From 828cef406ccc4996925359650312d3dc41625100 Mon Sep 17 00:00:00 2001
From: Lan Hui <1348141770@qq.com>
Date: Fri, 29 Jul 2022 15:22:42 +0800
Subject: [PATCH 1/2] Escape user input first

---
 app/main.py | 3 ++-
 app/user_service.py | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/app/main.py b/app/main.py
index d903bf4..e311bb0 100644
--- a/app/main.py
+++ b/app/main.py
@@ -6,6 +6,7 @@
 # Written permission must be obtained from the author for commercial uses.
 ###########################################################################
+from flask import escape
 from Login import *
 from Article import *
 import Yaml
@@ -81,7 +82,7 @@ def mainpage():
 :return: 主界面
 '''
 if request.method == 'POST': # when we submit a form
- content = request.form['content']
+ content = escape(request.form['content'])
 f = WordFreq(content)
 lst = f.get_freq()
 # save history
diff --git a/app/user_service.py b/app/user_service.py
index 5148a60..79c7888 100644
--- a/app/user_service.py
+++ b/app/user_service.py
@@ -115,7 +115,7 @@ def userpage(username):
 user_freq_record = path_prefix + 'static/frequency/' + 'frequency_%s.pickle' % (username)
 if request.method == 'POST': # when we submit a form
- content = request.form['content']
+ content = escape(request.form['content'])
 f = WordFreq(content)
 lst = f.get_freq()
 return render_template('userpage_post.html',username=username,lst = lst, yml=Yaml.yml)

From 0098fa87469f918f2c4a84f5ef49031e8e63c4f0 Mon Sep 17 00:00:00 2001
From: Lan Hui <1348141770@qq.com>
Date: Fri, 29 Jul 2022 15:26:19 +0800
Subject: [PATCH 2/2] Prevent attribute injection

---
 app/templates/userpage_post.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/templates/userpage_post.html b/app/templates/userpage_post.html
index ba3b38d..725ee09 100644
--- a/app/templates/userpage_post.html
+++ b/app/templates/userpage_post.html
@@ -30,7 +30,7 @@
: {{word}} ({{x[1]}}) - +
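Review bot: `from flask import escape` in the import hunk of app/main.py depends on a re-export that Flask has since deprecated (2.3) and removed (3.0), so the module will stop importing on a routine upgrade; as far as I can tell the name's real home is MarkupSafe, which Flask already depends on. Change the added line to `from markupsafe import escape`. The star imports that follow (`from Login import *`, `from Article import *`) also make it impossible to tell from here which other names this module expects from those packages, which matters for the second file in this patch.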
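Review bot: Escaping `content` before it reaches `WordFreq` changes the text being analysed rather than how it is displayed: `escape()` rewrites `&`, `<`, `>`, `"` and `'` into entities, so an apostrophe in "don't" becomes `&#39;` and the frequency list (and whatever the `# save history` branch persists) records mangled tokens. HTML escaping belongs at the output boundary; Jinja already autoescapes `{{ ... }}` in `.html` templates, so the safer fix is to keep `content = request.form['content']` here and confirm the templates that render `lst` do not mark the values `|safe`, escaping at the render site if one of them does. `mainpage` continues outside the hunk, so I cannot see what the saved history is later used for.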
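Review bot: `escape(...)` is called in app/user_service.py but this patch adds no import to that file (the diffstat shows a single changed line), so unless the name is already in scope through an import not visible here, the POST branch of `userpage` raises `NameError` at runtime instead of returning the page. If the module does need it, add `from markupsafe import escape` at the top of the file; the better fix is to drop the input-time escaping for the same reason as in app/main.py and rely on the template's autoescaping, since the entities also alter the words `WordFreq` counts. `userpage` starts and continues outside the hunk.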

{% endfor %} @@ -42,4 +42,4 @@ {% endfor %} {% endif %} - \ No newline at end of file +