
use |htmlentities and |urlencode filters in templates. fixes #1

1 parent 2c5c71a commit 499a5061b07ebee055bd0e8ef58956eca00c275e @RJ committed Oct 29, 2009
4 priv/www/auth.html
@@ -49,13 +49,13 @@
<div id="content">
<form method="post" action="/auth_2/" id="auth">
- <p>Allow access to Playdar from <a href="{{formvars.website}}">{{formvars.name}}</a></p>
+ <p>Allow access to Playdar from <a href="{{formvars.website|urlencode}}">{{formvars.name|force_escape}}</a></p>
<p class="buttons">
<input type="button" value="Deny" class="button" onclick="window.close();" />
<input type="submit" value="Allow" class="confirm button" />
</p>
{% for k, v in formvars %}
- <input type="hidden" name="{{k}}" value="{{v}}" />
+ <input type="hidden" name="{{k|force_escale}}" value="{{v|urlencode}}" />
{% endfor %}
</form>
</div>
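Review bot: `{{k|force_escale}}` on the hidden-input line is a misspelled filter name; it should read `{{k|force_escape}}`, and as written the template will either fail to compile or render the name unfiltered, depending on how the template engine treats unknown filters (not checked here). On the same line `value="{{v|urlencode}}"` is the wrong filter for an attribute value: the browser form-encodes the field on submit, so the value would arrive double-encoded; `value="{{v|force_escape}}"` is what the attribute context needs. The same applies to `href="{{formvars.website|urlencode}}"` above: percent-encoding a whole URL may rewrite `:` and `/` depending on the filter's reserved set, and HTML escaping plus a server-side scheme allowlist (http/https) is the usual control for an externally supplied href, since neither filter rejects unexpected schemes. Also, the commit title names `|htmlentities` while every template here uses `|force_escape`.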
4 priv/www/auth.na.html
@@ -37,8 +37,8 @@
</a>
<div id="content">
- <p>You have allowed access to Playdar from <a href="{{website}}">{{name}}</a></p>
+ <p>You have allowed access to Playdar from <a href="{{website|urlencode}}">{{name|force_escape}}</a></p>
<p>Copy and paste this authentication <strong>token</strong> into the status bar then close this window.</p>
- <p>Token: <input type="text" value="{{authcode}}" size="35" onclick="this.focus(); this.select();" />
+ <p>Token: <input type="text" value="{{authcode|urlencode}}" size="35" onclick="this.focus(); this.select();" />
</body>
</html>
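Review bot: `value="{{authcode|urlencode}}"` on the token input percent-encodes the very string the user is told to copy, so a token containing any reserved character would be displayed altered; the attribute context needs `value="{{authcode|force_escape}}"` instead. The `href="{{website|urlencode}}"` line has the same problem as in auth.html: percent-encoding an entire URL may change it, and escaping alone does not restrict the scheme. The `<p>` opened on the Token line is never closed, though that predates this commit.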
2 priv/www/authcodes.html
@@ -2,7 +2,7 @@
<h2>List of Authenticated Clients</h2>
{% for c in codes %}
-<a onclick="return confirm('Revoke this auth code?');" href="/authcodes?revoke={{c.code}}">{{c.code}}</a> / {{c.name}} / {{c.website}} <br/>
+<a onclick="return confirm('Revoke this auth code?');" href="/authcodes?revoke={{c.code}}">{{c.code}}</a> / {{c.name|force_escape}} / {{c.website|force_escape}} <br/>
{% endfor %}
</body>
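Review bot: `{{c.code}}` is left unfiltered in both the `href` query string and the link text on the changed line, while `c.name` and `c.website` gain `force_escape`; for consistency with the rest of the commit the query-string use should be `{{c.code|urlencode}}` and the text use `{{c.code|force_escape}}`, even if codes are server-generated. Separately, `/authcodes?revoke=…` changes state through a plain GET link guarded only by a JavaScript confirm, whereas the playdartcp page in this same commit guards its disconnect link with an `ftok` token; the same token (ideally with a POST form) would be appropriate here.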
12 priv/www/index.html
@@ -10,8 +10,8 @@
</tr>
{% for r in resolvers %}
<tr style="background-color: {% cycle white,lightyellow %}">
-<td>{{ r.name }}</td>
-<td>{{ r.mod }} </td>
+<td>{{ r.name|force_escape }}</td>
+<td>{{ r.mod|force_escape }} </td>
<td>{{ r.weight }}</td>
<td>{{ r.targettime }}</td>
<td>{{ r.localonly }}</td>
@@ -24,13 +24,13 @@
<table>
{% for p in http_paths %}
<tr>
-<td> <b>{{p.prefix}}</b> </td>
+<td> <b>{{p.prefix|force_escape}}</b> </td>
<td>
{% if p.menu_url %}
-<a href="{{p.menu_url}}">
+<a href="{{p.menu_url|urlencode}}">
{% endif %}
{% if p.menu_text %}
-{{p.menu_text}}
+{{p.menu_text|force_escape}}
{% endif %}
{% if p.menu_url %}
</a>
@@ -43,7 +43,7 @@
<h3>Protocols Supported</h3>
<ul>
{% for p in protocols %}
-<li>{{p}}://</li>
+<li>{{p|force_escape}}://</li>
{% endfor %}
</ul>
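Review bot: `href="{{p.menu_url|urlencode}}"` in the second hunk applies percent-encoding to a complete URL, which may rewrite `:`, `/` and `?` depending on the filter's reserved set and break the link; the attribute context needs `href="{{p.menu_url|force_escape}}"`, with a scheme check on the server if menu_url is not trusted configuration. In the first hunk `{{ r.weight }}`, `{{ r.targettime }}` and `{{ r.localonly }}` stay unfiltered while name and mod are escaped; they look numeric or boolean, but the playdartcp template escapes every cell, so the same treatment would keep the templates uniform. The `{% for r in resolvers %}` table starts before and continues past the first hunk.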
12 priv/www/playdartcp/index.html
@@ -12,12 +12,12 @@
</tr>
{% for p in peers %}
<tr style="background-color: {% cycle white,lightyellow %}">
-<td>{{ p.name }}</td>
-<td>{{ p.pid }} </td>
-<td>{{ p.stats.recv_oct }}</td>
-<td>{{ p.stats.send_oct }}</td>
-<td>{{ p.conndate }}</td>
-<td>{{p.weshare}} / {{p.theyshare}}</td>
+<td>{{ p.name|force_escape }}</td>
+<td>{{ p.pid|force_escape }} </td>
+<td>{{ p.stats.recv_oct|force_escape }}</td>
+<td>{{ p.stats.send_oct|force_escape }}</td>
+<td>{{ p.conndate|force_escape }}</td>
+<td>{{p.weshare|force_escape}} / {{p.theyshare|force_escape}}</td>
<td><a onclick="return confirm('Sure you want to disconnect this peer?');"
href="/p2p?ftok={{ftok}}&disconnect={{p.name|urlencode}}">disconnect</a></td>
</tr>
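Review bot: On the unchanged `href="/p2p?ftok={{ftok}}&disconnect={{p.name|urlencode}}"` line inside this hunk, `{{ftok}}` is the one interpolation still without a filter, and the `&` between the query parameters is unescaped inside an attribute; since the commit's purpose is to filter every template variable, `href="/p2p?ftok={{ftok|urlencode}}&amp;disconnect={{p.name|urlencode}}"` would complete it. The `force_escape` additions on the stats cells are correct for the `<td>` text context. The `{% for p in peers %}` table continues past this hunk.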
4 priv/www/queries.html
@@ -2,9 +2,9 @@
<h2>Queries</h2>
{% for q in queries %}
-<a href="/queries/{{ q.qid }}">{{ q.qid }}</a> [{{ q.num_results }} results]<br/>
+<a href="/queries/{{ q.qid|urlencode }}">{{ q.qid|force_escape }}</a> [{{ q.num_results|force_escape }} results]<br/>
<pre>
-{{ q.qry }}
+{{ q.qry|force_escape }}
</pre><br/>
{% endfor %}
8 priv/www/query.html
@@ -12,10 +12,10 @@
</tr>
{% for r in results %}
<tr>
-<td><a href="/sid/{{ r.sid }}">{{ r.sid }}</a></td>
-<td>{{ r.score }}</td>
-<td>{{ r.artist }}</td>
-<td>{{ r.track }}</td>
+<td><a href="/sid/{{ r.sid|urlencode }}">{{ r.sid|force_escape }}</a></td>
+<td>{{ r.score|force_escape }}</td>
+<td>{{ r.artist|force_escape }}</td>
+<td>{{ r.track|force_escape }}</td>
</tr>
{% endfor %}
</table>
