fix many error with html unescaped attributes
kakwa committed Jul 8, 2016
1 parent 91a1f3e commit 0beac11
Showing 5 changed files with 543 additions and 6 deletions.
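--- a/ldapcherry/__init__.py
+++ b/ldapcherry/__init__.py
@@ -16,6 +16,7 @@
 from operator import itemgetter
 from socket import error as socket_error
 import base64
+import cgi
 
 from exceptions import *
 from ldapcherry.lclogging import *
@@ -54,6 +55,31 @@ def _handle_exception(self, e):
 traceback=True
 )
 
+def _escape_list(self, data):
+ret = []
+for i in data:
+ret.append(cgi.escape(i, True))
+
+def _escape_dict(self, data):
+for d in data:
+if isinstance(data[d], list):
+data[d] = self._escape_list(data[d])
+elif isinstance(data[d], dict):
+data[d] = self._escape_dict(data[d])
+else:
+data[d] = cgi.escape(data[d], True)
+return data
+
+def _escape(self, data, dtype):
+if data is None:
+return None
+elif dtype == 'search_list':
+for d in data:
+data[d] = self._escape_dict(data[d])
+elif dtype == 'attr_list':
+data = self._escape_dict(data)
+return data
+
 def _get_param(self, section, key, config, default=None):
 """ Get configuration parameter "key" from config
 @str section: the section of the config file
@@ -895,7 +921,7 @@ def index(self):
 return self.temp['index.tmpl'].render(
 is_admin=is_admin,
 attrs_list=attrs_list,
-searchresult=user_attrs,
+searchresult=self._escape(user_attrs, 'attr_list'),
 notifications=self._empty_notification(),
 )
 
@@ -911,7 +937,7 @@ def searchuser(self, searchstring=None):
 res = None
 attrs_list = self.attributes.get_search_attributes()
 return self.temp['searchuser.tmpl'].render(
-searchresult=res,
+searchresult=self._escape(res, 'search_list'),
 attrs_list=attrs_list,
 is_admin=is_admin,
 custom_js=self.custom_js,
@@ -948,7 +974,7 @@ def searchadmin(self, searchstring=None):
 res = None
 attrs_list = self.attributes.get_search_attributes()
 return self.temp['searchadmin.tmpl'].render(
-searchresult=res,
+searchresult=self._escape(res, 'search_list'),
 attrs_list=attrs_list,
 is_admin=is_admin,
 custom_js=self.custom_js,
@@ -1053,7 +1079,7 @@ def modify(self, user=None, **params):
 key = self.attributes.get_key()
 form = self.temp['form.tmpl'].render(
 attributes=self.attributes.attributes,
-values=user_attrs,
+values=self._escape(user_attrs, 'attr_list'),
 modify=True,
 keyattr=key,
 autofill=False
@@ -1069,7 +1095,7 @@ def modify(self, user=None, **params):
 form=form,
 roles=roles,
 is_admin=is_admin,
-standalone_groups=user_lonely_groups,
+standalone_groups=self._escape(user_lonely_groups, 'attr_list'),
 backends_display_names=self.backends_display_names,
 custom_js=self.custom_js,
 notifications=self._empty_notification(),
@@ -1115,7 +1141,7 @@ def selfmodify(self, **params):
 )
 form = self.temp['form.tmpl'].render(
 attributes=self.attributes.get_selfattributes(),
-values=user_attrs,
+values=self._escape(user_attrs, 'attr_list'),
 modify=True,
 autofill=False
 )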
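Review bot: `_escape_list` in the `@@ -54,6 +55,31 @@` hunk fills `ret` but never returns it, so it evaluates to `None`, and `_escape_dict` then stores that `None` at `data[d] = self._escape_list(data[d])`, silently dropping every list-valued attribute instead of escaping it; add `return ret` after the loop, or replace the body with `return [cgi.escape(i, True) for i in data]`. Separately, `cgi.escape` expects a string, so any non-string leaf in these dicts (an int, or a `None` like the one the form.tmpl change in this commit guards against) would raise before the template renders; whether such values reach these helpers depends on the backends, which are outside this diff. Because escaping is applied per call site in the six `render(...)` hunks rather than where the HTML is built, any render path not touched by this commit still emits the raw values; escaping in the templates as well would keep a missed call site from reopening the issue. The enclosing class and the methods around these hunks begin and end outside the visible lines.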
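--- a/resources/templates/form.tmpl
+++ b/resources/templates/form.tmpl
@@ -29,6 +29,8 @@ for a in sorted(attributes.keys(), key=lambda attr: attributes[attr]['weight']):
 tmp = values[a][0]
 else:
 tmp = values[a]
+if tmp is None:
+tmp = ''
 value = ' value="'+ tmp + '"'
 value2 = '<option>'+ tmp +'</option>'
 else: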
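Review bot: The new `if tmp is None` guard handles only `None`, while `tmp` is still concatenated straight into the attribute at `value = ' value="'+ tmp + '"'` and into `value2`, so a non-string value (an int, if a backend returns one) raises a TypeError, and a string that reached this template without passing through the `_escape` call in `ldapcherry/__init__.py` lands in the attribute unescaped. Escaping `tmp` here, where the markup is assembled, would make the template safe regardless of which caller rendered it. The enclosing `for a in sorted(...)` loop and its `if`/`else` branches start and end outside the hunk.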
