
fixed major security flaw

1 parent 1effac1 commit 2bc64048a5ff59e53d6700f7e5e72dc628445667 @drewlesueur committed Jan 5, 2010
Showing with 13 additions and 1 deletion.
  1. +6 −0 form.py
  2. BIN form.pyc
  3. +7 −1 form.py~
6 form.py
@@ -244,6 +244,12 @@ def just_form():
def form(row):
+ import cgi
+ for x in row:
+ val = cgi.escape(row[x])
+ del row[x]
+ x = cgi.escape(x)
+ row[x] = val
return """<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.3/jquery.min.js"></script>
<script src="http://gist.github.com/raw/256759/15a5ba42e7f70bbc7c459064501cb964c706de99/jquery-json.js"></script>""" + " some fields might replace &amp; with &amp;amp; and &lt; with &amp;lt; etc. " + just_form() + """<input type = "submit" value = "Submit">
</form>""" + "<div id = 'row' style='display:none;'>" + simplejson.dumps(row, indent = 4) + "</div>" + """
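Review bot: The added loop mutates `row` while iterating over it (`del row[x]` and `row[x] = val` inside `for x in row`), so a key that `cgi.escape` actually changes is re-inserted under a new name that the same iteration can visit again and escape a second time, which is the likely origin of the `&amp;amp;` artifacts the inline message admits to; keys that escape to themselves are put back unchanged, so the size check never raises and the defect is silent. Iterate a snapshot and rebuild the mapping instead, e.g. `escaped = dict((cgi.escape(k), cgi.escape(v)) for k, v in row.items())` followed by `row.clear()` and `row.update(escaped)` so callers that rely on the in-place update still see the escaped dict. `cgi.escape` also assumes every key and value is a string, so a `None` or numeric column in `row` would raise `AttributeError` before the page renders; coerce with `str()` or skip non-string values explicitly. The default `cgi.escape` leaves `"` untouched, which is adequate for the text sink shown here, but if any of these values is later placed into an attribute by the page script `cgi.escape(s, quote=True)` is the safer choice, and a one-line comment naming the intended sink (`# escaped for the hidden <div>, read back by script`) would make that decision reviewable. The body of `form` continues past the hunk, and the identical block is duplicated in the `form.py~` backup alongside a committed `form.pyc`, both editor/build artifacts that should be removed from the repository rather than patched in step.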
BIN form.pyc
Binary file not shown.
8 form.py~
@@ -244,8 +244,14 @@ I understand that participants will be sent home if any drugs, alcohol, or cigar
def form(row):
+ import cgi
+ for x in row:
+ val = cgi.escape(row[x])
+ del row[x]
+ x = cgi.escape(x)
+ row[x] = val
return """<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.3/jquery.min.js"></script>
-<script src="http://gist.github.com/raw/256759/15a5ba42e7f70bbc7c459064501cb964c706de99/jquery-json.js"></script>""" + " some fields might replace &amp; with &amp;amp; and &lt; with &lt;lt; etc. " + just_form() + """<input type = "submit" value = "Submit">
+<script src="http://gist.github.com/raw/256759/15a5ba42e7f70bbc7c459064501cb964c706de99/jquery-json.js"></script>""" + " some fields might replace &amp; with &amp;amp; and &lt; with &amp;lt; etc. " + just_form() + """<input type = "submit" value = "Submit">
</form>""" + "<div id = 'row' style='display:none;'>" + simplejson.dumps(row, indent = 4) + "</div>" + """
<script>
$(document).ready(function(){

