add html.escape() to content-negotiated HTML responses
Since error responses and namespace listings can be rendered as HTML, we should apply HTML escaping to the raw hatrac object URL paths that we embed in those responses.
karlcz committed Sep 19, 2023
1 parent 6161994 commit a745873
Showing 2 changed files with 12 additions and 4 deletions.
8 changes: 6 additions & 2 deletions hatrac/model/directory/pgsql.py
Expand Up @@ -42,6 +42,7 @@
import sys
import json
import urllib
import html
import binascii
import base64
import random
Expand Down Expand Up @@ -134,8 +135,11 @@ def negotiated_uri_list(parent, resources, metadata={}):
body = '\n'.join(uris) + '\n'
elif metadata['content-type'] == 'text/html':
body = "<!DOCTYPE html>\n<html>\n <h1>Index of {parent}</h1>\n{children}\n</html>".format(
parent=parent.asurl(),
children='<br/>\n'.join([' <a href="%s">%s</a>' % (uri, os.path.basename(uri)) for uri in uris])
parent=html.escape(parent.asurl()),
children='<br/>\n'.join([
' <a href="%s">%s</a>' % (html.escape(uri), html.escape(os.path.basename(uri)))
for uri in uris
])
)
else:
body = jsonWriter(uris) + b'\n'
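Review bot: `html.escape(uri)` makes the `href` value safe in the attribute context, but not in the URL context: `html.escape` leaves spaces, `?` and `#` untouched, so if `uris` can carry raw object names those links may break or resolve to a different resource than the one listed. If `asurl()` already percent-encodes the path this is moot, but that is not visible in the hunk; otherwise the href side should be `html.escape(urllib.parse.quote(uri, safe='/'))` (with `urllib.parse` imported explicitly) while the link text keeps `html.escape(os.path.basename(uri))`. The function body begins above the hunk, and the `def` line in the hunk header still carries a mutable default `metadata={}`, which is pre-existing but worth turning into `metadata=None` while touching this code. A one-line comment above the HTML branch, `# object names are caller-controlled: escape for both the attribute and text contexts`, would record why the escaping lives here.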
8 changes: 6 additions & 2 deletions hatrac/rest/core.py
Expand Up @@ -19,6 +19,7 @@
from datetime import timezone
import struct
import urllib
import html
import sys
import traceback
import hashlib
Expand Down Expand Up @@ -146,12 +147,15 @@ def get_description(self, environ=None, scope=None):
def get_body(self, environ=None, scope=None):
template = self.response_templates[self.content_type]
description = self.get_description()
return (template + '\n') % {
"code": self.code,
parts = {
"code": str(self.code),
"description": description,
"message": description, # for existing hatrac_config template feature
"title": self.title, # for our new generic templates
}
if self.content_type == 'text/html':
parts = { k: html.escape(v) for k, v in parts.items() }
return (template + '\n') % parts

def get_headers(self, environ=None, scope=None):
return self.headers
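Review bot: The new escaping in `get_body` is gated on `self.content_type == 'text/html'` exactly, so any other entry in `response_templates` still gets `description` and `title` substituted raw; if a JSON template (or a site-supplied `hatrac_config` template) is among them, a description containing `"` or a newline yields malformed output, and this commit does not address that. The escaper should be chosen per template type the same way the template itself is looked up on the first line — `html.escape` for `text/html`, `json.dumps`-based quoting for JSON, identity for plain text — rather than special-casing HTML. Note also that `html.escape` raises `TypeError` if `title` or `description` is ever `None`, which the previous `%` formatting tolerated; `html.escape(str(v))` in the comprehension keeps that tolerance. Style nit: `{ k: html.escape(v) for k, v in parts.items() }` carries spaces just inside the braces, which PEP 8 drops.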
