diff options
| author | Jeff Hemphill <jthemphill@gmail.com> | 2013-10-16 20:55:41 -0700 |
|---|---|---|
| committer | Jeff Hemphill <jthemphill@gmail.com> | 2013-10-16 20:55:41 -0700 |
| commit | 592ec0178d25767859523c1ac221c6f3cb303875 (patch) | |
| tree | cef2dd60ec9bcc4e03d76362b0b69d18e3606f60 /docs/tutorials/wiki2/src/views | |
| parent | 1034327081839902e691236f60b2a85f74bbc4e3 (diff) | |
| download | pyramid-592ec0178d25767859523c1ac221c6f3cb303875.tar.gz pyramid-592ec0178d25767859523c1ac221c6f3cb303875.tar.bz2 pyramid-592ec0178d25767859523c1ac221c6f3cb303875.zip | |
Add HTML escaping to views.py
At least it's less obviously dangerous this way.
Diffstat (limited to 'docs/tutorials/wiki2/src/views')
| -rw-r--r-- | docs/tutorials/wiki2/src/views/tutorial/views.py | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/docs/tutorials/wiki2/src/views/tutorial/views.py b/docs/tutorials/wiki2/src/views/tutorial/views.py index 5a9c75a61..d54b2a7aa 100644 --- a/docs/tutorials/wiki2/src/views/tutorial/views.py +++ b/docs/tutorials/wiki2/src/views/tutorial/views.py @@ -1,3 +1,4 @@ +import cgi import re from docutils.core import publish_parts @@ -32,10 +33,10 @@ def view_page(request): exists = DBSession.query(Page).filter_by(name=word).all() if exists: view_url = request.route_url('view_page', pagename=word) - return '<a href="%s">%s</a>' % (view_url, word) + return '<a href="%s">%s</a>' % (view_url, cgi.escape(word)) else: add_url = request.route_url('add_page', pagename=word) - return '<a href="%s">%s</a>' % (add_url, word) + return '<a href="%s">%s</a>' % (add_url, cgi.escape(word)) content = publish_parts(page.data, writer_name='html')['html_body'] content = wikiwords.sub(check, content) |