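def _upload_file(request):
    """
    Upload a file to the server.

    Handles the POST sent by the filebrowser upload widget. The target
    folder is read from ``request.POST["folder"]`` and any leading upload-URL
    prefix is stripped from it before it is joined onto the storage
    directory; the file itself comes from ``request.FILES["Filedata"]``.

    Returns ``HttpResponseBadRequest`` when the folder is missing, absolute or
    contains a ``"."``, or when ``get_file_type`` rejects the file name;
    ``HttpResponseRedirect`` to the browse view when ``get_params`` is posted;
    otherwise ``HttpResponse("True")``. Non-POST requests fall through and
    return ``None``.
    """
    if request.method == "POST":
        folder = request.POST.get("folder")
        # A missing folder previously raised TypeError inside re.sub (a 500);
        # treat it as a malformed request instead.
        if folder is None:
            return HttpResponseBadRequest("")
        fb_uploadurl_re = re.compile(r"^.*(%s)" % reverse("fb_upload"))
        folder = fb_uploadurl_re.sub("", folder)
        # Reject anything that could leave the storage directory: a dotted
        # component is refused outright, and an absolute folder would make
        # os.path.join() below discard ``directory`` entirely.
        if "." in folder or os.path.isabs(folder):
            return HttpResponseBadRequest("")
        if request.FILES:
            filedata = request.FILES["Filedata"]
            directory = get_directory()
            # Validate file against EXTENSIONS setting.
            if not get_file_type(filedata.name):
                return HttpResponseBadRequest("")
            # PRE UPLOAD SIGNAL
            filebrowser_pre_upload.send(
                sender=request, path=request.POST.get("folder"), file=filedata
            )
            # Try and remove both original and normalised thumb names,
            # in case files were added programmatically outside FB.
            file_path = os.path.join(directory, folder, filedata.name)
            remove_thumbnails(file_path)
            filedata.name = convert_filename(filedata.name)
            file_path = os.path.join(directory, folder, filedata.name)
            remove_thumbnails(file_path)
            # Files whose extension is listed in ESCAPED_EXTENSIONS are stored
            # with their contents HTML-escaped rather than verbatim.
            if (
                "." in file_path
                and file_path.split(".")[-1].lower() in fb_settings.ESCAPED_EXTENSIONS
            ):
                filedata = ContentFile(escape(filedata.read()), name=filedata.name)
            # HANDLE UPLOAD
            uploadedfile = default_storage.save(file_path, filedata)
            # If the storage saved under a different name, move it back onto
            # the requested path, overwriting whatever is there.
            if default_storage.exists(file_path) and file_path != uploadedfile:
                default_storage.move(
                    smart_text(uploadedfile),
                    smart_text(file_path),
                    allow_overwrite=True,
                )
            # POST UPLOAD SIGNAL
            filebrowser_post_upload.send(
                sender=request,
                path=request.POST.get("folder"),
                file=FileObject(smart_text(file_path)),
            )
        get_params = request.POST.get("get_params")
        if get_params:
            return HttpResponseRedirect(reverse("fb_browse") + get_params)
        return HttpResponse("True")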
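def _upload_file(request):
    """
    Upload a file to the server.

    Handles the POST sent by the filebrowser upload widget. The target
    folder is read from ``request.POST['folder']`` and any leading upload-URL
    prefix is stripped from it before it is joined onto the storage
    directory; the file itself comes from ``request.FILES['Filedata']``.

    Returns ``HttpResponseBadRequest`` when the folder is missing, absolute or
    contains ``".."``, or when ``get_file_type`` rejects the file name;
    ``HttpResponseRedirect`` to the browse view when ``get_params`` is posted;
    otherwise ``HttpResponse('True')``. Non-POST requests fall through and
    return ``None``.
    """
    if request.method == 'POST':
        folder = request.POST.get('folder')
        # A missing folder previously raised TypeError inside re.sub (a 500);
        # treat it as a malformed request instead.
        if folder is None:
            return HttpResponseBadRequest("")
        fb_uploadurl_re = re.compile(r'^.*(%s)' % reverse("fb_upload"))
        folder = fb_uploadurl_re.sub('', folder)
        # Reject anything that could leave the storage directory: a ".."
        # component, or an absolute folder, which would make os.path.join()
        # below discard ``directory`` entirely.
        if ".." in folder or os.path.isabs(folder):
            return HttpResponseBadRequest("")
        if request.FILES:
            filedata = request.FILES['Filedata']
            directory = get_directory()
            # Validate file against EXTENSIONS setting.
            if not get_file_type(filedata.name):
                return HttpResponseBadRequest("")
            # PRE UPLOAD SIGNAL
            filebrowser_pre_upload.send(
                sender=request, path=request.POST.get('folder'), file=filedata)
            # Try and remove both original and normalised thumb names,
            # in case files were added programmatically outside FB.
            file_path = os.path.join(directory, folder, filedata.name)
            remove_thumbnails(file_path)
            filedata.name = convert_filename(filedata.name)
            # The "\" separator os.path.join produces on Windows does not work
            # with S3 - normalise it to "/".
            file_path = os.path.join(
                directory, folder, filedata.name).replace("\\", "/")
            remove_thumbnails(file_path)
            # Files whose extension is listed in ESCAPED_EXTENSIONS are stored
            # with their contents HTML-escaped rather than verbatim.
            if "." in file_path and file_path.split(
                    ".")[-1].lower() in ESCAPED_EXTENSIONS:
                filedata = ContentFile(escape(filedata.read()), name=filedata.name)
            # HANDLE UPLOAD
            uploadedfile = default_storage.save(file_path, filedata)
            # If the storage saved under a different name, move it back onto
            # the requested path, overwriting whatever is there.
            if default_storage.exists(file_path) and file_path != uploadedfile:
                default_storage.move(smart_text(uploadedfile),
                                     smart_text(file_path),
                                     allow_overwrite=True)
            # POST UPLOAD SIGNAL
            filebrowser_post_upload.send(
                sender=request, path=request.POST.get('folder'),
                file=FileObject(smart_text(file_path)))
        get_params = request.POST.get('get_params')
        if get_params:
            return HttpResponseRedirect(reverse('fb_browse') + get_params)
        return HttpResponse('True')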
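def _major_version(version):
    """
    Return the leading integer component of a version string, or 0 if none.

    Only the first run of digits is used, so ``"2.0rc1"`` -> 2 and
    ``"3"`` -> 3; a string with no leading digits yields 0.
    """
    digits = ""
    for char in version:
        if not char.isdigit():
            break
        digits += char
    return int(digits) if digits else 0


def _clean(html):
    """
    Sanitise *html* before it is stored.

    When ``settings.PAGEDOWN_USE_MEZZANINE_HTML_ESCAPE`` is set the value is
    handed to ``escape()`` and returned as-is; otherwise bleach's ``clean``
    runs with the tags, attributes and styles allowed by the
    ``RICHTEXT_ALLOWED_*`` settings. Disallowed tags are stripped rather than
    escaped, and HTML comments are kept (``strip_comments=False``).
    """
    if settings.PAGEDOWN_USE_MEZZANINE_HTML_ESCAPE:
        return escape(html)
    tags = settings.RICHTEXT_ALLOWED_TAGS
    attrs = settings.RICHTEXT_ALLOWED_ATTRIBUTES
    styles = settings.RICHTEXT_ALLOWED_STYLES
    # bleach 2+ is handed the attributes whitelist as a list rather than a
    # tuple. The major number is compared directly instead of going through
    # distutils.version.LooseVersion, which is gone from Python 3.12.
    if _major_version(bleach.__version__) >= 2 and isinstance(attrs, tuple):
        attrs = list(attrs)
    # NOTE(review): bleach 6 removed the ``styles`` keyword from clean() in
    # favour of a css_sanitizer - confirm the pinned bleach version.
    return clean(html, tags=tags, attributes=attrs, strip=True,
                 strip_comments=False, styles=styles)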
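def _major_version(version):
    """
    Return the leading integer component of a version string, or 0 if none.

    Only the first run of digits is used, so ``"2.0rc1"`` -> 2 and
    ``"3"`` -> 3; a string with no leading digits yields 0.
    """
    digits = ""
    for char in version:
        if not char.isdigit():
            break
        digits += char
    return int(digits) if digits else 0


def _clean(html):
    """
    Sanitise *html* before it is stored.

    When ``settings.PAGEDOWN_USE_MEZZANINE_HTML_ESCAPE`` is set the value is
    handed to ``escape()`` and returned as-is; otherwise bleach's ``clean``
    runs with the tags, attributes and styles allowed by the
    ``RICHTEXT_ALLOWED_*`` settings. Disallowed tags are stripped rather than
    escaped, and HTML comments are kept (``strip_comments=False``).
    """
    if settings.PAGEDOWN_USE_MEZZANINE_HTML_ESCAPE:
        return escape(html)
    tags = settings.RICHTEXT_ALLOWED_TAGS
    attrs = settings.RICHTEXT_ALLOWED_ATTRIBUTES
    styles = settings.RICHTEXT_ALLOWED_STYLES
    # bleach 2+ is handed the attributes whitelist as a list rather than a
    # tuple. The major number is compared directly instead of going through
    # distutils.version.LooseVersion, which is gone from Python 3.12.
    if _major_version(bleach.__version__) >= 2 and isinstance(attrs, tuple):
        attrs = list(attrs)
    # NOTE(review): bleach 6 removed the ``styles`` keyword from clean() in
    # favour of a css_sanitizer - confirm the pinned bleach version.
    return clean(html, tags=tags, attributes=attrs, strip=True,
                 strip_comments=False, styles=styles)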
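def _upload_file(request):
    """
    Upload a file to the server.

    Handles the POST sent by the filebrowser upload widget. The target
    folder is read from ``request.POST["folder"]`` and any leading upload-URL
    prefix is stripped from it before it is joined onto the storage
    directory; the file itself comes from ``request.FILES["Filedata"]``.

    Returns ``HttpResponseBadRequest`` when the folder is missing, absolute or
    contains a ``"."``, or when ``get_file_type`` rejects the file name;
    ``HttpResponseRedirect`` to the browse view when ``get_params`` is posted;
    otherwise ``HttpResponse("True")``. Non-POST requests fall through and
    return ``None``.
    """
    if request.method == "POST":
        folder = request.POST.get("folder")
        # A missing folder previously raised TypeError inside re.sub (a 500);
        # treat it as a malformed request instead.
        if folder is None:
            return HttpResponseBadRequest("")
        fb_uploadurl_re = re.compile(r"^.*(%s)" % reverse("fb_upload"))
        folder = fb_uploadurl_re.sub("", folder)
        # Reject anything that could leave the storage directory: a dotted
        # component is refused outright, and an absolute folder would make
        # os.path.join() below discard ``directory`` entirely.
        if "." in folder or os.path.isabs(folder):
            return HttpResponseBadRequest("")
        if request.FILES:
            filedata = request.FILES["Filedata"]
            directory = get_directory()
            # Validate file against EXTENSIONS setting.
            if not get_file_type(filedata.name):
                return HttpResponseBadRequest("")
            # PRE UPLOAD SIGNAL
            filebrowser_pre_upload.send(
                sender=request, path=request.POST.get("folder"), file=filedata
            )
            # Try and remove both original and normalised thumb names,
            # in case files were added programmatically outside FB.
            file_path = os.path.join(directory, folder, filedata.name)
            remove_thumbnails(file_path)
            filedata.name = convert_filename(filedata.name)
            file_path = os.path.join(directory, folder, filedata.name)
            remove_thumbnails(file_path)
            # Files whose extension is listed in ESCAPED_EXTENSIONS are stored
            # with their contents HTML-escaped rather than verbatim.
            if "." in file_path and file_path.split(".")[-1].lower() in ESCAPED_EXTENSIONS:
                filedata = ContentFile(escape(filedata.read()), name=filedata.name)
            # HANDLE UPLOAD
            uploadedfile = default_storage.save(file_path, filedata)
            # If the storage saved under a different name, move it back onto
            # the requested path, overwriting whatever is there.
            if default_storage.exists(file_path) and file_path != uploadedfile:
                default_storage.move(
                    smart_text(uploadedfile), smart_text(file_path), allow_overwrite=True
                )
            # POST UPLOAD SIGNAL
            filebrowser_post_upload.send(
                sender=request,
                path=request.POST.get("folder"),
                file=FileObject(smart_text(file_path)),
            )
        get_params = request.POST.get("get_params")
        if get_params:
            return HttpResponseRedirect(reverse("fb_browse") + get_params)
        return HttpResponse("True")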
def test_escape(self):
    """
    Check that escaping applies the tag whitelist: the unknown ``<foo>``
    wrapper is dropped while the allowed ``<div>`` survives.
    """
    unsafe_html = "<foo><div></div></foo>"
    expected_html = "<div></div>"
    self.assertEqual(escape(unsafe_html), expected_html)
def clean(self, value, model_instance):
    """
    Remove potentially dangerous HTML tags and attributes from ``value``.

    ``model_instance`` is part of the field-clean signature but is not
    consulted; the result is whatever ``escape()`` returns for ``value``.
    """
    cleaned_value = escape(value)
    return cleaned_value