Fix: no-random secret key generation and XSS vulnerability

app/admin_service.py

@@ -56,6 +56,7 @@ def article():
     
     _articles = get_page_articles(_cur_page, _page_size)
     for article in _articles:   # 获取每篇文章的title
+        article = escape(article)
         article.title = article.text.split("\n")[0]
         article.content = '<br/>'.join(article.text.split("\n")[1:])
     

app/main.py

@@ -12,8 +12,10 @@ import Yaml
 from user_service import userService
 from account_service import accountService
 from admin_service import adminService, ADMIN_NAME
+import os
+
 app = Flask(__name__)
-app.secret_key = 'lunch.time!'
+app.secret_key = os.urandom(32)
 
 # 将蓝图注册到Lab app
 app.register_blueprint(userService)
@@ -54,6 +56,15 @@ def appears_in_test(word, d):
     else:
         return ','.join(d[word])
 
+@app.before_request
+def restrict_file_access():
+    '''
+    禁止直接访问/static下的数据库文件
+    '''
+    requested_path = request.path
+    normalized_path = os.path.normpath(requested_path)
+    if normalized_path.startswith('/static/') and normalized_path.endswith('wordfreqapp.db'):
+        return abort(403)
 
 @app.route("/mark", methods=['GET', 'POST'])
 def mark_word():