diff options
25 files changed, 71 insertions, 59 deletions
diff --git a/askbot/management/commands/askbot_add_test_content.py b/askbot/management/commands/askbot_add_test_content.py index 6b14df59..ace629d0 100644 --- a/askbot/management/commands/askbot_add_test_content.py +++ b/askbot/management/commands/askbot_add_test_content.py @@ -14,21 +14,23 @@ NUM_COMMENTS = 20 # karma. This can be calculated dynamically - max of MIN_REP_TO_... settings INITIAL_REPUTATION = 500 +BAD_STUFF = "<script>alert('hohoho')</script>" + # Defining template inputs. -USERNAME_TEMPLATE = "test_user_%s" +USERNAME_TEMPLATE = BAD_STUFF + "test_user_%s" PASSWORD_TEMPLATE = "test_password_%s" EMAIL_TEMPLATE = "test_user_%s@askbot.org" -TITLE_TEMPLATE = "Test question title No.%s" -TAGS_TEMPLATE = ["tag-%s-0", "tag-%s-1"] # len(TAGS_TEMPLATE) tags per question +TITLE_TEMPLATE = "Test question title No.%s" + BAD_STUFF +TAGS_TEMPLATE = [BAD_STUFF + "tag-%s-0", BAD_STUFF + "tag-%s-1"] # len(TAGS_TEMPLATE) tags per question -CONTENT_TEMPLATE = """Lorem lean startup ipsum product market fit customer +CONTENT_TEMPLATE = BAD_STUFF + """Lorem lean startup ipsum product market fit customer development acquihire technical cofounder. User engagement **A/B** testing *shrink* a market venture capital pitch.""" -ANSWER_TEMPLATE = """Accelerator photo sharing business school drop out ramen +ANSWER_TEMPLATE = BAD_STUFF + """Accelerator photo sharing business school drop out ramen hustle crush it revenue traction platforms.""" -COMMENT_TEMPLATE = """Main differentiators business model micro economics +COMMENT_TEMPLATE = BAD_STUFF + """Main differentiators business model micro economics marketplace equity augmented reality human computer""" diff --git a/askbot/models/__init__.py b/askbot/models/__init__.py index b4ce350f..c4c11cb4 100644 --- a/askbot/models/__init__.py +++ b/askbot/models/__init__.py @@ -13,6 +13,7 @@ from django.utils.translation import ugettext as _ from django.utils.translation import ungettext from django.contrib.auth.models import User from django.utils.safestring import mark_safe +from django.utils.html import escape from django.db import models from django.conf import settings as django_settings from django.contrib.contenttypes.models import ContentType @@ -38,6 +39,7 @@ from askbot.models.repute import Award, Repute, Vote from askbot import auth from askbot.utils.decorators import auto_now_timestamp from askbot.utils.slug import slugify +from askbot.utils.html import sanitize_html from askbot.utils.diff import textDiff as htmldiff from askbot.utils.url_utils import strip_path from askbot import mail @@ -2094,7 +2096,7 @@ def user_get_absolute_url(self): def get_profile_link(self): profile_link = u'<a href="%s">%s</a>' \ - % (self.get_profile_url(),self.username) + % (self.get_profile_url(), escape(self.username)) return mark_safe(profile_link) @@ -2684,8 +2686,8 @@ def format_instant_notification_email( revisions = post.revisions.all()[:2] assert(len(revisions) == 2) content_preview = htmldiff( - revisions[1].html, - revisions[0].html, + sanitize_html(revisions[1].html), + sanitize_html(revisions[0].html), ins_start = '<b><u style="background-color:#cfc">', ins_end = '</u></b>', del_start = '<del style="color:#600;background-color:#fcc">', diff --git a/askbot/models/post.py b/askbot/models/post.py index 673b4c6f..c08b940b 100644 --- a/askbot/models/post.py +++ b/askbot/models/post.py @@ -399,9 +399,8 @@ class Post(models.Model): extra_authors = set() for name_seed in extra_name_seeds: - extra_authors.update(User.objects.filter( - username__istartswith = name_seed - ) + extra_authors.update( + User.objects.filter(username__istartswith = name_seed) ) #it is important to preserve order here so that authors of post @@ -470,9 +469,12 @@ class Post(models.Model): #because generic relation needs primary key of the related object super(self.__class__, self).save(**kwargs) if last_revision: - diff = htmldiff(last_revision, self.html) + diff = htmldiff( + sanitize_html(last_revision), + sanitize_html(self.html) + ) else: - diff = self.get_snippet() + diff = sanitize_html(self.get_snippet()) timestamp = self.get_time_of_last_edit() diff --git a/askbot/models/repute.py b/askbot/models/repute.py index 09e74067..33ec3a42 100644 --- a/askbot/models/repute.py +++ b/askbot/models/repute.py @@ -1,9 +1,10 @@ +import datetime from django.contrib.contenttypes.models import ContentType from django.contrib.contenttypes import generic from django.contrib.auth.models import User from django.db import models from django.utils.translation import ugettext as _ -import datetime +from django.utils.html import escape from askbot import const from django.core.urlresolvers import reverse @@ -242,7 +243,7 @@ class Repute(models.Model): return '<a href="%(url)s" title="%(link_title)s">%(question_title)s</a>' \ % { 'url': self.question.get_absolute_url(), - 'question_title': self.question.thread.title, - 'link_title': link_title + 'question_title': escape(self.question.thread.title), + 'link_title': escape(link_title) } diff --git a/askbot/skins/common/templates/question/closed_question_info.html b/askbot/skins/common/templates/question/closed_question_info.html index 87d9379c..f6f3f557 100644 --- a/askbot/skins/common/templates/question/closed_question_info.html +++ b/askbot/skins/common/templates/question/closed_question_info.html @@ -1,5 +1,5 @@ <div class="question-status"> <h3>{% trans close_reason=thread.get_close_reason_display() %}The question has been closed for the following reason <b>"{{ close_reason }}"</b> <i>by{% endtrans %} - <a href="{{ thread.closed_by.get_profile_url() }}">{{ thread.closed_by.username }}</a> </i><br> + <a href="{{ thread.closed_by.get_profile_url() }}">{{ thread.closed_by.username|escape }}</a> </i><br> {% trans closed_at=thread.closed_at %}close date {{closed_at}}{% endtrans %}</h3> </div> diff --git a/askbot/skins/default/templates/badge.html b/askbot/skins/default/templates/badge.html index d1f75617..b2c4ce8b 100644 --- a/askbot/skins/default/templates/badge.html +++ b/askbot/skins/default/templates/badge.html @@ -20,7 +20,7 @@ <div class="user"> <ul> <li class="thumb">{{ gravatar(recipient, 32) }}</li> - <li><a href="{{ recipient.get_absolute_url() }}">{{recipient.username}}</a></li> + <li><a href="{{ recipient.get_absolute_url() }}">{{recipient.username|escape}}</a></li> <li>{{ macros.user_score_and_badge_summary(recipient) }}</li> </ul> </div> diff --git a/askbot/skins/default/templates/email/ask_for_signature.html b/askbot/skins/default/templates/email/ask_for_signature.html index e4449433..cafeee2b 100644 --- a/askbot/skins/default/templates/email/ask_for_signature.html +++ b/askbot/skins/default/templates/email/ask_for_signature.html @@ -1,6 +1,6 @@ {% import "email/macros.html" as macros %} <p style="{{ macros.heading_style() }}"> - {% trans %}{{ username }}, please reply to this message.{% endtrans %} + {% trans user=username|escape %}{{ user }}, please reply to this message.{% endtrans %} </p> <p> {% trans %}Your post could not be published, because we could not detect signature in your email.{% endtrans %}<br/> diff --git a/askbot/skins/default/templates/email/insufficient_rep_to_post_by_email.html b/askbot/skins/default/templates/email/insufficient_rep_to_post_by_email.html index da4c93ca..284cc1b0 100644 --- a/askbot/skins/default/templates/email/insufficient_rep_to_post_by_email.html +++ b/askbot/skins/default/templates/email/insufficient_rep_to_post_by_email.html @@ -6,7 +6,7 @@ * site_link - html for the link #} <p style="{{ macros.heading_style() }}"> - {% trans %}{{ username }}, your question could not be posted by email just yet.{% endtrans %} + {% trans user=username|escape %}{{ username }}, your question could not be posted by email just yet.{% endtrans %} </p> <p> {% trans %}To make posts by email, you need to receive about {{min_upvotes}} upvotes.{% endtrans %}<br/> diff --git a/askbot/skins/default/templates/email/macros.html b/askbot/skins/default/templates/email/macros.html index 1acbf515..d7817bf9 100644 --- a/askbot/skins/default/templates/email/macros.html +++ b/askbot/skins/default/templates/email/macros.html @@ -7,7 +7,7 @@ %} {% spaceless %} {{ start_quote(quote_level) }} - {% set author = post.author.username %} + {% set author = post.author.username|escape %} {% if post.post_type == 'question' %} <p> {% if format == 'parent_subthread' %} diff --git a/askbot/skins/default/templates/feedback.html b/askbot/skins/default/templates/feedback.html index 85b5d00a..04b9a5b4 100644 --- a/askbot/skins/default/templates/feedback.html +++ b/askbot/skins/default/templates/feedback.html @@ -11,7 +11,7 @@ <form method="post" action="{% url feedback %}" accept-charset="utf-8">{% csrf_token %} {% if user.is_authenticated() %} <p class="message"> - {% trans user_name=user.username %} + {% trans user_name=user.username|escape %} <span class='big strong'>Dear {{user_name}}</span>, we look forward to hearing your feedback. Please type and send us your message below. {% endtrans %} diff --git a/askbot/skins/default/templates/help.html b/askbot/skins/default/templates/help.html index 7dc58f5d..204fc086 100644 --- a/askbot/skins/default/templates/help.html +++ b/askbot/skins/default/templates/help.html @@ -4,7 +4,7 @@ <h1 class='section-title'>{% trans %}Help{% endtrans %}</h1> <p> {% if request.user.is_authenticated() %} - {% trans username = request.user.username %}Welcome {{username}},{% endtrans %} + {% trans username = request.user.username|escape %}Welcome {{username}},{% endtrans %} {% else %} {% trans %}Welcome,{% endtrans %} {% endif %} diff --git a/askbot/skins/default/templates/macros.html b/askbot/skins/default/templates/macros.html index 485713aa..3e463c1c 100644 --- a/askbot/skins/default/templates/macros.html +++ b/askbot/skins/default/templates/macros.html @@ -10,7 +10,7 @@ {# follow - boolean; name - object type name; alias - e.g. users name; id - object id #} <div class="follow-toggle follow-user-toggle" - id="follow-{{ name }}-{{ id }}" + id="follow-{{ name|escape }}-{{ id }}" > {% if follow %} <div class="follow">{% trans %}follow {{alias}}{% endtrans %}</div> @@ -29,18 +29,18 @@ <div class="face"> {{ gravatar(response.user, 48) }} </div> - <a style="font-size:12px" href="{{ response.user.get_absolute_url() }}">{{ response.user.username }}</a> + <a style="font-size:12px" href="{{ response.user.get_absolute_url() }}">{{ response.user.username|escape }}</a> <a style="text-decoration:none;" href="{{ response.response_url }}"> {{ response.response_type }} ({{ timeago(response.timestamp) }}):<br/> {% if inbox_section != 'flags' %} - {{ response.response_snippet }} + {{ response.response_snippet|escape }} {% endif %} </a> {% if inbox_section == 'flags' %} <a class="re_expand" href="{{ response.response_url }}"> - <!--div class="re_snippet">{{ response.response_snippet }}</div--> - <div class="re_content">{{ response.response_content }}</div> + <!--div class="re_snippet">{{ response.response_snippet|escape }}</div--> + <div class="re_content">{{ response.response_content|escape }}</div> </a> {% endif %} </div> @@ -291,14 +291,14 @@ poor design of the data or methods on data objects #} class="tag tag-right{% if css_class %} {{ css_class }}{% endif %}" {% if is_link %} href="{{ search_state.add_tag(tag).full_url() }}" - title="{% trans %}see questions tagged '{{ tag }}'{% endtrans %}" + title="{% trans tag=tag|escape %}see questions tagged '{{ tag }}'{% endtrans %}" {% endif %} rel="tag" data-tag-name="{{ tag|replace('*', '✽')|escape }}" >{% if truncate_long_tag -%} - {{ tag|replace('*', '✽')|truncate(17, True) }} + {{ tag|replace('*', '✽')|truncate(17, True)|escape }} {%- else -%} - {{ tag|replace('*', '✽') }} + {{ tag|replace('*', '✽')|escape }} {%- endif %}</{% if not is_link or tag[-1] == '*' %}span{% else %}a{% endif %}> {% if deletable %} <div class="delete-icon" @@ -402,7 +402,7 @@ for the purposes of the AJAX comment editor #} </div> <div class="comment-body"> {{comment.html}} - <a class="author" href="{{comment.author.get_profile_url()}}">{{comment.author.username}}</a> + <a class="author" href="{{comment.author.get_profile_url()}}">{{comment.author.username|escape}}</a> <span class="age"> ({{ timeago(comment.added_at) }})</span> <a id="post-{{comment.id}}-edit" class="edit">{% trans %}edit{% endtrans %}</a> @@ -546,13 +546,13 @@ answer {% if answer.accepted() %}accepted-answer{% endif %} {% if answer.author_ {%- macro follow_user_toggle(visitor = None, subject = None) -%} {% if visitor.is_anonymous() %} - {{ follow_toggle(True, 'user', subject.username, subject.id) }} + {{ follow_toggle(True, 'user', subject.username|escape, subject.id) }} {% else %} {% if visitor != subject %} {% if visitor.is_following(subject) %} - {{ follow_toggle(False, 'user', subject.username, subject.id) }} + {{ follow_toggle(False, 'user', subject.username|escape, subject.id) }} {% else %} - {{ follow_toggle(True, 'user', subject.username, subject.id) }} + {{ follow_toggle(True, 'user', subject.username|escape, subject.id) }} {% endif %} {% endif %} {% endif %} @@ -572,7 +572,7 @@ answer {% if answer.accepted() %}accepted-answer{% endif %} {% if answer.author_ endtrans %}" title="{% trans country=user.country.name, - person=user.username %}{{person}} is from {{country}}{% + person=user.username|escape %}{{person}} is from {{country}}{% endtrans %}" /> {% endif %} @@ -607,8 +607,8 @@ answer {% if answer.accepted() %}accepted-answer{% endif %} {% if answer.author_ ><img class="gravatar" width="{{size}}" height="{{size}}" src="{{ user.get_avatar_url(size) }}" - title="{{user.username}}" - alt="{% trans username=user.username %}{{username}} gravatar image{% endtrans %}" + title="{{user.username|escape}}" + alt="{% trans username=user.username|escape %}{{username}} gravatar image{% endtrans %}" /></a> {% endspaceless %} {%- endmacro -%} @@ -708,7 +708,7 @@ answer {% if answer.accepted() %}accepted-answer{% endif %} {% if answer.author_ {% if user.new_response_count > 0 or user.seen_response_count > 0 %} <a id='ab-responses' href="{{user.get_absolute_url()}}?sort=inbox§ion=forum"> <img - alt="{% trans username=user.username %}responses for {{username}}{% endtrans %}" + alt="{% trans username=user.username|escape %}responses for {{username}}{% endtrans %}" {% if user.new_response_count > 0 %} src="{{ "/images/mail-envelope-full.png"|media }}" title="{% trans response_count=user.new_response_count %}you have {{response_count}} new response{% pluralize %}you have {{response_count}} new responses{% endtrans %}" diff --git a/askbot/skins/default/templates/reopen.html b/askbot/skins/default/templates/reopen.html index 894fa3a0..52d926ce 100644 --- a/askbot/skins/default/templates/reopen.html +++ b/askbot/skins/default/templates/reopen.html @@ -10,7 +10,7 @@ </a> </p> <p>{% trans %}This question has been closed by - <a href="{{closed_by_profile_url}}">{{closed_by_username}}</a> + <a href="{{closed_by_profile_url}}">{{closed_by_username|escape}}</a> {% endtrans %} </p> <p> diff --git a/askbot/skins/default/templates/user_profile/user.html b/askbot/skins/default/templates/user_profile/user.html index fb40b206..2f06a3c9 100644 --- a/askbot/skins/default/templates/user_profile/user.html +++ b/askbot/skins/default/templates/user_profile/user.html @@ -9,7 +9,7 @@ {% block content %} <h1 class="section-title"> {% spaceless %} - {% trans username=view_user.username %}{{username}}'s profile{% endtrans %} - {% block profilesection %}{% endblock %} + {% trans username=view_user.username|escape %}{{username}}'s profile{% endtrans %} - {% block profilesection %}{% endblock %} {% endspaceless %} </h1> {% include "user_profile/user_tabs.html" %} @@ -21,7 +21,7 @@ {% block endjs %} <script type="text/javascript"> var viewUserID = {{view_user.id}}; - askbot['data']['viewUserName'] = '{{ view_user.username }}'; + askbot['data']['viewUserName'] = '{{ view_user.username|escape }}'; askbot['data']['viewUserId'] = {{view_user.id}}; askbot['urls']['edit_group_membership'] = '{% url edit_group_membership %}'; askbot['urls']['get_groups_list'] = '{% url get_groups_list %}'; diff --git a/askbot/skins/default/templates/user_profile/user_edit.html b/askbot/skins/default/templates/user_profile/user_edit.html index 88a21e9f..c95bf815 100644 --- a/askbot/skins/default/templates/user_profile/user_edit.html +++ b/askbot/skins/default/templates/user_profile/user_edit.html @@ -4,7 +4,7 @@ {% block title %}{% spaceless %}{% trans %}Edit user profile{% endtrans %}{% endspaceless %}{% endblock %} {% block content %} <h1 class="section-title"> - {{ request.user.username }} - {% trans %}edit profile{% endtrans %} + {{ request.user.username|escape }} - {% trans %}edit profile{% endtrans %} </h1> <div id="main-body" style="width:100%;padding-top:10px"> <form name="" action="{% url edit_user request.user.id %}" method="post">{% csrf_token %} @@ -42,7 +42,7 @@ {{ form.username }} <span class="form-error"> {{ form.username.errors }} </span></td> {% else %} - {{ view_user.username }} + {{ view_user.username|escape }} {% endif %} </td> </tr> diff --git a/askbot/skins/default/templates/user_profile/user_moderate.html b/askbot/skins/default/templates/user_profile/user_moderate.html index 347ec3af..a7f05b1c 100644 --- a/askbot/skins/default/templates/user_profile/user_moderate.html +++ b/askbot/skins/default/templates/user_profile/user_moderate.html @@ -5,7 +5,7 @@ {% endblock %} {% block usercontent %} {% if request.user != view_user %} - <h3>{% trans username=view_user.username, status=view_user.get_status_display() %}{{username}}'s current status is "{{status}}"{% endtrans %} + <h3>{% trans username=view_user.username|escape, status=view_user.get_status_display() %}{{username}}'s current status is "{{status}}"{% endtrans %} </h3> {% if user_status_changed %} <p class="action-status"><span>{% trans %}User status changed{% endtrans %}</span></p> @@ -40,7 +40,7 @@ </form> {% if request.user != view_user %} <hr/> -<h3>{% trans username=view_user.username %}Send message to {{username}}{% endtrans %}</h3> +<h3>{% trans username=view_user.username|escape %}Send message to {{username}}{% endtrans %}</h3> <p>{% trans %}An email will be sent to the user with 'reply-to' field set to your email address. Please make sure that your address is entered correctly.{% endtrans %}</p> {% if message_sent %} <p class="action-status"><span>{% trans %}Message sent{% endtrans %}</span></p> diff --git a/askbot/skins/default/templates/user_profile/user_network.html b/askbot/skins/default/templates/user_profile/user_network.html index e6134e0c..f64d95b0 100644 --- a/askbot/skins/default/templates/user_profile/user_network.html +++ b/askbot/skins/default/templates/user_profile/user_network.html @@ -32,7 +32,7 @@ {% if request.user == view_user %} <p>{% trans %}Your network is empty. Would you like to follow someone? - Just visit their profiles and click "follow"{% endtrans %}</p> {% else %} - <p>{% trans username = view_user.username %}{{username}}'s network is empty{% endtrans %}</p> + <p>{% trans username = view_user.username|escape %}{{username}}'s network is empty{% endtrans %}</p> {% endif %} {% endif %} {% endblock %} diff --git a/askbot/skins/default/templates/user_profile/user_reputation.html b/askbot/skins/default/templates/user_profile/user_reputation.html index 1bb9b1ba..1cdf014a 100644 --- a/askbot/skins/default/templates/user_profile/user_reputation.html +++ b/askbot/skins/default/templates/user_profile/user_reputation.html @@ -11,7 +11,7 @@ {% if view_user.id == user.id %} <h2>{% trans %}Your karma change log.{% endtrans %}</h2> {% else %} - <h2>{% trans user_name=view_user.username %}{{user_name}}'s karma change log{% endtrans %}</h2> + <h2>{% trans user_name=view_user.username|escape %}{{user_name}}'s karma change log{% endtrans %}</h2> {% endif %} {% for rep in reputation %} <p> diff --git a/askbot/skins/default/templates/user_profile/user_stats.html b/askbot/skins/default/templates/user_profile/user_stats.html index 5e0e7426..2ccc277f 100644 --- a/askbot/skins/default/templates/user_profile/user_stats.html +++ b/askbot/skins/default/templates/user_profile/user_stats.html @@ -10,7 +10,7 @@ {% if settings.GROUPS_ENABLED %} <div id="user-groups"> <h2>{% trans - username = view_user.username + username = view_user.username|escape %}{{username}}'s groups{% endtrans %} </h2> <table id="groups-list"> @@ -146,7 +146,7 @@ <a title="{{ award.content_object.get_snippet()|collapse }}" href="{{ award.content_object.get_absolute_url() }}" - >{% if award.content_type.post_type == 'answer' %}{% trans %}Answer to:{% endtrans %}{% endif %} {{ award.content_object.thread.title }}</a> + >{% if award.content_type.post_type == 'answer' %}{% trans %}Answer to:{% endtrans %}{% endif %} {{ award.content_object.thread.title|escape }}</a> </li> {% endif %} {% endfor %} diff --git a/askbot/skins/default/templates/widgets/question_summary.html b/askbot/skins/default/templates/widgets/question_summary.html index c6e7bc5d..5fd51e08 100644 --- a/askbot/skins/default/templates/widgets/question_summary.html +++ b/askbot/skins/default/templates/widgets/question_summary.html @@ -46,7 +46,7 @@ {% if question.is_anonymous %} <span class="anonymous">{{ thread.last_activity_by.get_anonymous_name() }}</span> {% else %} - <a href="{% url user_profile thread.last_activity_by.id, thread.last_activity_by.username|slugify %}">{{thread.last_activity_by.username}}</a> {{ user_country_flag(thread.last_activity_by) }} + <a href="{% url user_profile thread.last_activity_by.id, thread.last_activity_by.username|slugify %}">{{thread.last_activity_by.username|escape}}</a> {{ user_country_flag(thread.last_activity_by) }} {#{user_score_and_badge_summary(thread.last_activity_by)}#} {% endif %} </div> diff --git a/askbot/skins/default/templates/widgets/user_list.html b/askbot/skins/default/templates/widgets/user_list.html index 11f2ed50..e51abc5b 100644 --- a/askbot/skins/default/templates/widgets/user_list.html +++ b/askbot/skins/default/templates/widgets/user_list.html @@ -7,7 +7,7 @@ <div class="user"> <ul> <li class="thumb">{{ gravatar(user, 32) }}</li> - <li><a href="{% url user_profile user.id, user.username|slugify %}{% if profile_section %}?sort={{profile_section}}{% endif %}">{{user.username}}</a>{{ user_country_flag(user) }}</li> + <li><a href="{% url user_profile user.id, user.username|slugify %}{% if profile_section %}?sort={{profile_section}}{% endif %}">{{user.username|escape}}</a>{{ user_country_flag(user) }}</li> <li>{{ user_score_and_badge_summary( user, diff --git a/askbot/skins/default/templates/widgets/user_navigation.html b/askbot/skins/default/templates/widgets/user_navigation.html index eec7e628..717cd7ee 100644 --- a/askbot/skins/default/templates/widgets/user_navigation.html +++ b/askbot/skins/default/templates/widgets/user_navigation.html @@ -1,5 +1,5 @@ {%- if request.user.is_authenticated() -%} - <a href="{{ request.user.get_absolute_url() }}">{{ request.user.username }}</a> + <a href="{{ request.user.get_absolute_url() }}">{{ request.user.username|escape }}</a> <span class="user-info"> {{ macros.inbox_link(request.user) }} {{ macros.moderation_items_link(request.user, moderation_items) }} diff --git a/askbot/utils/html.py b/askbot/utils/html.py index 1ce3ad35..2e3c1913 100644 --- a/askbot/utils/html.py +++ b/askbot/utils/html.py @@ -5,6 +5,7 @@ import re import htmlentitydefs from urlparse import urlparse from django.core.urlresolvers import reverse +from django.utils.html import escape class HTMLSanitizerMixin(sanitizer.HTMLSanitizerMixin): acceptable_elements = ('a', 'abbr', 'acronym', 'address', 'b', 'big', @@ -62,7 +63,7 @@ def site_link(url_name, title): from askbot.conf import settings base_url = urlparse(settings.APP_URL) url = base_url.scheme + '://' + base_url.netloc + reverse(url_name) - return '<a href="%s">%s</a>' % (url, title) + return '<a href="%s">%s</a>' % (url, escape(title)) def unescape(text): """source: http://effbot.org/zone/re-sub.htm#unescape-html diff --git a/askbot/views/readers.py b/askbot/views/readers.py index 2fb0e9f4..d7e5cecc 100644 --- a/askbot/views/readers.py +++ b/askbot/views/readers.py @@ -34,6 +34,7 @@ from askbot import schedules from askbot.models.tag import Tag from askbot import const from askbot.utils import functions +from askbot.utils.html import sanitize_html from askbot.utils.decorators import anonymous_forbidden, ajax_only, get_only from askbot.search.state_manager import SearchState, DummySearchState from askbot.templatetags import extra_tags @@ -562,10 +563,13 @@ def revisions(request, id, post_type = None): revisions.reverse() for i, revision in enumerate(revisions): if i == 0: - revision.diff = revisions[i].html + revision.diff = sanitize_html(revisions[i].html) revision.summary = _('initial version') else: - revision.diff = htmldiff(revisions[i-1].html, revision.html) + revision.diff = htmldiff( + sanitize_html(revisions[i-1].html), + sanitize_html(revision.html) + ) data = { 'page_class':'revisions-page', diff --git a/askbot/views/writers.py b/askbot/views/writers.py index 935b7cfa..232dbaea 100644 --- a/askbot/views/writers.py +++ b/askbot/views/writers.py @@ -17,7 +17,7 @@ from django.shortcuts import get_object_or_404 from django.contrib.auth.decorators import login_required from django.http import HttpResponseRedirect, HttpResponse, HttpResponseForbidden, Http404 from django.utils import simplejson -from django.utils.html import strip_tags +from django.utils.html import strip_tags, escape from django.utils.translation import ugettext as _ from django.core.urlresolvers import reverse from django.core import exceptions @@ -545,7 +545,7 @@ def __generate_comments_json(obj, user):#non-view generates json data for the po 'object_id': obj.id, 'comment_added_at': str(comment.added_at.replace(microsecond = 0)) + tz, 'html': comment.html, - 'user_display_name': comment_owner.username, + 'user_display_name': escape(comment_owner.username), 'user_url': comment_owner.get_profile_url(), 'user_id': comment_owner.id, 'is_deletable': is_deletable, |