def render_basic(self, field, **kwargs):
html = [field.label(), '<br/>', self.widget(field, **kwargs)]
help_block = Markup(u'<span class="help-block">{0}</span>')
if field.description:
html.append(help_block.format(field.description))
html.extend(help_block.format(e) for e in field.errors)
return HTMLString(u''.join(html))
def render_basic(self, field, **kwargs):
html = [field.label(),
'<br/>',
self.widget(field, **kwargs)]
help_block = Markup(u'<span class="help-block">{0}</span>')
if field.description:
html.append(help_block.format(field.description))
html.extend(help_block.format(e) for e in field.errors)
return HTMLString(u''.join(html))
def render_horizontal(self, field, **kwargs):
html = [
u'<div class="col-sm-5">',
field.label(class_=u'control-label'), u'</div>',
u'<div class="col-sm-7">',
self.widget(field, **kwargs), u'</div>'
]
help_block = Markup(u'<div class="col-sm-12">'
u'<span class="help-block">{0}</span>'
u'</div>')
if field.description:
html.append(help_block.format(field.description))
html.extend(help_block.format(e) for e in field.errors)
return HTMLString(u''.join(html))
def render_horizontal(self, field, **kwargs):
html = [u'<div class="col-sm-5">',
field.label(class_=u'control-label'),
u'</div>',
u'<div class="col-sm-7">',
self.widget(field, **kwargs),
u'</div>']
help_block = Markup(u'<div class="col-sm-12">'
u'<span class="help-block">{0}</span>'
u'</div>')
if field.description:
html.append(help_block.format(field.description))
html.extend(help_block.format(e) for e in field.errors)
return HTMLString(u''.join(html))
def render(self):
"""Render this notification's message using its context.
The message can contain HTML markup. Values from the context are
escaped.
"""
markup = Markup(self.message)
markup = markup.format(**self.context)
return str(markup)
def _render_posts(self, header_level, number=5, date_format='compact'):
redis = yield from self.request.redis
result = []
start_div = Markup(
'<div data-ws-channel="{}?header-level={}&date-format={}">')
result.append(start_div.format(self.path, header_level, date_format))
posts = yield from redis.zrange(self.redis_key, -number, -1)
for post_entry in reversed(list(posts)):
post, score = yield from post_entry
rendered = yield from self._render_post(json.loads(post),
date_format=date_format,
header_level=header_level)
result.append(rendered)
result.append(Markup('</div>'))
return Markup(''.join(result))
def _render_posts(self, header_level, number=5, date_format='compact'):
redis = yield from self.request.redis
result = []
start_div = Markup(
'<div data-ws-channel="{}?header-level={}&date-format={}">')
result.append(start_div.format(
self.path, header_level, date_format))
posts = yield from redis.zrange(self.redis_key, -number, -1)
for post_entry in reversed(list(posts)):
post, score = yield from post_entry
rendered = yield from self._render_post(
json.loads(post),
date_format=date_format,
header_level=header_level
)
result.append(rendered)
result.append(Markup('</div>'))
return Markup(''.join(result))
def generate_pages(current_page, num_of_pages, search=None, status=None, tags=None, window=7):
"""
Generates the HTML for a paging component using a similar logic to the paging
auto-generated by Flask managed views. The paging component defines a number of
pages visible in the pager (window) and once the user goes to a page beyond the
largest visible, it would scroll to the right the page numbers and keeps the
current one in the middle of the pager component. When in the last pages,
the pages won't scroll and just keep moving until the last page. Pager also contains
<first, previous, ..., next, last> pages.
This component takes into account custom parameters such as search, status, and tags
which could be added to the pages link in order to maintain the state between
client and server. It also allows to make a bookmark on a specific paging state.
:param current_page: the current page number, 0-indexed
:param num_of_pages: the total number of pages
:param search: the search query string, if any
:param status: 'all', 'active', or 'paused'
:param tags: array of strings of the current filtered tags
:param window: the number of pages to be shown in the paging component (7 default)
:return: the HTML string of the paging component
"""
void_link = 'javascript:void(0)'
first_node = Markup(
"""<li class="paginate_button {disabled}" id="dags_first">
<a href="{href_link}" aria-controls="dags" data-dt-idx="0" tabindex="0">«</a>
</li>"""
)
previous_node = Markup(
"""<li class="paginate_button previous {disabled}" id="dags_previous">
<a href="{href_link}" aria-controls="dags" data-dt-idx="0" tabindex="0">‹</a>
</li>"""
)
next_node = Markup(
"""<li class="paginate_button next {disabled}" id="dags_next">
<a href="{href_link}" aria-controls="dags" data-dt-idx="3" tabindex="0">›</a>
</li>"""
)
last_node = Markup(
"""<li class="paginate_button {disabled}" id="dags_last">
<a href="{href_link}" aria-controls="dags" data-dt-idx="3" tabindex="0">»</a>
</li>"""
)
page_node = Markup(
"""<li class="paginate_button {is_active}">
<a href="{href_link}" aria-controls="dags" data-dt-idx="2" tabindex="0">{page_num}</a>
</li>"""
)
output = [Markup('<ul class="pagination" style="margin-top:0;">')]
is_disabled = 'disabled' if current_page <= 0 else ''
first_node_link = (
void_link if is_disabled else f'?{get_params(page=0, search=search, status=status, tags=tags)}'
)
output.append(
first_node.format(
href_link=first_node_link,
disabled=is_disabled,
)
)
page_link = void_link
if current_page > 0:
page_link = f'?{get_params(page=current_page - 1, search=search, status=status, tags=tags)}'
output.append(previous_node.format(href_link=page_link, disabled=is_disabled))
mid = int(window / 2)
last_page = num_of_pages - 1
if current_page <= mid or num_of_pages < window:
pages = list(range(0, min(num_of_pages, window)))
elif mid < current_page < last_page - mid:
pages = list(range(current_page - mid, current_page + mid + 1))
else:
pages = list(range(num_of_pages - window, last_page + 1))
def is_current(current, page):
return page == current
for page in pages:
vals = {
'is_active': 'active' if is_current(current_page, page) else '',
'href_link': void_link
if is_current(current_page, page)
else f'?{get_params(page=page, search=search, status=status, tags=tags)}',
'page_num': page + 1,
}
output.append(page_node.format(**vals))
is_disabled = 'disabled' if current_page >= num_of_pages - 1 else ''
page_link = (
void_link
if current_page >= num_of_pages - 1
else f'?{get_params(page=current_page + 1, search=search, status=status, tags=tags)}'
)
output.append(next_node.format(href_link=page_link, disabled=is_disabled))
last_node_link = (
void_link
if is_disabled
else f'?{get_params(page=last_page, search=search, status=status, tags=tags)}'
)
output.append(
last_node.format(
href_link=last_node_link,
disabled=is_disabled,
)
)
output.append(Markup('</ul>'))
return Markup('\n'.join(output))
from markupsafe import Markup, escape
# escape replaces special characters and wraps in Markup
escape("<script>alert(document.cookie);</script>")
Markup('<script>alert(document.cookie);</script>')
# wrap in Markup to mark text "safe" and prevent escaping
Markup("<strong>Hello</strong>")
Markup('<strong>hello</strong>')
escape(Markup("<strong>Hello</strong>"))
Markup('<strong>hello</strong>')
# Markup is a str subclass
# methods and operators escape their arguments
template = Markup("Hello <em>{name}</em>")
template.format(name='"World"')
Markup('Hello <em>"World"</em>')
def _venue_link(view, context, model, name) -> Markup:
url = _venue_url(model.venue)
link = Markup(
'<a href="{url}" target="_blank" rel="noopener noreferrer">{name}</a>')
return link.format(url=escape(url),
name=escape(model.venue.publicName or model.venue.name))
def _offerer_link(view, context, model, name) -> Markup:
url = _offerer_url(model.venue.managingOffererId)
link = Markup(
'<a href="{url}" target="_blank" rel="noopener noreferrer">{name}</a>')
return link.format(url=escape(url),
name=escape(model.venue.managingOfferer.name))
def format_html(cls, s_tmplt, *args, **kwargs):
m = Markup(s_tmplt)
return m.format(*args, **kwargs)
def test():
ts = TAINTED_STRING
# class `Markup` can be used for things that are already safe.
# if used with any text in a string operation, that other text will be escaped.
#
# see https://markupsafe.palletsprojects.com/en/2.0.x/
m_unsafe = Markup(TAINTED_STRING)
m_safe = Markup(SAFE)
# this 3 tests might look strange, but the purpose is to check we still treat `ts`
# as tainted even after it has been escaped in some place. This _might_ not be the
# case since data-flow library has taint-steps from adjacent uses...
ensure_tainted(ts) # $ tainted
ensure_not_tainted(
escape(ts)) # $ escapeInput=ts escapeKind=html escapeOutput=escape(..)
ensure_tainted(ts) # $ tainted
ensure_tainted(
ts, # $ tainted
m_unsafe, # $ tainted
m_unsafe +
SAFE, # $ escapeInput=SAFE escapeKind=html escapeOutput=BinaryExpr MISSING: tainted
SAFE +
m_unsafe, # $ escapeInput=SAFE escapeKind=html escapeOutput=BinaryExpr MISSING: tainted
m_unsafe.format(
SAFE
), # $ escapeInput=SAFE escapeKind=html escapeOutput=m_unsafe.format(..) MISSING: tainted
m_unsafe %
SAFE, # $ escapeInput=SAFE escapeKind=html escapeOutput=BinaryExpr MISSING: tainted
m_unsafe +
ts, # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr MISSING: tainted
m_safe.format(m_unsafe), # $ tainted
m_safe % m_unsafe, # $ tainted
escape(ts).unescape(
), # $ escapeInput=ts escapeKind=html escapeOutput=escape(..) MISSING: tainted
escape_silent(ts).unescape(
), # $ escapeInput=ts escapeKind=html escapeOutput=escape_silent(..) MISSING: tainted
)
ensure_not_tainted(
escape(ts), # $ escapeInput=ts escapeKind=html escapeOutput=escape(..)
escape_silent(
ts
), # $ escapeInput=ts escapeKind=html escapeOutput=escape_silent(..)
Markup.escape(
ts
), # $ escapeInput=ts escapeKind=html escapeOutput=Markup.escape(..)
m_safe,
m_safe +
ts, # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr
ts +
m_safe, # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr
m_safe.format(
ts
), # $ escapeInput=ts escapeKind=html escapeOutput=m_safe.format(..)
m_safe %
ts, # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr
escape(ts) +
ts, # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr escapeOutput=escape(..)
escape_silent(ts) +
ts, # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr escapeOutput=escape_silent(..)
Markup.escape(ts) +
ts, # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr escapeOutput=Markup.escape(..)
)
# flask re-exports these, as:
# flask.escape = markupsafe.escape
# flask.Markup = markupsafe.Markup
import flask
ensure_tainted(
flask.Markup(ts), # $ tainted
)
ensure_not_tainted(
flask.escape(
ts
), # $ escapeInput=ts escapeKind=html escapeOutput=flask.escape(..)
flask.Markup.escape(
ts
), # $ escapeInput=ts escapeKind=html escapeOutput=flask.Markup.escape(..)
)
