#4199 Escape HTML tag characters in the query string
Closed 6 months ago by mikem. Opened 7 months ago by taliaferro-llnl.
taliaferro-llnl/koji kojiweb-html-escape into master

@@ -20,6 +20,7 @@ 

  #       Mike McLean <mikem@redhat.com>

  

  import cgi

+ import html

  import inspect

  import logging

  import os.path
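Review bot: the new `import html` sits in the right alphabetical position between `cgi` and `inspect`, so no style objection here; one thing worth keeping in mind for the second hunk is that `html.escape()` defaults to `quote=True`, so it rewrites `"` and `'` as well as `&`, `<` and `>`, which widens the set of query values that change shape on the way in.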
@@ -250,7 +251,7 @@ 

              if field.filename:

                  val = field

              else:

-                 val = field.value

+                 val = html.escape(field.value)

              data.setdefault(field.name, []).append(val)

          # replace singleton lists with single values

          # XXX - this is a bad practice, but for now we strive to emulate mod_python.publisher
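Review bot: escaping in the dispatcher changes the data every handler receives, not only what the template prints, so any handler that uses the field for a comparison, a lookup or a hub call will now see `&amp;`, `&lt;`, `&#x27;` and friends where the raw characters used to be and will stop matching values that contain them; a template that already escapes on output will additionally double-escape these (`&amp;amp;`). Drop `val = html.escape(field.value)` and keep `val = field.value`, doing the escaping at render time in the templates instead (ideally via autoescaping there). If dispatcher-level escaping is kept regardless, note that the `if field.filename:` branch still passes file fields through untouched, which is inconsistent with the stated goal of the change.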

Currently, the fields in the query string are not sanitized for special characters; using html.escape() we can remove HTML tag characters to prevent them from making their way back out into the rendered template.

The dispatcher is not really the right place to handle such escaping. The handlers are not expecting html-escaped strings.
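An added illustration of the point made in that comment (example code written for this page, not part of koji or of the PR): escaping at the dispatcher alters the value a handler compares or looks up, while escaping only at render time keeps the raw value intact and avoids double-escaping. The sample query values and the tiny "store" are constructed for the example.

```python
import html

# Constructed sample: a raw query-string value containing every character
# html.escape() rewrites (&, <, >, " and ').
RAW_NAME = "O'Brien & Sons <build> \"x\""

# Constructed "database" of values a handler might look up by exact match.
KNOWN_NAMES = {RAW_NAME}

# Constructed parsed query string, keyed like the dispatcher's data dict.
SAMPLE_FIELDS = {"name": RAW_NAME, "tag": "f40-updates"}


def dispatcher_escape(fields):
    """Mimic the PR's approach: escape every non-file field before any handler sees it."""
    return {key: html.escape(value) for key, value in fields.items()}


def handler_lookup(fields, known=KNOWN_NAMES):
    """A handler that uses the field value as-is for an exact-match lookup.

    Returns True when the incoming 'name' matches a known record.
    """
    return fields["name"] in known


def render_at_output(value):
    """Template-side escaping: the only place HTML escaping belongs.

    Escaping here on an already-escaped value produces the double-escaped
    '&amp;amp;' form, which is what a reader would see in the page.
    """
    return html.escape(value)


if __name__ == "__main__":
    escaped = dispatcher_escape(SAMPLE_FIELDS)
    print("raw lookup matches:      ", handler_lookup(SAMPLE_FIELDS))
    print("post-dispatcher lookup:  ", handler_lookup(escaped))
    print("render raw at output:    ", render_at_output(SAMPLE_FIELDS["name"]))
    print("render pre-escaped value:", render_at_output(escaped["name"]))
```

Running it shows the lookup succeeding on the raw value and failing on the dispatcher-escaped one, and the pre-escaped value coming out of the template with `&amp;amp;`, `&amp;lt;` and so on.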

Pull-Request has been closed by mikem 6 months ago