Variables': {
'email_id': email_comm.pk
},
})
msg.attach_alternative(linebreaks(escape(body)), 'text/html')
# atach all files from the latest communication
comm.attach_files(msg)
msg.send(fail_silently=False)
email_comm.set_raw_email(msg.message())
def _send_email(self, comm, **kwargs):
"""Send the message as an email"""
from_email, _ = EmailAddress.objects.get_or_create(
email=self.get_request_email(),
)
body = self.render_msg_body(
comm=comm,
reply_link=True,
switch=kwargs.get('switch'),
appeal=kwargs.get('appeal')
)
self.status = self._sent_status(
kwargs.get('appeal'),
kwargs.get('thanks'),
)
email_comm = EmailCommunication.objects.create(
communication=comm,
sent_datetime=timezone.now(),
from_email=from_email,
)
email_comm.to_emails.add(self.email)
email_comm.cc_emails.set(self.cc_emails.all())
msg = EmailMultiAlternatives(
subject=comm.subject,
body=body,
from_email=str(from_email),
to=[str(self.email)],
cc=[str(e) for e in self.cc_emails.all() if e.status == 'good'],
bcc=['*****@*****.**'],
headers={
'X-Mailgun-Variables': {
'email_id': email_comm.pk
},
}
)
msg.attach_alternative(linebreaks(escape(body)), 'text/html')
# atach all files from the latest communication
comm.attach_files_to_email(msg)
msg.send(fail_silently=False)
email_comm.set_raw_email(msg.message())
def rename_module(request, revision_id):
"""
Rename a module in a PackageRevision
"""
revision = get_object_with_related_or_404(PackageRevision, pk=revision_id)
if request.user.pk != revision.author.pk:
log_msg = ("[security] Attempt to rename a module to package (%s) by "
"non-owner (%s)" % (revision_id, request.user))
log.warning(log_msg)
return HttpResponseForbidden('You are not the author of this Package')
old_name = request.POST.get('old_filename')
new_name = request.POST.get('new_filename')
if old_name == 'main':
return HttpResponseForbidden(
'Sorry, you cannot change the name of the main module.')
if not revision.validate_module_filename(new_name):
return HttpResponseForbidden(
('Sorry, there is already a module in your add-on '
'with the name "%s". Each module in your add-on '
'needs to have a unique name.') % new_name)
modules = revision.modules.all()
module = None
for mod in modules:
if mod.filename == old_name:
module = mod
if not module:
log_msg = 'Attempt to rename a non existing module %s from %s.' % (
old_name, revision_id)
log.warning(log_msg)
return HttpResponseForbidden('There is no such module in %s' %
escape(revision.package.full_name))
module.filename = new_name
revision.add_commit_message('module renamed')
revision.update(module)
return render_json(request, "json/module_renamed.json", {
'revision': revision,
'module': module
})
def render(self, name, value, attrs=None):
if value is None: value = ''
value = smart_unicode(value)
final_attrs = self.build_attrs(attrs)
final_attrs['name'] = name
assert 'id' in final_attrs, "TinyMCE widget attributes must contain 'id'"
mce_config = tinymce.settings.DEFAULT_CONFIG
mce_config.update(get_language_config(self.content_language))
if tinymce.settings.USE_FILEBROWSER:
mce_config['file_browser_callback'] = "djangoFileBrowser"
mce_config.update(self.mce_attrs)
mce_config['mode'] = 'exact'
mce_config['elements'] = final_attrs['id']
mce_config['strict_loading_mode'] = 1
mce_json = simplejson.dumps(mce_config)
html = [
u'<textarea%s>%s</textarea>' %
(flatatt(final_attrs), escape(value))
]
if tinymce.settings.USE_COMPRESSOR:
compressor_config = {
'plugins': mce_config.get('plugins', ''),
'themes': mce_config.get('theme', 'advanced'),
'languages': mce_config.get('language', ''),
'diskcache': True,
'debug': False,
}
compressor_json = simplejson.dumps(compressor_config)
# Now the trick - instead of ouputting <javascript> tags and initializing when they are rendered,
# let's simply put the json string in a hidden div and fetch the info / initialize when the view
# actually displays them :)
#html.append(u'<script type="text/javascript">tinyMCE_GZ.init(%s)</script>' % compressor_json)
html.append(
u'<div style="visibility:hidden" class="uninitialized-tiny-field" id="hidden_div_%s">%s</div>'
% (final_attrs['id'], compressor_json))
#html.append(u'<script type="text/javascript">tinyMCE.init(%s)</script>' % mce_json)
html.append(
r'<div style="visibility:hidden" class="uninitialized-tiny-field" id="hidden_div_%s">%s</div>'
% (final_attrs['id'], mce_json))
return mark_safe(u'\n'.join(html))
def style_element(text):
low_text = text.strip().lower()
if low_text in YES_KEYWORDS:
return YES_IMG
if low_text in NO_KEYWORDS:
return NO_IMG
if low_text in NOINFO_KEYWORDS:
return NOINFO_IMG
if plus_two_re.search(low_text):
return YES_IMG * 2
if minus_two_re.search(low_text):
return NO_IMG * 2
if plus_three_re.search(low_text):
return YES_IMG * 3
if minus_three_re.search(low_text):
return NO_IMG * 3
text = escape(text)
found = False
for positive in YES_KEYWORDS:
if text.startswith(positive):
text = '%s %s' % (YES_IMG, text[len(positive):])
found = True
break
if not found:
for noinfo in NOINFO_KEYWORDS:
if text.startswith(noinfo):
text = '%s %s' % (NOINFO_IMG, text[len(noinfo):])
found = True
break
if not found:
for negative in NO_KEYWORDS:
if text.startswith(negative):
text = '%s %s' % (NO_IMG, text[len(negative):])
break
return text
