Prevent from XSS

JmPotato · Dec 29, 2018 · be1914e · be1914e
1 parent 3094124
commit be1914e
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 5 deletions.
diff --git a/Pomash/libs/handler.py b/Pomash/libs/handler.py
@@ -5,14 +5,19 @@
 import mistune
 import tornado.web
 
-
 from urllib.parse import unquote, quote
 
 from .models import *
 from .markdown import *
-from tornado.escape import to_unicode
+from tornado.escape import to_unicode, xhtml_escape
 
 class BaseHandler(tornado.web.RequestHandler):
+    def get_pure_title(self, title):
+        return re.sub('''<("[^"]*"|'[^']*'|[^'">])*>''', "", title).strip()
+
+    def escape_string(self, s):
+        return xhtml_escape(s)
+
     def description(self, text):
         if len(text) <= 200:
             return re.sub('(<.*?>)', '', text).replace('\n', ' ')[:int(len(text)/2-4)] + '...'

diff --git a/Pomash/theme/clean/templates/editor.html b/Pomash/theme/clean/templates/editor.html
@@ -64,11 +64,11 @@ <h1 id="title">Editor</h1>
         <form action="#" method="post" id="article_editor">
             <div class="input">
                 <label for="title">Title</label>
-                <input id="title" name="title" type="text" value="{% if not is_page and not new %}{{ article.title }}{% elif is_page and not new %}{{ content.title }}{% end %}" style="width:100%;">
+                <input id="title" name="title" type="text" value="{% if not is_page and not new %}{{ handler.escape_string(article.title) }}{% elif is_page and not new %}{{ handler.escape_string(content.title) }}{% end %}" style="width:100%;">
             </div>
             <div v-if="!is_page" class="input">
                 <label for="tag">Tag</label>
-                <input id="tag" name="tag" type="text" value="{% if not is_page and not new %}{{ article.tag }}{% end %}" style="width:100%;">
+                <input id="tag" name="tag" type="text" value="{% if not is_page and not new %}{{ handler.escape_string(article.tag) }}{% end %}" style="width:100%;">
             </div>
             <div class="input">
                 <label for="content">Content</label>

diff --git a/Pomash/theme/clean/templates/page.html b/Pomash/theme/clean/templates/page.html
@@ -1,6 +1,22 @@
 {% extends 'layout.html' %}
 
-{% block title %} | {{ article.title }}{% end %}
+{% block title %} | {{ handler.get_pure_title(article.title) }}{% end %}
+
+{% block head %}
+    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/katex@0.10.0/dist/katex.min.css" integrity="sha384-9eLZqc9ds8eNjO3TmqPeYcDj8n+Qfa4nuSiGYa6DjLNcv9BtN69ZIulL9+8CqC9Y" crossorigin="anonymous">
+    <script defer src="https://cdn.jsdelivr.net/npm/katex@0.10.0/dist/katex.min.js" integrity="sha384-K3vbOmF2BtaVai+Qk37uypf7VrgBubhQreNQe9aGsz9lB63dIFiQVlJbr92dw2Lx" crossorigin="anonymous"></script>
+    <script defer src="https://cdn.jsdelivr.net/npm/katex@0.10.0/dist/contrib/auto-render.min.js" integrity="sha384-kmZOZB5ObwgQnS/DuDg6TScgOiWWBiVt0plIRkZCmE6rDZGrEOQeHM5PcHi+nyqe" crossorigin="anonymous"></script>
+    <script>
+        document.addEventListener("DOMContentLoaded", function() {
+            renderMathInElement(document.getElementById("article"), {
+                delimiters: [
+                    {left: "$$", right: "$$", display: true},
+                    {left: "$", right: "$", display: false}
+                ]
+            });
+        });
+    </script>
+{% end %}
 
 {% block content %}
 <div class="post">