Changeset 447 for trunk/packages/sipb-xen-www/code/main.py

Timestamp:

Apr 22, 2008, 1:37:50 AM (16 years ago)

Author:

ecprice

Message:

Avoid html injection.

Cheetah is painful.

File:

• trunk/packages/sipb-xen-www/code/main.py (modified) (2 diffs)

trunk/packages/sipb-xen-www/code/main.py

@@ -12 +12 @@
 import sys
 import time
+import urllib
 from StringIO import StringIO
 
@@ -59 +60 @@
 checkpoint = Checkpoint()
 
+def jquote(string):
+    return "'" + string.replace('\\', '\\\\').replace("'", "\\'").replace('\n', '\\n') + "'"
 
 def helppopup(subj):
     """Return HTML code for a (?) link to a specified help topic"""
-    return ('<span class="helplink"><a href="help?subject=' + subj +
-            '&amp;simple=true" target="_blank" ' +
-            'onclick="return helppopup(\'' + subj + '\')">(?)</a></span>')
+    return ('<span class="helplink"><a href="help?' +
+            cgi.escape(urllib.urlencode(dict(subject=subj, simple='true')))
+            +'" target="_blank" ' +
+            'onclick="return helppopup(' + cgi.escape(jquote(subj)) + ')">(?)</a></span>')
 
 def makeErrorPre(old, addition):