
better way to sanitize homepage

kjk committed Jan 10, 2011
1 parent 0a428d6 commit 687f61cdbc1dc580f1013cdff9ffe562fc2346a5
Showing with 15 additions and 8 deletions.
  1. +10 −8 main.py
  2. +5 −0 todo.txt
18 main.py
@@ -676,6 +676,14 @@ def get(self):
self.response.headers['Content-Type'] = 'text/xml'
self.response.out.write(feedtxt)
+def sanitize_homepage(s):
+ # prevent javascript injection
+ if not (s.startswith("http://") or s.startswith("https://")):
+ return ""
+ # 'http://' is the default value we put, so if unchanged, consider it
+ # as not given at all
+ if s == "http://": return ""
+ return s
# responds to /<forumurl>/email[?post_id=<post_id>]
class EmailForm(FofouBase):
@@ -805,6 +813,7 @@ def post(self):
except ValueError:
validCaptcha = False
+ homepage = sanitize_homepage(homepage)
tvals = {
'siteroot' : siteroot,
'forum' : forum,
@@ -821,14 +830,7 @@ def post(self):
"prevTopicId" : topic_id,
"log_in_out" : get_log_in_out(siteroot + "post")
}
-
- # 'http://' is the default value we put, so if unchanged, consider it
- # as not given at all
- if homepage == "http://": homepage = ""
- # prevent javascript injection
- if not (homepage.startswith("http://") or homepage.startswith("https://")):
- homepage = ""
-
+
# validate captcha and other values
errclass = None
if not validCaptcha or (captcha != (num1 + num2)): errclass = 'captcha_class'
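Review bot: The scheme check in sanitize_homepage (first hunk) rejects `javascript:` and other non-http(s) schemes but passes every character after the prefix through unchanged, so a value containing `"`, `<` or `>` still relies on the template HTML-escaping `homepage` wherever it is rendered; the template is not visible here, so please confirm it escapes, or have the function reject such values. The function also has no docstring; I would add `"""Return s unchanged if it is an http:// or https:// URL (and not the bare 'http://' placeholder), else ""."""` and fold the two prefix tests into `if not s.startswith(("http://", "https://")):`. If the homepage field can be absent from the request (that code is outside the hunks), `s.startswith` will raise on `None`, so `s = s or ""` at the top would be safer. The call moved into post() in the second hunk now runs before `tvals` is built, which is the right order if `homepage` is one of its entries, since the old reassignment after the dict was built would not have updated it; post()'s body starts and ends outside the hunks.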
@@ -7,7 +7,12 @@ Of course, there's always something to improve and below is my whishlist. I'm
sure you'll have no trouble coming up with your own list of possible
improvements.
+TODO:
+ - fix cookie expire time as in https://github.com/solsticedhiver/fofou/commit/19b864fde9e0ba3fc9f24e2bb4b11a7408385778
+
TODO nice to have:
+ - use self.request.remote_addr instead of os.environ['REMOTE_ADDR'] as in
+ https://github.com/solsticedhiver/fofou/commit/0f2b8a46435fa056cc93052ea929db5819eb9b2c
- unchecking 'remember me' on post doesn't seem to make us forget
- comment count should only count non-deleted posts
- mass delete of posts from a given ip address and/or user account
