Fix: no-random secret key generation and XSS vulnerability
parent
708a6a2821
commit
f01c334827
|
@ -56,6 +56,7 @@ def article():
|
|||
|
||||
_articles = get_page_articles(_cur_page, _page_size)
|
||||
for article in _articles: # 获取每篇文章的title
|
||||
article = escape(article)
|
||||
article.title = article.text.split("\n")[0]
|
||||
article.content = '<br/>'.join(article.text.split("\n")[1:])
|
||||
|
||||
|
|
13
app/main.py
13
app/main.py
|
@ -12,8 +12,10 @@ import Yaml
|
|||
from user_service import userService
|
||||
from account_service import accountService
|
||||
from admin_service import adminService, ADMIN_NAME
|
||||
import os
|
||||
|
||||
app = Flask(__name__)
|
||||
app.secret_key = 'lunch.time!'
|
||||
app.secret_key = os.urandom(32)
|
||||
|
||||
# 将蓝图注册到Lab app
|
||||
app.register_blueprint(userService)
|
||||
|
@ -54,6 +56,15 @@ def appears_in_test(word, d):
|
|||
else:
|
||||
return ','.join(d[word])
|
||||
|
||||
@app.before_request
|
||||
def restrict_file_access():
|
||||
'''
|
||||
禁止直接访问/static下的数据库文件
|
||||
'''
|
||||
requested_path = request.path
|
||||
normalized_path = os.path.normpath(requested_path)
|
||||
if normalized_path.startswith('/static/') and normalized_path.endswith('wordfreqapp.db'):
|
||||
return abort(403)
|
||||
|
||||
@app.route("/mark", methods=['GET', 'POST'])
|
||||
def mark_word():
|
||||
|
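Review bot: `app.secret_key = os.urandom(32)` draws a fresh key on every process start, so every signed session cookie is invalidated on each restart and, under a multi-worker server, a cookie signed by one worker fails verification in another because each worker generates its own key. Read the key from the environment and keep the random value only as a development fallback, e.g. `app.secret_key = os.environ.get('SECRET_KEY') or os.urandom(32)`, with a comment stating that production deployments must set SECRET_KEY to a persistent value shared by all workers. The hardcoded `'lunch.time!'` this replaces remains in the repository history, so any deployment that ran with it should be treated as having had its session-signing key exposed and existing sessions should be considered forgeable until rotated.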
|