Browse Source

sanitized css files using bleach

current_wdka_release
crunk 3 years ago
parent
commit
d5369bc142
  1. 2
      requirements.txt
  2. 3
      setup.py
  3. 3
      src/.gitignore
  4. 16
      verse/editor.py
  5. 2
      verse/forms/editorform.py
  6. 1
      verse/upload.py

2
requirements.txt

@ -5,7 +5,6 @@ black==21.11b1
blinker==1.4 blinker==1.4
cffi==1.15.0 cffi==1.15.0
click==8.0.3 click==8.0.3
-e git+https://git.vvvvvvaria.org/crunk/distribusi-verse.git@1a50898d216ae95c3eb9c144bb7ec678e638daa6#egg=distribusi
dnspython==2.1.0 dnspython==2.1.0
email-validator==1.1.3 email-validator==1.1.3
Flask==2.0.2 Flask==2.0.2
@ -40,3 +39,4 @@ tomli==1.2.2
typing-extensions==4.0.1 typing-extensions==4.0.1
Werkzeug==2.0.2 Werkzeug==2.0.2
WTForms==3.0.0 WTForms==3.0.0
-e git+https://git.vvvvvvaria.org/crunk/distribusi-verse.git@1a50898d216ae95c3eb9c144bb7ec678e638daa6#egg=distribusi

3
setup.py

@ -0,0 +1,3 @@
from setuptools import setup, find_packages
setup(name='library', version='1.0', packages=find_packages())

3
src/.gitignore

@ -0,0 +1,3 @@
*
*/
!.gitignore

16
verse/editor.py

@ -1,5 +1,7 @@
import os import os
from flask import render_template from flask import render_template
import bleach
from werkzeug.utils import secure_filename
from sqlalchemy.exc import ( from sqlalchemy.exc import (
DataError, DataError,
DatabaseError, DatabaseError,
@ -54,16 +56,22 @@ def SaveUploadCssFile(editorform, newcssfolder):
if not os.path.exists(newcssfolder): if not os.path.exists(newcssfolder):
os.mkdir(newcssfolder) os.mkdir(newcssfolder)
cssfile = editorform.cssfile.data cssfile = editorform.cssfile.data
cssfile.save(os.path.join(newcssfolder, editorform.cssname.data)) cssfilename = f"{secure_filename(editorform.cssname.data)}.css"
cssfile.save(os.path.join(newcssfolder, cssfilename))
openfile = open(os.path.join(newcssfolder, cssfilename), 'r+')
cleancss = bleach.clean(openfile.read())
openfile.write(cleancss)
openfile.close
def WriteCssToFile(editorform, newcssfolder): def WriteCssToFile(editorform, newcssfolder):
if not os.path.exists(newcssfolder): if not os.path.exists(newcssfolder):
os.mkdir(newcssfolder) os.mkdir(newcssfolder)
cssfilename = "{}.css".format(editorform.cssname.data) cssfilename = f"{secure_filename(editorform.cssname.data)}.css"
cleancss = bleach.clean(editorform.css.data)
with open(os.path.join(newcssfolder, cssfilename), "w") as cssfile: with open(os.path.join(newcssfolder, cssfilename), "w") as cssfile:
cssfile.write(editorform.css.data) cssfile.write(cleancss)
cssfile.close cssfile.close
@ -72,7 +80,7 @@ def MakePublicTheme(editorform, current_distribusi):
distribusi = Distribusis.query.filter_by( distribusi = Distribusis.query.filter_by(
distribusiname=current_distribusi distribusiname=current_distribusi
).first() ).first()
distribusi.publictheme = editorform.cssname.data distribusi.publictheme = secure_filename(editorform.cssname.data)
db.session.commit() db.session.commit()
except InvalidRequestError: except InvalidRequestError:

2
verse/forms/editorform.py

@ -25,7 +25,7 @@ class EditorForm(FlaskForm):
FileAllowed(["css"], "css files only!"), FileAllowed(["css"], "css files only!"),
FileSize( FileSize(
max_size=10485760, max_size=10485760,
message="Zipfile size must be smaller than 100MB", message="css file size must be smaller than 10MB",
), ),
], ],
) )

1
verse/upload.py

@ -73,6 +73,7 @@ def UploadUpdatedFiles(uploadfolder):
distribusi.course = uploadform.course.data distribusi.course = uploadform.course.data
distribusi.year = uploadform.academicyear.data distribusi.year = uploadform.academicyear.data
distribusi.tags = uploadform.tags.data distribusi.tags = uploadform.tags.data
distribusi.visible = False
db.session.commit() db.session.commit()
except (InvalidRequestError, DataError, InterfaceError, DatabaseError): except (InvalidRequestError, DataError, InterfaceError, DatabaseError):
db.session.rollback() db.session.rollback()

Loading…
Cancel
Save