Merge pull request 'Hui-EscapeUserInput' (#53) from Hui-EscapeUserInput into master

Reviewed-on: http://121.4.94.30:3000/mrlan/EnglishPal/pulls/53
2022-07-29 16:20:01 +08:00 · 2022-07-29 16:20:01 +08:00 · 7663dfb8f4
parent 2c1bc98833 0098fa8746
commit 7663dfb8f4
3 changed files with 5 additions and 4 deletions
--- a/app/main.py
+++ b/app/main.py
@ -6,6 +6,7 @@
 # Written permission must be obtained from the author for commercial uses.
 ###########################################################################
 from flask import escape
 from Login import *
 from Article import *
 import Yaml
@ -81,7 +82,7 @@ def mainpage():
    :return: 主界面
    '''
    if request.method == 'POST':  # when we submit a form
-        content = request.form['content']
+        content = escape(request.form['content'])
        f = WordFreq(content)
        lst = f.get_freq()
        # save history
--- a/app/templates/userpage_post.html
+++ b/app/templates/userpage_post.html
@ -30,7 +30,7 @@
            :
            <a href='http://youdao.com/w/eng/{{word}}/#keyfrom=dict2.index' title={{word}}>{{word}}</a>
            ({{x[1]}})
-            <input type="checkbox" name="marked" value={{word}}>
+            <input type="checkbox" name="marked" value="{{word}}">
        </p>
       {% endfor %}
--- a/app/user_service.py
+++ b/app/user_service.py
@ -115,7 +115,7 @@ def userpage(username):
    user_freq_record = path_prefix + 'static/frequency/' + 'frequency_%s.pickle' % (username)
    if request.method == 'POST':  # when we submit a form
-        content = request.form['content']
+        content = escape(request.form['content'])
        f = WordFreq(content)
        lst = f.get_freq()
        return render_template('userpage_post.html',username=username,lst = lst, yml=Yaml.yml)