sanitize more output by stripping tags and escaping html

kjk · Jun 19, 2011 · 36acb17 · 36acb17
1 parent d40b66d
commit 36acb17
Show file tree

Hide file tree

Showing 3 changed files with 72 additions and 72 deletions.
diff --git a/index.yaml b/index.yaml
@@ -1,66 +1,66 @@
-indexes:
-
-- kind: Post
-  properties:
-  - name: forum
-  - name: is_deleted
-  - name: topic
-  - name: created_on
-
-# AUTOGENERATED
-
-# This index.yaml is automatically updated whenever the dev_appserver
-# detects that a new type of query is run.  If you want to manage the
-# index.yaml file manually, remove the above marker line (the line
-# saying "# AUTOGENERATED").  If you want to manage some indexes
-# manually, move them above the marker line.  The index.yaml file is
-# automatically uploaded to the admin console when you next deploy
-# your application using appcfg.py.
-
-- kind: Post
-  properties:
-  - name: forum
-  - name: is_deleted
-  - name: created_on
-    direction: desc
-
-- kind: Post
-  properties:
-  - name: forum
-  - name: topic
-  - name: created_on
-
-- kind: Post
-  properties:
-  - name: is_deleted
-  - name: topic
-  - name: created_on
-
-- kind: Post
-  properties:
-  - name: topic
-  - name: created_on
-
-- kind: Post
-  properties:
-  - name: topic
-  - name: created_on
-    direction: desc
-
-- kind: Topic
-  properties:
-  - name: forum
-  - name: created_on
-
-- kind: Topic
-  properties:
-  - name: forum
-  - name: created_on
-    direction: desc
-
-- kind: Topic
-  properties:
-  - name: forum
-  - name: is_deleted
-  - name: created_on
-    direction: desc
+indexes:
+
+- kind: Post
+  properties:
+  - name: forum
+  - name: is_deleted
+  - name: topic
+  - name: created_on
+
+# AUTOGENERATED
+
+# This index.yaml is automatically updated whenever the dev_appserver
+# detects that a new type of query is run.  If you want to manage the
+# index.yaml file manually, remove the above marker line (the line
+# saying "# AUTOGENERATED").  If you want to manage some indexes
+# manually, move them above the marker line.  The index.yaml file is
+# automatically uploaded to the admin console when you next deploy
+# your application using appcfg.py.
+
+- kind: Post
+  properties:
+  - name: forum
+  - name: is_deleted
+  - name: created_on
+    direction: desc
+
+- kind: Post
+  properties:
+  - name: forum
+  - name: topic
+  - name: created_on
+
+- kind: Post
+  properties:
+  - name: is_deleted
+  - name: topic
+  - name: created_on
+
+- kind: Post
+  properties:
+  - name: topic
+  - name: created_on
+
+- kind: Post
+  properties:
+  - name: topic
+  - name: created_on
+    direction: desc
+
+- kind: Topic
+  properties:
+  - name: forum
+  - name: created_on
+
+- kind: Topic
+  properties:
+  - name: forum
+  - name: created_on
+    direction: desc
+
+- kind: Topic
+  properties:
+  - name: forum
+  - name: is_deleted
+  - name: created_on
+    direction: desc
diff --git a/skins/default/topic.html b/skins/default/topic.html
@@ -59,9 +59,9 @@ <h3>{{ topic.subject|escape }}</h3>
 							{% endif %}
 						{% endif %}
 						{% if post.user_homepage %}
-							<a href="{{ post.user_homepage }}">{{ post.user_name|escape }}</a>
+							<a href="{{ post.user_homepage }}">{{ post.user_name|striptags|escape }}</a>
 						{% else %}
-							{{ post.user_name|escape }}
+							{{ post.user_name|striptags|escape }}
 						{% endif %}
 						<span class="noIE">&nbsp;</span><br />
 						{{ post.created_on|date:"F jS, Y g:ia" }}

diff --git a/skins/default/topic_list.html b/skins/default/topic_list.html
@@ -48,12 +48,12 @@ <h1><a href="{{ siteroot }}" class="green">{{ forum.title_or_url }}</a></h1>
 			There are no topics. You better create one.
 		{% else %}
 		{% for topic in topics %}
-		  {% if topic.is_deleted %}
-				<a class="deleted" href="{{ siteroot }}topic?id={{ topic.key.id }}{% if topic.ncomments %}&comments={{ topic.ncomments }}{% endif %}" title="{{ topic.msg_short }}">{{ topic.subject|escape }}</a>
+		    {% if topic.is_deleted %}
+				<a class="deleted" href="{{ siteroot }}topic?id={{ topic.key.id }}{% if topic.ncomments %}&comments={{ topic.ncomments }}{% endif %}" title="{{ topic.msg_short|striptags|escape }}">{{ topic.subject|escape }} </a>
 			{% else %}
-				<a href="{{ siteroot }}topic?id={{ topic.key.id }}{% if topic.ncomments %}&comments={{ topic.ncomments }}{% endif %}" title="{{ topic.msg_short }}">{{ topic.subject|escape }}</a>
+				<a href="{{ siteroot }}topic?id={{ topic.key.id }}{% if topic.ncomments %}&comments={{ topic.ncomments }}{% endif %}" title="{{ topic.msg_short|striptags|escape }}">{{ topic.subject|escape }} </a>
 			{% endif %}
-			<em>{{ topic.created_by }}</em> <span>({{ topic.ncomments }}{% if forloop.first %} comment{{ topic.ncomments|pluralize }}{% endif %})</span>
+			<em>{{ topic.created_by|striptags|escape }}</em> <span>({{ topic.ncomments }}{% if forloop.first %} comment{{ topic.ncomments|pluralize }}{% endif %})</span>
 			<br />
 			{% if not forloop.first %}
 				<div class="dateline"></div>