Escape user input first

2022-07-29 15:22:42 +08:00 · 2022-07-29 15:22:42 +08:00 · 828cef406c
parent 2c1bc98833
commit 828cef406c
2 changed files with 3 additions and 2 deletions
--- a/app/main.py
+++ b/app/main.py
@ -6,6 +6,7 @@
 # Written permission must be obtained from the author for commercial uses.
 ###########################################################################

+from flask import escape
 from Login import *
 from Article import *
 import Yaml
@ -81,7 +82,7 @@ def mainpage():
    :return: 主界面
    '''
    if request.method == 'POST':  # when we submit a form
-        content = request.form['content']
+        content = escape(request.form['content'])
        f = WordFreq(content)
        lst = f.get_freq()
        # save history
--- a/app/user_service.py
+++ b/app/user_service.py
@ -115,7 +115,7 @@ def userpage(username):
    user_freq_record = path_prefix + 'static/frequency/' + 'frequency_%s.pickle' % (username)

    if request.method == 'POST':  # when we submit a form
-        content = request.form['content']
+        content = escape(request.form['content'])
        f = WordFreq(content)
        lst = f.get_freq()
        return render_template('userpage_post.html',username=username,lst = lst, yml=Yaml.yml)