mirror of https://github.com/kakwa/ldapcherry synced 2024-11-22 01:14:21 +01:00

remove the double escaping.

Now the escaping is done in the templates.
We need to remove the previous escaping done by hand in the code.
Otherwise, we end up with double escaping and funky display of
fields.
kakwa 2019-02-12 21:18:45 +01:00
parent 0cf5483785
commit bbafafae60


@ -34,10 +34,8 @@ from mako import exceptions
if sys.version < '3': if sys.version < '3':
from sets import Set as set from sets import Set as set
from urllib import quote_plus from urllib import quote_plus
from cgi import escape as html_escape
else: else:
from urllib.parse import quote_plus from urllib.parse import quote_plus
from html import escape as html_escape
SESSION_KEY = '_cp_username' SESSION_KEY = '_cp_username'
@ -62,36 +60,6 @@ class LdapCherry(object):
traceback=True traceback=True
) )
def _escape_list(self, data):
ret = []
for i in data:
ret.append(html_escape(i, True))
return ret
def _escape_dict(self, data):
for d in data:
if isinstance(data[d], list):
data[d] = self._escape_list(data[d])
elif isinstance(data[d], dict):
data[d] = self._escape_dict(data[d])
elif isinstance(data[d], set):
data[d] = set(self._escape_list(data[d]))
else:
data[d] = html_escape(data[d], True)
return data
def _escape(self, data, dtype):
if data is None:
return None
elif dtype == 'search_list':
for d in data:
data[d] = self._escape_dict(data[d])
elif dtype == 'attr_list':
data = self._escape_dict(data)
elif dtype == 'lonely_groups':
data = self._escape_dict(data)
return data
def _get_param(self, section, key, config, default=None): def _get_param(self, section, key, config, default=None):
""" Get configuration parameter "key" from config """ Get configuration parameter "key" from config
@str section: the section of the config file @str section: the section of the config file
@ -995,7 +963,7 @@ class LdapCherry(object):
return self.temp['index.tmpl'].render( return self.temp['index.tmpl'].render(
is_admin=is_admin, is_admin=is_admin,
attrs_list=attrs_list, attrs_list=attrs_list,
searchresult=self._escape(user_attrs, 'attr_list'), searchresult=user_attrs,
notifications=self._empty_notification(), notifications=self._empty_notification(),
) )
@ -1011,7 +979,7 @@ class LdapCherry(object):
res = None res = None
attrs_list = self.attributes.get_search_attributes() attrs_list = self.attributes.get_search_attributes()
return self.temp['searchuser.tmpl'].render( return self.temp['searchuser.tmpl'].render(
searchresult=self._escape(res, 'search_list'), searchresult=res,
attrs_list=attrs_list, attrs_list=attrs_list,
is_admin=is_admin, is_admin=is_admin,
custom_js=self.custom_js, custom_js=self.custom_js,
@ -1048,7 +1016,7 @@ class LdapCherry(object):
res = None res = None
attrs_list = self.attributes.get_search_attributes() attrs_list = self.attributes.get_search_attributes()
return self.temp['searchadmin.tmpl'].render( return self.temp['searchadmin.tmpl'].render(
searchresult=self._escape(res, 'search_list'), searchresult=res,
attrs_list=attrs_list, attrs_list=attrs_list,
is_admin=is_admin, is_admin=is_admin,
custom_js=self.custom_js, custom_js=self.custom_js,
@ -1169,7 +1137,7 @@ class LdapCherry(object):
try: try:
form = self.temp['form.tmpl'].render( form = self.temp['form.tmpl'].render(
attributes=self.attributes.attributes, attributes=self.attributes.attributes,
values=self._escape(user_attrs, 'attr_list'), values=user_attrs,
modify=True, modify=True,
keyattr=key, keyattr=key,
autofill=False autofill=False
@ -1187,10 +1155,7 @@ class LdapCherry(object):
form=form, form=form,
roles=roles, roles=roles,
is_admin=is_admin, is_admin=is_admin,
standalone_groups=self._escape( standalone_groups=standalone_groups,
standalone_groups,
'lonely_groups'
),
backends_display_names=self.backends_display_names, backends_display_names=self.backends_display_names,
custom_js=self.custom_js, custom_js=self.custom_js,
notifications=self._empty_notification(), notifications=self._empty_notification(),
@ -1245,7 +1210,7 @@ class LdapCherry(object):
form = self.temp['form.tmpl'].render( form = self.temp['form.tmpl'].render(
attributes=self.attributes.get_selfattributes(), attributes=self.attributes.get_selfattributes(),
values=self._escape(user_attrs, 'attr_list'), values=user_attrs,
modify=True, modify=True,
autofill=False autofill=False
) )
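Review bot: With `_escape` removed, the `searchresult=`, `values=` and `standalone_groups=` arguments in the `render()` calls for `index.tmpl`, `searchuser.tmpl`, `searchadmin.tmpl` and `form.tmpl` now carry raw LDAP attribute values, so output encoding rests entirely on the templates, which this page does not show. Mako does not HTML-escape `${...}` unless the expression uses `| h` or the lookup is built with `default_filters=['h']`, so it is worth confirming that each of these templates covers every value, including any emitted inside attributes or inline script, where HTML escaping alone is not the right encoding. A regression test that renders each template with a constructed value such as `<b>"x"</b>` and asserts the escaped form in the output would keep a later template edit from silently reintroducing stored XSS. The enclosing handler methods start and end outside the hunks.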