From 828cef406ccc4996925359650312d3dc41625100 Mon Sep 17 00:00:00 2001
From: Lan Hui <1348141770@qq.com>
Date: Fri, 29 Jul 2022 15:22:42 +0800
Subject: [PATCH] Escape user input first

---
 app/main.py         | 3 ++-
 app/user_service.py | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/app/main.py b/app/main.py
index d903bf4..e311bb0 100644
--- a/app/main.py
+++ b/app/main.py
@@ -6,6 +6,7 @@
 # Written permission must be obtained from the author for commercial uses.
 ###########################################################################
 
+from flask import escape
 from Login import *
 from Article import *
 import Yaml
@@ -81,7 +82,7 @@ def mainpage():
     :return: 主界面
     '''
     if request.method == 'POST': # when we submit a form
-        content = request.form['content']
+        content = escape(request.form['content'])
         f = WordFreq(content)
         lst = f.get_freq()
         # save history
diff --git a/app/user_service.py b/app/user_service.py
index 5148a60..79c7888 100644
--- a/app/user_service.py
+++ b/app/user_service.py
@@ -115,7 +115,7 @@ def userpage(username):
     user_freq_record = path_prefix + 'static/frequency/' + 'frequency_%s.pickle' % (username)
     if request.method == 'POST': # when we submit a form
-        content = request.form['content']
+        content = escape(request.form['content'])
         f = WordFreq(content)
         lst = f.get_freq()
         return render_template('userpage_post.html',username=username,lst = lst, yml=Yaml.yml)
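Review bot: `from flask import escape` imports a name that Flask only re-exports from MarkupSafe; it was deprecated in Flask 2.3 and removed in Flask 3.0, so this import will fail on a dependency upgrade and the XSS mitigation would disappear with it. Import the function from its real home instead, `from markupsafe import escape`, which is already a hard dependency of Flask and behaves identically. A one-line comment such as `# markupsafe, not flask: flask.escape was removed in 3.0` would stop someone from reverting it.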
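Review bot: Escaping `request.form['content']` at input time is the wrong layer for XSS defence and changes the data the rest of `mainpage()` works on: `WordFreq` now counts the entities of the escaped text (a `<` becomes `&lt;`, so tokens like `lt`, `amp`, `gt` can appear or alter frequencies), and the "save history" path below stores the escaped form rather than what the user typed. Output escaping should be done where the value is rendered; Flask's `render_template` autoescapes `.html` templates by default, so if the output path is a Jinja template this change also double-escapes (`&amp;lt;`), and if the value is rendered without autoescaping the template is the place to fix. Note also that `escape()` returns a `markupsafe.Markup`, which Jinja treats as already-safe, so whether anything derived from `content` is still escaped at render depends on how `WordFreq` builds its tokens — worth confirming. Suggested shape: keep `content = request.form['content']` for counting and storage, and escape (or rely on autoescape) only in the template. `mainpage()` begins and ends outside this hunk.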
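Review bot: In `userpage()` the new line calls `escape(...)` but this hunk adds no import to app/user_service.py, and the diffstat shows only one insertion in that file; unless `escape` is already in scope there (e.g. via a star import) every POST to the user page will raise `NameError` at runtime rather than at import time, so please confirm and add `from markupsafe import escape` if not. The same layering concern as in main.py applies: the escaped string feeds `WordFreq`, so the frequency list reflects HTML entities rather than the submitted text, and `render_template('userpage_post.html', ...)` will autoescape `lst` again if the template is an autoescaped `.html` file. The intended fix is to pass the raw `content` into `WordFreq` and let the template escape on output. `userpage()` starts before this hunk; the `user_freq_record` pickle path built from `username` on the first context line is outside the change and not addressed here.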