From c6cce54d5f2496b686a7102306c9e8c08859a078 Mon Sep 17 00:00:00 2001
From: John Thiltges <jthiltges2@unl.edu>
Date: Thu, 3 Jan 2019 13:12:53 -0600
Subject: [PATCH] Escape form values with markupsafe

- Use markupsafe to format escaped HTML fragments
- Correct the formatting problems introduced with the XSS fixes
---
 resources/templates/form.tmpl | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/resources/templates/form.tmpl b/resources/templates/form.tmpl
index c984641..243b173 100644
--- a/resources/templates/form.tmpl
+++ b/resources/templates/form.tmpl
@@ -1,5 +1,6 @@
 ## -*- coding: utf-8 -*-
 <% 
+from markupsafe import Markup
 len_attr = len(attributes)
 switch = len_attr / 2
 if not switch * 2 == len_attr:
@@ -31,32 +32,32 @@ for a in sorted(attributes.keys(), key=lambda attr: attributes[attr]['weight']):
             raw_value = values[a]
         if raw_value is None:
            raw_value = ''
-        value = ' value="'+ raw_value + '"'
-        value2 = '<option>'+ raw_value +'</option>'
+        value = Markup(' value="{}"').format(raw_value)
+        value2 = Markup('<option>{}</option>').format(raw_value)
     else:
         raw_value = ''
         value = ''
         value2 = ''
     if 'default' in attr and value == '':
-        value = ' value="'+ attr['default'] + '"'
+        value = Markup(' value="{}"').format(attr['default'])
   %>
 
   <span class="input-group-addon" id="basic-addon-${a}">${attr['display_name']}</span>
     % if modify and a == keyattr:
-  <input type="hidden" id="attr.${a}" name="attr.${a}" class="form-control" autocomplete='off' aria-describedby="basic-addon-${a}" ${required} ${value} readonly  onfocus="this.removeAttribute('readonly');">
+  <input type="hidden" id="attr.${a}" name="attr.${a}" class="form-control" autocomplete='off' aria-describedby="basic-addon-${a}" ${required} ${value | n} readonly  onfocus="this.removeAttribute('readonly');">
   <span class="form-control" aria-describedby="basic-addon-${a}">${raw_value}</span>
     % elif attr['type'] == 'string':
-  <input type="text"   id="attr.${a}" name="attr.${a}" class="form-control" autocomplete='off' placeholder="${attr['description']}" aria-describedby="basic-addon-${a}" ${required} ${value} readonly  onfocus="this.removeAttribute('readonly');">
+  <input type="text"   id="attr.${a}" name="attr.${a}" class="form-control" autocomplete='off' placeholder="${attr['description']}" aria-describedby="basic-addon-${a}" ${required} ${value | n} readonly  onfocus="this.removeAttribute('readonly');">
     % elif attr['type'] == 'email':
-  <input type="email"  id="attr.${a}" name="attr.${a}" class="form-control" autocomplete='off' placeholder="${attr['description']}" aria-describedby="basic-addon-${a}" ${required} ${value} data-error="email address is invalid" readonly  onfocus="this.removeAttribute('readonly');">
+  <input type="email"  id="attr.${a}" name="attr.${a}" class="form-control" autocomplete='off' placeholder="${attr['description']}" aria-describedby="basic-addon-${a}" ${required} ${value | n} data-error="email address is invalid" readonly  onfocus="this.removeAttribute('readonly');">
     % elif attr['type'] == 'int':
-  <input type="number" id="attr.${a}" name="attr.${a}" class="form-control" autocomplete='off' placeholder="${attr['description']}" aria-describedby="basic-addon-${a}" ${required} ${value} readonly  onfocus="this.removeAttribute('readonly');">
+  <input type="number" id="attr.${a}" name="attr.${a}" class="form-control" autocomplete='off' placeholder="${attr['description']}" aria-describedby="basic-addon-${a}" ${required} ${value | n} readonly  onfocus="this.removeAttribute('readonly');">
     % elif attr['type'] == 'fix':
   <input type="hidden" id="attr.${a}" name="attr.${a}" class="form-control" autocomplete='off' aria-describedby="basic-addon-${a}" ${required} value="${attr['value']}" readonly  onfocus="this.removeAttribute('readonly');">
   <span class="form-control" placeholder="${attr['description']}" aria-describedby="basic-addon-${a}">${attr['value']}</span>
     % elif attr['type'] == 'stringlist':
   <select class="form-control" id="attr.${a}" name="attr.${a}">
-        ${value2}
+        ${value2 | n}
         %for val in attr['values']:
         %if '<option>' + val + '</option>' != value2:
         <option>${val}</option>