def get_content(cls, abspath, start=None, end=None): relative_path = abspath.replace(os.getcwd(), '') + '/' if os.path.isdir(abspath): html = '<html><title>Directory listing for %s</title><body><h2>Directory listing for %s</h2><hr><ul>' % (relative_path, relative_path) for file in os.listdir(abspath): filename = file if os.path.isdir(file): filename += '/' html += '<li><a href="%s">%s</a>' % (xhtml_escape(filename), xhtml_escape(filename)) return html + '</ul><hr>' if os.path.splitext(abspath)[1] == '.md': try: import codecs import markdown input_file = codecs.open(abspath, mode='r', encoding='utf-8') text = input_file.read() return markdown.markdown(text) except: pass return super(DirectoryHandler, cls).get_content(abspath, start=start, end=end)
def post_argv(self, post= None): if post: # title if 'title_seo' in post['post']: title_seo = escape.xhtml_escape(post['post']['title_seo']) else: title_seo = '' if 'title' in post['post']: title = escape.xhtml_escape("%s (%s)" % (post['post']['title'], post['post']['year'])) else: title = "" # poster if 'poster' in post['post']: poster = escape.xhtml_escape(post['post']['poster']) else: poster = "" ### argv = { "id" : str(post['_id']), "title" : title, "subtitle" : escape.xhtml_escape(post['post']['subtitle']), "poster" : poster, "link" : "%s/%s/%s/%s.html" % (self.site.domain_root, self.module['setting']['server']['page_view'], post['_id'], title_seo), } else: argv = { "id" : '{{ id }}', "title" : '{{ title }}', "subtitle" : '{{ subtitle }}', "poster" : '{{ poster }}', "link" : '{{ link }}' } return argv
def post(self): """ POST the required parameters to register a TestBox env * `hostname` """ hostname = xhtml_escape(self.get_argument('hostname')) password = xhtml_escape(self.get_argument('password')) box_ip = self.request.remote_ip try: testbox = yield self.testbox_find( hostname=hostname, password=password ) testbox.hostname = hostname testbox.password = password testbox.box_ip = box_ip testbox.pubkey = self.application.pubkey_content testbox.updated_at = datetime.now() except ValueError: testbox = TestBox( hostname=hostname, password=password, box_ip=box_ip, pubkey=self.application.pubkey_content, created_at=datetime.now() ) res = yield testbox.save() print(res) self.set_status(201) self.success(res.to_son())
def tags_link(self): tags = self.tags if not tags: return '' links = ['<a href="%s" title="%s" class="tag">%s</a>' % ( tag.permalink, xhtml_escape(tag.title), xhtml_escape(tag.title)) for tag in tags] return ','.join(links)
def post(self): initial = "(.*%s.*)" % (self.get_argument('search_string')) for match in SEARCH.find({"search": { '$regex': initial}}): response = """ <li class="list-group-item"><a onClick="a_onClick(\'%s\')">%s</a></li> """ % (esc.xhtml_escape(match["search"]), esc.xhtml_escape(match["search"])) self.write(response)
def post(self): id = self.get_argument("id", None) title = xhtml_escape(self.get_argument("title")) tep = self.get_argument("info") code = xhtml_escape(self.get_argument("code")) pswd = self.get_argument("password") check = self.get_argument("check", None) if check != "1984": self.redirect("/newcode") return info = md.convert(tep) password = hexuserpass(pswd) slug = "zzzzzzzz" self.db.execute( "INSERT INTO entries (password,title,slug,code,info,markdown," "published) VALUES (%s,%s,%s,%s,%s,%s,%s)", password, title, slug, code, info, tep, datetime.datetime.now(), ) e = self.db.get("SELECT * FROM entries WHERE slug = %s", slug) eid = e.id slug = eid self.db.execute("UPDATE entries SET slug = %s WHERE id = %s", slug, int(eid)) self.redirect("/" + str(slug))
def post(self): """Post connection form and try to connect with these credentials """ incorrect = self.get_secure_cookie('incorrect') if not incorrect or int(incorrect) < 0: incorrect = 0 elif int(incorrect) >= max_attemps: logging.warning('an user is blocked') self.clear_cookie('user') self.render('blocked.html', blocked_duration=blocked_duration) return getusername = escape.xhtml_escape(self.get_argument('username')) getpassword = escape.xhtml_escape(self.get_argument('password')) if login == getusername and password == getpassword: logging.info('right credentials') self.set_secure_cookie('user', self.get_argument('username'), expires_days=1) self.clear_cookie('incorrect') self.redirect('/') else: logging.info('invalid credentials') incorrect = int(incorrect) + 1 self.set_secure_cookie('incorrect', str(incorrect), expires_days=blocked_duration) if incorrect >= max_attemps: logging.warning('an user is now blocked') self.clear_cookie('user') self.render('blocked.html', blocked_duration=blocked_duration) else: self.render('login.html', failed=True)
def test_get_ag_details(self): self.mock_login_admin() # test if AGP data are rendered correctly barcode = '000029153' response = self.get('/barcode_util/', {'barcode': barcode}) self.assertEqual(response.code, 200) self.assertIn('<h2>%s Details</h2>' % 'American Gut', response.body) ag_details = db.getAGBarcodeDetails(barcode) self.assertIn('<tr><td>Sample Date</td><td>%s</td></tr>' % ag_details['sample_date'], response.body) self.assertIn('<tr><td>Sample Time</td><td>%s</td></tr>' % ag_details['sample_time'], response.body) self.assertIn('<tr><td>Sample Site</td><td>%s</td></tr>' % ag_details['site_sampled'], response.body) self.assertIn('<label for="moldy"> moldy (current: %s) </label> <br />' % ag_details['moldy'], response.body) self.assertIn(('<label for="overloaded"> overloaded (current: %s) ' '</label> <br />') % ag_details['overloaded'], response.body) self.assertIn(('<label for="other"> other (current: %s) ' '</label> <br />') % ag_details['other'], response.body) self.assertIn(('<textarea name="other_text" onclick="this.select()' '">%s</textarea>') % xhtml_escape(ag_details['other_text']), response.body) self.assertIn(('<label for="send_mail" style="display:block;">send kit' ' owner %s (%s) an email </label>') % (xhtml_escape(ag_details['name']), xhtml_escape(ag_details['email'])), response.body)
def get(self, note_id): template_values = {} if len(note_id) < 8: raise tornado.web.HTTPError(404) note_id = decode(note_id) notes = self.db.query( "select title,note,rev_num,rev_user_name as name,rev_user_domain as domain" ", revdate from fd_NoteHistory where note_id = %s and rev_status = 0" " order by rev_num desc", note_id) if not notes: raise tornado.web.HTTPError(404) for i in range(len(notes)): next_note = {} if i == len(notes)-1: next_note['title'] = '' next_note['note'] = '' else: next_note['title'] = notes[i+1].title next_note['note'] = notes[i+1].note notes[i].title = textdiff(xhtml_escape(next_note['title']), xhtml_escape(notes[i].title)) note1 = self.br(linkify(next_note['note'], extra_params="target='_blank' rel='nofollow'")) note2 = self.br(linkify(notes[i].note, extra_params="target='_blank' rel='nofollow'")) notes[i].note = self.at(textdiff(note1, note2)) notes[i]['rev'] = 0 if i == 0: notes[i]['rev'] = 1 template_values['notes'] = notes self.render("notehistory.html", template_values=template_values)
def _on_auth(self, user): if not user: self.get_error('/', '10', u'Google auth failed', SITE_NAME) return author = User().select(['uid', 'username', 'flag']).find_by_email(user["email"]) if not author: if CHECK_REG == 1: usermail = xhtml_escape(user["email"].strip()) username = xhtml_escape(usermail.split('@')[0]) userid = User().user_new_google(username, usermail, '1') self.session['gnauid'] = userid self.session['gnaname'] = username self.session['gnaflag'] = '1' self.session.save() self.logaw('reg', u'注册(第一次登录)', '0', '0', '0', '0') #记录日志(type,des,aid,cid,nid,puid) self.redirect('/settings') else: self.get_error('/', '10', u'系统禁止注册', SITE_NAME) else: self.session['gnauid'] = author.uid self.session['gnaname'] = author.username self.session['gnaflag'] = author.flag self.session.save() self.logaw('login', u'登录', '0', '0', '0', '0') #记录日志(type,des,aid,cid,nid,puid) self.redirect(self.get_argument('next', '/'))
def test_get(self): ag_login_id = '0077c686-b0ad-11f8-e050-8a800c5d1877' self.mock_login_admin() email = db.get_login_info(ag_login_id)[0]['email'] response = self.get('/ag_edit_participant/', {'email': email}) self.assertEqual(response.code, 200) # check that all relevant user information is rendered on HTML side login = db.get_login_by_email(email) for key, value in login.items(): if not isinstance(key, unicode): key = key.decode('utf-8') if key == 'zip': key = u'zipcode' elif key == 'ag_login_id': continue if not isinstance(value, unicode): value = value.decode('utf-8') key = xhtml_escape(key.encode('utf-8')) value = xhtml_escape(value.encode('utf-8')) self.assertIn(('</td><td><input type="text" name="%s" id="%s" ' 'value="%s"></td></tr>') % (key, key, value), response.body) # check what happens if user with email does not exist. # TODO: we should create a better error message in the handler to be # displayed, see issue: #115 response = self.get('/ag_edit_participant/?email=notInDB') self.assertIn('AN ERROR HAS OCCURED!', response.body) self.assertEqual(response.code, 500) # TODO: similarly if no email, i.e. user, is given. Issue: #115 response = self.get('/ag_edit_participant/?email=') self.assertIn('AN ERROR HAS OCCURED!', response.body) self.assertEqual(response.code, 500)
def post(self): email = xhtml_escape(self.get_argument("email")) password = xhtml_escape(self.get_argument("password")) pool = ThreadPool(processes=1) pool.apply_async(self.__checkLogin, args=(email, password), callback=self.__onfinish) pool.close()
def block_code(self, code, language): # Don't forget about escaping code = ignore_trailing_newlines(xhtml_escape(code)) if language: language = xhtml_escape(language) klass = ' class="language-{0}"'.format(language) else: klass = "" return "<pre><code{0}>{1}</code></pre>\n".format(klass, code)
def get_netinfo(self): addr = xhtml_escape(common.shell('ip addr')) routing = xhtml_escape('\n'.join(common.shell('route -n').split("\n")[1:])) ifaces = OutputFormatter.highlight(xhtml_escape(common.shell('mii-tool 2> /dev/null'))) lan = appconfig.get()['net'] sangoma = common.shell("wanrouter status") return {'addr': addr, 'routing': routing, 'lan': lan, 'ifaces': ifaces, 'sangoma': sangoma}
def post(self): username = xhtml_escape(self.get_argument("username")) email = xhtml_escape(self.get_argument("email")) password = xhtml_escape(self.get_argument("password")) conf_pass = xhtml_escape(self.get_argument("confirmPassword")) #Thread incaricato di gesitire la scrittura sul db pool = ThreadPool(processes=1) pool.apply_async(self.__checkDuplicates, args=(username, email, password), callback=self.__onfinish) pool.close()
def get_scores(self): scores = {} for socket in self.sockets: name = socket.name if name in self.game.scores: scores[xhtml_escape(name)] = self.game.scores[name] else: scores[xhtml_escape(name)] = [] for (name, score) in self.game.scores.items(): if not xhtml_escape(name) in scores: scores[xhtml_escape(name) + " (ABSENT)"] = score return scores
def write_error(self, status_code, **kwargs): if hasattr(self, "error_message"): if isinstance(self.error_message, BaseException): import traceback self.write("<html><body><pre>%s</pre></body></html>" % xhtml_escape(''.join(traceback.format_exc()))) else: self.write("<html><body>Error: %s</body></html>" % xhtml_escape(self.error_message)) else: super(HandlerBase, self).write_error(status_code, **kwargs)
def show_flash(self): err = self.get_secure_cookie('e') info = self.get_secure_cookie('i') s = '' if err: s += '<div class="error">%s</div>' % (xhtml_escape(err),) self.clear_cookie('e') if info: s += '<div class="info">%s</div>' % (xhtml_escape(info),) self.clear_cookie('i') return s
def post(self): result = {} try: tmp_file = self.get_argument("tmp_file") result["status"] = os.path.isfile(tmp_file) if result["status"]: result["message"] = "上传成功" self.write(json.dumps(result)) self.finish() file_info = { "nickname" : xhtml_escape(self.get_argument("nickname")), "category" : self.get_argument("category"), "intro" : xhtml_escape(self.get_argument("intro")), "uploader" : self.get_secure_cookie("username"), "tmp_file" : tmp_file, } category = self.get_argument("category") sub_category = self.get_arguments("sub_category") file_info["cid"] = sub_category[-1] if category == "common": # 常用分类,需要记录pid file_info["pid"] = sub_category[0] if category == "book": # 图书类,需要作者 file_info["author"] = self.get_argument("author", "anonymous") elif category == "magazine": # 杂志类,需要出版社,刊号 file_info["publisher"] = xhtml_escape( self.get_argument("publisher", "unknown")) file_info["issue"] = xhtml_escape( self.get_argument("issue", "unknown")) file_path = { "static_path" : self.application.settings["static_path"], "temp_path" : self.application.settings["temp_path"] } pool = multiprocessing.Pool(processes=8) pool.apply_async(Upload, (file_info, file_path)) pool.close() pool.join() else: result["message"] = "附件已丢失...请联系网站管理员或重新上传" self.write(json.dumps(result)) self.finish() return except Exception as e: print e # result["status"] = False # result["message"] = e self.finish()
def post(self,id): if self.check_login(id): id = int(id) url = '/detail/' + str(id) title = xhtml_escape(self.get_argument('title', '')) poster = xhtml_escape(self.get_argument('poster', '')) password = xhtml_escape(self.get_argument('password', '')) type = xhtml_escape(self.get_argument('syntax', 'other')) content = xhtml_escape(self.get_argument('content', '')) time = fmt_time() Post.modify(id, title, poster, type, content, time, password) self.redirect(url) else: self.redirect('/detail/' + str(id))
def format_email(email): m = re.match(r"(.*) <(.*)>", email) if m: fmt = { "name" : xhtml_escape(m.group(1)), "mail" : xhtml_escape(m.group(2)), } else: fmt = { "name" : xhtml_escape(email), "mail" : xhtml_escape(email), } return """<a class="email" href="mailto:%(mail)s">%(name)s</a>""" % fmt
def post(self): if self.session['gnaflag'] <> '675': raise tornado.web.HTTPError(404) return node_nName = unicode(xhtml_escape(self.get_argument('nName', '').strip())) node_nUrl = clear2nbsp(xhtml_escape(self.get_argument('nUrl', '').strip().lower())) node_nDes = unicode(xhtml_escape(self.get_argument('nDes', '').strip())) node_nType = xhtml_escape(self.get_argument('nType', 'N')) node_subhead = int(self.get_argument('subhead', '0')) nid = int(self.get_argument('nid','0')) if nid: if node_nName and node_nUrl: if node_nType == 'N': if not node_subhead: self.get_error('javascript:history.go(-1);','10',u'分类不能为空','toaza.com') return Node().node_admin_update(node_nName,node_nUrl,node_nDes,node_nType,node_subhead,nid) self.logaw('admin',u'修改节点','0','0',nid,'0') #记录日志(type,des,aid,cid,nid,puid) self.get_error('javascript:history.go(-2);','10',u'修改成功','toaza.com') else: self.get_error('javascript:history.go(-1);','10',u'名字和url不能为空','toaza.com') return else: if node_nName and node_nUrl: if node_nType == 'N': if not node_subhead: self.get_error('javascript:history.go(-1);','10',u'分类不能为空','toaza.com') return check_node_url = Node().find_by_nType_and_nUrl_and_nName('N',node_nUrl,node_nName) if not check_node_url: nodeid = Node().node_admin_new(node_nName,node_nUrl,node_nDes,node_nType,node_subhead) self.logaw('admin',u'添加节点','0','0',nodeid,'0') #记录日志(type,des,aid,cid,nid,puid) if nodeid: if node_nType == 'N': self.get_error('/zzginoa/nodes?op=index&nType=N','10',u'节点添加成功','toaza.com') return else: self.get_error('/zzginoa/nodes?op=index&nType=C','10',u'分类添加成功','toaza.com') return else: self.get_error('javascript:history.go(-1);','10',u'添加出错','toaza.com') return else: self.get_error('javascript:history.go(-1);','10',u'节点名称、Url已经存在','toaza.com') return else: self.get_error('javascript:history.go(-1);','10',u'名字、url不能为空','toaza.com') return
def post(self, codeid): title = xhtml_escape(self.get_argument("title")) tep = self.get_argument("info") code = xhtml_escape(self.get_argument("code")) pswd = self.get_argument("password") info = md.convert(tep) codes = self.db.get("SELECT * FROM entries WHERE id = %s", int(codeid)) if checkuserpass(pswd, codes["password"]): self.db.execute(""" UPDATE entries SET title = %s, info = %s, code = %s, markdown = %s WHERE id = %s""", title, info, code, tep, int(codeid)) self.clear_cookie("codeid") self.redirect("/" + str(codeid)) else: self.redirect("/" + str(codeid))
def get(self): show_code = self.get_argument("code", default=None) reset_token = self.get_argument("t", default=None) if config.level2_showcode and show_code: with open(__file__) as code: content = code.read() self.write("<pre>" + xhtml_escape(content) + "</pre>") elif reset_token: mail, signature = get_token_components(reset_token) if not validate_token(reset_token): self.render("templates/error.html", message="Invalid data.") elif mail == config.admin_email: base_url = utils.get_cosmetic_url(self.request) self.render("templates/success.html", message=config.level2_message, next_challenge=base_url + config.level3_link ) else: self.render("templates/error.html", message="HoHo! You did trigger the password reset " "function, but for the wrong user.") else: self.render("templates/level.html", level="Level 2", show_code=config.level2_showcode)
def test_get(self): self.mock_login_admin() # check that error is raised for unknown barcode response = self.get('/ag_edit_barcode/', {'barcode': 'unknown'}) self.assertEqual(response.code, 500) # make sure return code 400 is returned, if barcode is not given response = self.get('/ag_edit_barcode/', {}) self.assertEqual(response.code, 400) # check if page is rendered properly barcode = '000004216' response = self.get('/ag_edit_barcode/', {'barcode': barcode}) self.assertEqual(response.code, 200) self.assertIn('name="barcode" id="barcode" value="%s"' % barcode, response.body) self.assertIn('<option value="Stool" selected>Stool</option>', response.body) self.assertIn('2013-10-15', response.body) hs = db.human_sites hs.remove('Stool') for s in hs: self.assertIn('<option value="%s">%s</option>' % (str(s), str(s)), response.body) for e in db.general_sites: self.assertIn('<option value="%s">%s</option>' % (str(e), str(e)), response.body) pname = xhtml_escape( db.getAGBarcodeDetails(barcode)['participant_name']) self.assertIn('<option value="%s" selected>%s</option>' % (pname, pname), response.body)
def on_rename(self, command, data): name = data.get('name') if not name: return self.user_name = xhtml_escape(name) command['data'] = self.user_as_dict self.broadcast(self.clients, command)
def _gen_test_tag_resp(cls, request): response = {} if 'tests_tag' in Settings and Settings['tests_tag']['tag'] in request['tags']: response['tag'] = Settings['tests_tag']['tag'] try: api_url = Settings['tests_tag']['tag_api_endpoint'].replace('%SHA%', request['revision']) api_body = Settings['tests_tag']['tag_api_body'].replace('%SHA%', request['revision']) api_resp = urllib2.urlopen(api_url, api_body) response['tag'] = xhtml_escape(json.loads(api_resp.read())['tag']) except Exception as e: response['tag'] += ": ERROR connecting to server" logging.error(e) response['url'] = '' if 'url_api_endpoint' in Settings['tests_tag']: try: result_api_url = Settings['tests_tag']['url_api_endpoint'].replace('%SHA%', request['revision']) result_api_url = result_api_url.replace('%BRANCH%', request['branch']) result_api_body = Settings['tests_tag']['url_api_body'].replace('%SHA%', request['revision']) result_api_body = result_api_body.replace('%BRANCH%', request['branch']) resp = urllib2.urlopen(result_api_url, result_api_body) result_id = url_escape(json.loads(resp.read())['id']) if result_id != '': response['url'] = Settings['tests_tag']['url_tmpl'].replace('%ID%', result_id).replace('%SHA%', request['revision']) response['url'] = response['url'].replace('%BRANCH%', request['branch']) except Exception as e: logging.warning(e) logging.warning("Couldn't load results for results test URL from %s with body %s" % ( Settings['tests_tag']['url_api_endpoint'].replace('%SHA%', request['revision']), Settings['tests_tag']['url_api_body'].replace('%SHA%', request['revision']) ) ) return response
def douban_saying(self, callback, access_token=None, content=None, **args): """ douban miniblog Example usage:: class MainHandler(RequestHandler, DoubanMixin): @authenticated @asynchronous def get(self): self.douban_saying( self.async_callback(self._on_saying), access_token=user["access_token"], content="test content" ) def _on_saying(self, xml): if not xml: raise HTTPError(500, 'Douban saying failed') self.write(xml) self.finish() """ path = "/miniblog/saying" if not access_token or not content: raise try: content = content.encode('utf-8') except UnicodeDecodeError: pass content = xhtml_escape(content) post_args = '<entry><content>%s</content></entry>' % content self.douban_request(path, callback, access_token, post_args, **args)
def write_line(self, data): try: logging.info("Returning to client: %s" % data.strip()) self.write_message(xhtml_escape(data.strip()) + "<br/>") self.proc.stdout.read_until("\n", self.write_line) except StreamClosedError: logging.info("StreamClosedError")
def send_mandrill_message(template_name, template_params, subject, sender_name, sender_email, recipient_name, recipient_email): '''Send a message via the Mandrill API.''' message = {'to': [{'email': recipient_email, 'type': 'to'}]} if template_name.strip() == 'share-to-recipient-web': logging.info('ignoring share to recipient message') return if recipient_name: message['to'][0]['name'] = recipient_name # Mandrill templates allow setting defaults for subject, sender_name, # and sender_email if subject: message['subject'] = subject if sender_name: message['from_name'] = sender_name if sender_email: message['from_email'] = sender_email merge_vars = [] for key, value in template_params.iteritems(): merge_vars.append({'name': key, 'content': escape.xhtml_escape(value)}); message['global_merge_vars'] = merge_vars mandrill_client = mandrill.Mandrill(options.options.mandrill_api_key) result = mandrill_client.messages.send_template(template_name=template_name, template_content=None, message=message, async=False) return result
def test_xhtml_escape(self): tests = [ ("<foo>", "<foo>"), (u"<foo>", u"<foo>"), (b("<foo>"), b("<foo>")), ("<>&\"", "<>&""), ("&", "&amp;"), ] for unescaped, escaped in tests: self.assertEqual(utf8(xhtml_escape(unescaped)), utf8(escaped)) self.assertEqual(utf8(unescaped), utf8(xhtml_unescape(escaped)))
def get(self, share_key): sharedfile = Sharedfile.get_by_share_key(share_key) value = { 'title': escape.xhtml_escape(sharedfile.get_title()), 'title_raw': sharedfile.get_title() } # prevents IE from caching ajax requests. self.set_header("Cache-Control", "no-store, no-cache, must-revalidate") self.set_header("Pragma", "no-cache") self.set_header("Expires", 0) return self.write(escape.json_encode(value))
def escape_json(value): """递归将对象内部的所有字符串对象escape""" if isinstance(value, dict): return dict( (escape_json(k), escape_json(v)) for k, v in value.iteritems()) elif isinstance(value, (list, tuple)): return type(value)(escape_json(v) for v in value) elif isinstance(value, (unicode, str)): return xhtml_escape(value) else: return value
def async_call(self, function): try: kwargs = self.request.arguments for arg, value in six.iteritems(kwargs): if len(value) == 1: kwargs[arg] = xhtml_escape(value[0]) elif isinstance(value, six.string_types): kwargs[arg] = xhtml_escape(value) elif isinstance(value, list): kwargs[arg] = [xhtml_escape(v) for v in value] else: raise Exception result = function(**kwargs) return result except OSError as e: return Template("Looks like we do not have enough disk space to render the page! {error}").render_unicode(data=e.message) except Exception: logger.log('Failed doing webui callback: {0}'.format((traceback.format_exc())), logger.ERROR) raise
def post(self): previous_queries = get_previous_queries(self) query = self.get_argument('query') query.rstrip(';') previous_queries = ([query] + previous_queries)[:5] try: rows = [list(row) for row in db.session.execute(query)] except OperationalError, e: self.render_json({'error': xhtml_escape(str(e))}) return
def render(self, path, sip=True, crossorigin="anonymous", **attrs): url = self.handler.cdn_static_url(path) if sip: integrity = self.get_integrity(url) if integrity and "integrity" not in attrs: attrs["integrity"] = integrity if "crossorigin" not in attrs: attrs["crossorigin"] = crossorigin if "src" not in attrs: attrs["src"] = url attr_strs = [ '%s="%s"' % (xhtml_escape(k), xhtml_escape(v)) for (k, v) in attrs.items() ] return "<script %s></script>" % " ".join(attr_strs)
def index(self): context = {} user_id = safe_json_load(USER_ID_JSON_FILE, dict) prefs = safe_json_load(PREFERENCES_JSON_FILE, dict) with open(DEFAULT_ICON_TEMPLATE, 'r') as fh: default_icon_template = squeeze(fh.read().replace("'", "\\'")) with open(DEFAULT_SETTINGS_TEMPLATE, 'r') as fh: default_settings_template = squeeze(fh.read().replace("'", "\\'")) pbname = xhtml_escape(SESSION.host.pedalboard_name) prname = SESSION.host.pedalpreset_name() fullpbname = pbname or "Untitled" if prname: fullpbname += " - " + prname context = { 'default_icon_template': default_icon_template, 'default_settings_template': default_settings_template, 'default_pedalboard': DEFAULT_PEDALBOARD, 'cloud_url': CLOUD_HTTP_ADDRESS, 'pedalboards_url': PEDALBOARDS_HTTP_ADDRESS, 'hardware_profile': b64encode(json.dumps(SESSION.get_hardware_actuators()).encode("utf-8")), 'version': self.get_argument('v'), 'lv2_plugin_dir': LV2_PLUGIN_DIR, 'bundlepath': SESSION.host.pedalboard_path, 'title': pbname, 'size': json.dumps(SESSION.host.pedalboard_size), 'fulltitle': fullpbname, 'titleblend': '' if SESSION.host.pedalboard_name else 'blend', 'using_app': 'true' if APP else 'false', 'using_mod': 'true' if DEVICE_KEY else 'false', 'user_name': xhtml_escape(user_id.get("name", "")), 'user_email': xhtml_escape(user_id.get("email", "")), 'favorites': json.dumps(gState.favorites), 'preferences': json.dumps(prefs), } return context
def test_get(self): self.mock_login_admin() response = self.get('/ag_new_kit/') self.assertEqual(response.code, 200) obs = response.body.decode('utf-8') for project in db.getProjectNames(): self.assertIn( "<option value='%s'>%s</option>" % ((xhtml_escape(project), ) * 2), obs) self.assertIn( "%i</span> unassigned barcodes" % len(db.get_unassigned_barcodes()), obs)
def url_unescape_path(username, platform, course_name, mapping_name, module_name, objective_name, skill_name, activity_name): path = {} path['username'] = escape.xhtml_escape(username) path['platform'] = platform path['course_name'] = course_name path['mapping_name'] = escape.url_unescape(mapping_name) path['module_name'] = escape.url_unescape(module_name) path['objective_name'] = escape.url_unescape(objective_name) path['skill_name'] = escape.url_unescape(skill_name) path['activity_name'] = escape.url_unescape(activity_name) return path
def post(self, *args, **kwargs): user = self.get_argument('user') content = self.get_argument('content') if user and content : loginuser = escape.xhtml_escape(self.current_user) result = database.inset_to_mysql(user,content,loginuser,create_id=int(self.get_secure_cookie(name="userid"))) if not len(result): self.render('complete.html') else: self.render('error.html') else: self.render('error.html')
def block_code(self, text, lang): if lang: lexer = get_lexer_by_name(lang, stripall=True) else: return '\n<pre><code>%s</code></pre>\n' % xhtml_escape( text.strip()) formatter = HtmlFormatter( noclasses=False, linenos=True, ) return highlight(text, lexer, formatter)
def get(self, shake_name): shake = Shake.get("name=%s and deleted=0", shake_name) if not shake: raise tornado.web.HTTPError(404) value = { 'title': escape.xhtml_escape(shake.title) if shake.title else '', 'title_raw': shake.title if shake.title else '', 'description': escape.xhtml_escape(shake.description) if shake.description else '', 'description_raw': shake.description if shake.description else '' } # prevents IE from caching ajax requests. self.set_header("Cache-Control", "no-store, no-cache, must-revalidate") self.set_header("Pragma", "no-cache") self.set_header("Expires", 0) return self.write(escape.json_encode(value))
def _FormatResult(self, user): email = escape.url_escape(user.email) if user.email else '-' user_url = '<a href="/admin/staging_users?user_id=%d&user_email=%s">{0}</a>' % ( user.user_id, email) return [ user_url.format(escape.utf8(escape.xhtml_escape(item))) for item in [ user.name or '-', email, str(user.user_id), str(list(user.labels.combine())) ] ]
async def core_proxy(self, port, path): if self.origin_host is None: # Get origin from this request self.store_origin_host() if not path.startswith('/'): path = '/' + path if self.mappath: if callable(self.mappath): raise Exception( "Not implemented: path = call_with_asked_args(self.mappath, {'path': path})" ) else: path = self.mappath.get(path, path) if self.gitwrapper: if not self.gitwrapper.finished: self.set_status(200) return self.write(self.gitpulling_template) elif self.gitwrapper.error: from tornado.escape import xhtml_escape html = self.error_template.format( cmd=xhtml_escape(" ".join(self.get_cmd())), stderr=xhtml_escape("\n".join(self.gitwrapper.logs)), stdout='') self.set_status(500) return self.write(html) if not await self.ensure_process(): from tornado.escape import xhtml_escape html = self.error_template.format( cmd=xhtml_escape(" ".join(self.get_cmd())), stderr=xhtml_escape(self.stderr_str or 'None'), stdout=xhtml_escape(self.stdout_str or 'None')) self.set_status(500) return self.write(html) return await super().proxy(self.port, path)
def post_argv(self, post= None): if post: ##### if 'picture' in post['post']['content']: content = template.Template('<img src="{{ picture }}">').generate(picture=post['post']['content']['picture']).decode("utf-8") elif 'video' in post['post']['content']: content = template.Template('<div class="video" link="{{ video }}"></div>').generate(video=post['post']['content']['video']).decode("utf-8") else: content = "" ##### if 'type' in post and post['type'] == 'private': warning = "Bài viết đang được chờ kiểm duyệt, bạn thông cảm nhé :)" else: warning = "" ##### if 'note' in post['post']['content']: # old version argv = { "id" : str(post['_id']), "content" : content, "note" : escape.xhtml_escape(post['post']['content']['note']), "link" : "%s://%s/%s/%s/%s/%s.html" % (self.site.request.protocol, self.site.request.host, self.site.db_site['name'], self.site.db_page['name'], post['_id'], function.seo_encode(post['post']['title'])), "title" : escape.xhtml_escape(post['post']['title']), "source" : escape.xhtml_escape(post['post']['content']['source']), "time" : post['time'], "user.name" : post['user']['first_name'] + ' ' + post['user']['last_name'], "user.picture" : post['user']['picture'], "warning" : warning, "banner" : '' } else: # newversion argv = { "id" : str(post['_id']), "content" : content, "note" : escape.xhtml_escape(post['post']['note']), "link" : "%s://%s/%s/%s/%s/%s.html" % (self.site.request.protocol, self.site.request.host, self.site.db_site['name'], self.site.db_page['name'], post['_id'], function.seo_encode(post['post']['title'])), "title" : escape.xhtml_escape(post['post']['title']), "source" : escape.xhtml_escape(post['post']['source']), "time" : post['time'], "user.name" : post['user']['first_name'] + ' ' + post['user']['last_name'], "user.picture" : post['user']['picture'], "warning" : warning, "banner" : "banner" if 'banner' in post['post'] and post['post']['banner'] else '', } else: argv = { "id" : '{{ id }}', "content" : '{{ content }}', "note" : '{{ note }}', "link" : '{{ link }}', "title" : '{{ title }}', "source" : '{{ source }}', "time" : '{{ time }}', "user.name" : '{{ user.name }}', "user.picture" : '{{ user.picture }}', "warning" : '{{ warning }}', "banner" : '{{ banner }}', } return argv
def render(self, path, sip=True, crossorigin="anonymous", **attrs): url = self.handler.cdn_static_url(path) if sip: integrity = self.get_integrity(url) if integrity and "integrity" not in attrs: attrs["integrity"] = integrity if "crossorigin" not in attrs: attrs["crossorigin"] = crossorigin if "rel" not in attrs: attrs["rel"] = "stylesheet" if "href" not in attrs: attrs["href"] = url attr_strs = [ '%s="%s"' % (xhtml_escape(k), xhtml_escape(v)) for (k, v) in attrs.items() ] return "<link %s />" % " ".join(attr_strs)
def test_get(self): self.mock_login() response = self.get('/projects/summary/') self.assertEqual(response.code, 200) obs = response.body.decode('utf-8') # check that correct information is printed on HTML page. for project_name in db.getProjectNames(): num_barcodes = len(db.get_barcodes_for_projects([project_name])) self.assertIn('<tr><td>%s</td>' % xhtml_escape(project_name), obs) self.assertIn('<td>%s</td></tr>' % num_barcodes, obs)
def post(self): users = Users() sorting = escape.xhtml_escape(self.get_argument('jtSorting', '')) sortby = None sortway = None if sorting: sortby, sortway = sorting.split() records = users.get_students(sortby, sortway) if records: self.write(jtable_reply(True, records)) else: self.write(jtable_reply(False))
def test_xhtml_escape(self): tests = [ ("<foo>", "<foo>"), (u"<foo>", u"<foo>"), (b"<foo>", b"<foo>"), ("<>&\"'", "<>&"'"), ("&", "&amp;"), (u"<\u00e9>", u"<\u00e9>"), (b"<\xc3\xa9>", b"<\xc3\xa9>"), ] for unescaped, escaped in tests: self.assertEqual(utf8(xhtml_escape(unescaped)), utf8(escaped)) self.assertEqual(utf8(unescaped), utf8(xhtml_unescape(escaped)))
def get_thumbs(raw, secure=False): # Don't forget about escaping text = xhtml_escape(raw) thumbs = [] for match in _URL_RE.finditer(text): url = match.group(1) for regexp, handler, _ in linkshit_format.linkhostings: m = regexp.match(url) if m: thumb = handler(m.group, 's' if secure else '') thumbs.append((url, thumb)) break return thumbs
def get(self): current_user = self.get_current_user_object() group_shakes = current_user.shakes(include_managed=True) response = {'result': []} for shake in group_shakes: response['result'].append({ 'id': shake.id, 'name': xhtml_escape(shake.display_name(current_user)) }) return self.write(response)
def async_call(self, function): try: # TODO: Make all routes use get_argument so we can take advantage of tornado's argument sanitization, separate post and get, and get rid of this # nonsense loop so we can just yield the method directly # raise Exception('Raising from async_call') kwargs = self.request.arguments for arg, value in kwargs.items(): if len(value) == 1: kwargs[arg] = xhtml_escape(value[0]) elif isinstance(value, str): kwargs[arg] = xhtml_escape(value) elif isinstance(value, list): kwargs[arg] = [xhtml_escape(v) for v in value] else: raise Exception return function(**kwargs) except TypeError: return function() except Exception as error: return WebRoot(application=self.application, request=self.request).print_traceback( error=error, **self.request.arguments)
def make_content(text, extra_params='rel="nofollow"'): """https://github.com/facebook/tornado/blob/master/tornado/escape.py#L238 """ if extra_params: extra_params = " " + extra_params.strip() def make_link(m): url = m.group(1) proto = m.group(2) href = m.group(1) if not proto: href = "http://" + href # no proto specified, use http params = extra_params if '.' in href: name_extension = href.split('.')[-1].lower() if name_extension in ('jpg', 'png', 'git', 'jpeg'): return u'<img src="%s" />' % href return u'<a href="%s"%s>%s</a>' % (href, params, url) def cover_email(m): data = {'mail': m.group(1), 'end': m.group(2)} return u'<a href="mailto:%(mail)s">%(mail)s</a>%(end)s' % data def convert_mention(m): data = {} data['begin'], data['user'] = m.group(1).split('@') t = u'%(begin)s<a href="/member/%(user)s" class="mention">' \ u'@%(user)s</a>' return t % data def highligt(m): try: name = m.group(1) lexer = get_lexer_by_name(name) except ValueError: lexer = TextLexer() text = m.group(2).replace('"', '"').replace('&', '&') text = text.replace('<', '<').replace('>', '>') text = text.replace(' ', ' ') return highlight(text, lexer, formatter) text = _unicode(xhtml_escape(text)).replace(' ', ' ') text = _CODE_RE.sub(highligt, text).replace('\n', '<br />') text = _EMAIL_RE.sub(cover_email, text) text = _MENTION_RE.sub(convert_mention, text) return _URL_RE.sub(make_link, text)
def string_escape(value): r"""Escapes the <,>, ", 'and & characters of a string, when adding an interactable object such as a list, a dictionary, tuples and a set it cycles through the values in search of strings recursively, remembering that objects of the type tuple and set will be converted to lists. :param value: string, dict, list, tuple or set. Example: >>> from phanterpwa.tools import string_escape >>> string_escape("<div>the content<\div>") '<div>the content<\div>' >>> result = string_escape({ "one": "<div style='test'>one</div>", "two": ["<div>two</div>"], "three": ("<div>three</div>", ), "four": {"<div>four</div>"}, "five": { "five_one": ["<br>", ("<input>", "<hr>"), {"<a href='link'></a>"}] } }) >>> result["one"] '<div style='test'>one</div>' >>> result["two"] '["<div>two</div>"]' >>> result["three"] '["<div>three</div>"]' >>> result["four"] '['<div>four</div>']' >>> result["five"]["five_one"] '["<br>", ["<input>", "<hr>"], ["<a href='link'></a>"]]' """ if isinstance(value, str): return escape.xhtml_escape(value) elif isinstance(value, (list, tuple, set)): new_list = [] for x in value: new_list.append(string_escape(x)) return new_list elif isinstance(value, dict): new_dict = {} for x in value.keys(): new_dict[x] = string_escape(value[x]) return new_dict elif isinstance(value, datetime): return value.isoformat(" ", "seconds") elif isinstance(value, date): return value.isoformat() else: return value
def post(self): result = {"status": False} try: username = xhtml_escape(self.get_argument("username")) password = xhtml_escape(self.get_argument("password")) realname = xhtml_escape(self.get_argument("realname")) lastrowid = User().add(username, password, realname) if lastrowid > 0: result["status"] = True result["message"] = "添加成功" elif lastrowid == 0: result["message"] = "添加失败" elif lastrowid == -1: result["message"] = "用户名存在" else: # unexcept result["message"] = "情况未知" pass except Exception as e: print e result["message"] = "添加用户异常" self.write(json.dumps(result)) self.finish()
def rendernote(self, note): if isinstance(note, Exception): note = note.__str__() if note: html = """ <div id="flashbar" style="display:none"> <script type="text/javascript"> document.getElementById('flashbar').style.display = 'none'; </script> <span>%s</span> </div>""" return html % xhtml_escape(__(note)) return ""
def format_text(self, raw_text): """ @ raw_text: 未经任何处理的文本 @ return: 经过xhtml_escape,和支持空白换行等多种操作后的html代码 """ rules = {" ": " ", "\n": "<br />"} x_text = xhtml_escape(raw_text) out_text = "" for c in x_text: if c in rules: out_text += rules[c] else: out_text += c return out_text
def test_get_overview_animal(self): # Test with animal login id ag_login_id = 'd8592c74-8710-2135-e040-8a80115d6401' self.mock_login(ag_data.ut_get_supplied_kit_id(ag_login_id)) response = self.get('/authed/add_sample_overview/') self.assertEqual(response.code, 200) self.assertTrue( response.effective_url.endswith('/authed/add_sample_overview/')) # Check for some main text names = ag_data.ut_get_participant_names_from_ag_login_id(ag_login_id) self.assertIn('sample source', response.body) for name in names: self.assertIn(escape.xhtml_escape(name), response.body) self.assertIn('Environmental', response.body)
def test_get_ag_details(self): self.mock_login_admin() # test if AGP data are rendered correctly barcode = '000029153' response = self.get('/barcode_util/', {'barcode': barcode}) self.assertEqual(response.code, 200) self.assertIn('<h2>%s Details</h2>' % 'American Gut', response.body) ag_details = db.getAGBarcodeDetails(barcode) self.assertIn( '<tr><td>Sample Date</td><td>%s</td></tr>' % ag_details['sample_date'], response.body) self.assertIn( '<tr><td>Sample Time</td><td>%s</td></tr>' % ag_details['sample_time'], response.body) self.assertIn( '<tr><td>Sample Site</td><td>%s</td></tr>' % ag_details['site_sampled'], response.body) self.assertIn( '<label for="moldy"> moldy (current: %s) </label> <br />' % ag_details['moldy'], response.body) self.assertIn(('<label for="overloaded"> overloaded (current: %s) ' '</label> <br />') % ag_details['overloaded'], response.body) self.assertIn(('<label for="other"> other (current: %s) ' '</label> <br />') % ag_details['other'], response.body) self.assertIn( ('<textarea name="other_text" onclick="this.select()' '">%s</textarea>') % xhtml_escape(ag_details['other_text']), response.body) self.assertIn( ('<label for="send_mail" style="display:block;">send kit' ' owner %s (%s) an email </label>') % (xhtml_escape( ag_details['name']), xhtml_escape(ag_details['email'])), response.body)
def safe_markdown(text, noclasses=False): text = escape.xhtml_escape(text) # get link back def make_link(m): link = m.group(1) title = link.replace('http://', '').replace('https://', '') if len(title) > 30: title = title[:20] + '...' if link.startswith('http://') or link.startswith('https://'): return '<a href="%s" rel="nofollow">%s</a>' % (link, title) return '<a href="http://%s" rel="nofollow">%s</a>' % (link, title) # http://daringfireball.net/2010/07/improved_regex_for_matching_urls pattern = re.compile( r'(?m)^((?:https?://|www\d{0,3}[.]|[a-z0-9.\-]+[.][a-z]{2,4}' r'/)(?:[^\s()<>]+|\(([^\s()<>]+|(\([^\s()<>]+\)))*\))+(?:\(([^\s()<>]+' r'|(\([^\s()<>]+\)))*\)|[^\s`!()\[\]{};:\'".,<>?«»“”‘’]))') text = pattern.sub(make_link, text) pattern = re.compile( r'(?i)(?:<)((?:https?://|www\d{0,3}[.]|[a-z0-9.\-]+[.][a-z]{2,4}' r'/)(?:[^\s()<>]+|\(([^\s()<>]+|(\([^\s()<>]+\)))*\))+(?:\(([^\s()<>]+' r'|(\([^\s()<>]+\)))*\)|[^\s`!()\[\]{};:\'".,<>?«»“”‘’]))(?:>)') text = pattern.sub(make_link, text) pattern = re.compile(r'^```(\w+)(?:\n|\r\n|\r)(.*?)(?:\n|\r\n|\r)```', re.S | re.M) formatter = HtmlFormatter(noclasses=noclasses) def repl(m): try: name = m.group(1) lexer = get_lexer_by_name(name) except ValueError: name = 'text' lexer = TextLexer() text = m.group(2).replace('"', '"').replace('&', '&') text = text.replace('<', '<').replace('>', '>') #text = m.group(2) code = highlight(text, lexer, formatter) code = code.replace('\n\n', '\n \n').replace('\n', '<br />') return '\n\n<div class="code">%s</div>\n\n' % code text = pattern.sub(repl, text) pattern = re.compile(r'@(\w+)\s') text = pattern.sub(r'<a href="/member/\1">@\1</a> ', text) return emoji(markdown.markdown(text))