
escaping incoming string with cgi... oh that xss... oh that xss

1 parent 03d46cb commit af0948750224b38c7eb2454485cd9e81354ea087 @DFectuoso DFectuoso committed Aug 3, 2010
Showing with 8 additions and 3 deletions.
  1. +8 −3 main.py
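--- a/main.py
+++ b/main.py
@@ -11,7 +11,9 @@
 from django.utils import simplejson
 from django.template.defaultfilters import timesince
-import dojo_name_api, keys, notify_io, logging
+import dojo_name_api, keys, notify_io, logging, cgi
+
+
 #CONSTANTS#
 UPDATES_LIMIT = 10
@@ -26,6 +28,9 @@ def str_to_bool(str):
 if str == "true": return True
 else: return False
+def sanitizeHtml(value):
+ return cgi.escape(value)
+
 def sendNotifyIoNotifications(update):
 profiles = Profile.all().filter('notifyIoNotification =',True)
 for profile in profiles:
@@ -111,7 +116,7 @@ def post(self, update_id):
 if update:
 image = 'http://0.gravatar.com/avatar/%s' % hashlib.md5(str(users.get_current_user()) + DOMAIN).hexdigest()
 comment = Comment(
- body=self.request.get('body'),
+ body=sanitizeHtml(self.request.get('body')),
 update=update,
 image_url=image)
 comment.put()
@@ -131,7 +136,7 @@ def get(self):
 def post(self):
 image = 'http://0.gravatar.com/avatar/%s' % hashlib.md5(str(users.get_current_user()) + DOMAIN).hexdigest()
- update = Update(body=self.request.get('body'),image_url=image)
+ update = Update(body=sanitizeHtml(self.request.get('body')),image_url=image)
 sendEmailNotifications(update)
 sendNotifyIoNotifications(update)
 update.put()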
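Review bot: `cgi.escape(value)` in the new `sanitizeHtml` (second hunk) escapes only `&`, `<` and `>`; quotes are left untouched unless the `quote` argument is set, so a body that a template later places inside an attribute value is still not safe — the helper should read `return cgi.escape(value, True)` (on Python 3 `cgi.escape` no longer exists and `html.escape(value)` is the equivalent, quoting by default). Escaping is also applied before the value is stored rather than when it is rendered, which the commit does not document: a short docstring on `sanitizeHtml` such as `"""HTML-escape user-supplied text before it is persisted; templates must not escape it a second time."""` would record that choice, since a Django template with autoescaping on would otherwise show `&amp;lt;` for a `<`. In the last hunk the escaped `Update` body is handed to `sendEmailNotifications` and `sendNotifyIoNotifications` before `update.put()`; if those send plain text (their bodies are outside this diff), recipients will see entities like `&lt;` literally, so it is worth confirming which form they expect. Minor style point: the two blank lines added after the `import` line in the first hunk are unrelated to the change and could be dropped.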

0 comments on commit af09487
