Merge pull request #2 from suzu-devworks/develop

Develop
suzu-devworks · Jun 11, 2024 · bb429ee · bb429ee
2 parents 01f1dd9 + 773f713
commit bb429ee
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -3,6 +3,7 @@
 Workspace for studying Python web programming.
 
 [![pdm-managed](https://img.shields.io/badge/pdm-managed-blueviolet)](https://pdm.fming.dev)
+[![CodeQL](https://github.com/suzu-devworks/examples-py-web/actions/workflows/github-code-scanning/codeql/badge.svg)](https://github.com/suzu-devworks/examples-py-web/actions/workflows/github-code-scanning/codeql)
 
 
 # What is this repository for?

diff --git a/src/examples-flask-started/src/quickstart/_03_routing.py b/src/examples-flask-started/src/quickstart/_03_routing.py
@@ -58,7 +58,7 @@ def show_user_profile(username: str) -> str:
 @app.route("/post/<int:post_id>")
 def show_post(post_id: int) -> str:
     # show the post with the given id, the id is an integer
-    return f"Post {post_id}"
+    return f"Post {escape(post_id)}"
 
 
 @app.route("/path/<path:subpath>")

diff --git a/src/examples-flask-started/src/quickstart/_04_routing_url_building.py b/src/examples-flask-started/src/quickstart/_04_routing_url_building.py
@@ -22,6 +22,7 @@
 """
 
 from flask import Flask, url_for
+from markupsafe import escape
 
 app = Flask(__name__)
 
@@ -38,7 +39,7 @@ def login() -> str:
 
 @app.route("/user/<username>")
 def profile(username: str) -> str:
-    return f"{username}'s profile"
+    return f"{escape(username)}'s profile"
 
 
 if __name__ == "__main__":

diff --git a/src/examples-flask-started/src/quickstart/_07_accessing_request_data.py b/src/examples-flask-started/src/quickstart/_07_accessing_request_data.py
@@ -21,6 +21,7 @@
 """
 
 from flask import Flask, Response, make_response, render_template, request
+from markupsafe import escape
 from werkzeug.utils import secure_filename
 
 app = Flask(__name__)
@@ -60,7 +61,7 @@ def valid_login(username: str, password: str) -> bool:
 
 
 def log_the_user_in(username: str) -> str:
-    return f"{username} is login."
+    return f"{escape(username)} is login."
 
 
 """
@@ -75,7 +76,7 @@ def upload_file() -> str:
         file_name = secure_filename(str(file.filename))
         print(f"save file to: uploads/{file_name}")
         # file.save(f"uploads/{file_name}")
-    return f"OK: {file_name}, ({file.content_type})"
+    return f"OK: {escape(file_name)}, ({escape(file.content_type)})"
 
 
 """