From 5c3ebcfa29c45ebf67b5a205db002de0729cc9fa Mon Sep 17 00:00:00 2001
From: 2000-Trek <anton@postmitdermaus.de>
Date: Wed, 21 Jun 2023 22:30:35 +0200
Subject: [PATCH] fixed splite injektion

---
 main.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/main.py b/main.py
index e84489d..d9676bb 100644
--- a/main.py
+++ b/main.py
@@ -9,6 +9,7 @@ import sys
 import uuid
 import json
 import urllib.parse
+from markupsafe import escape
 
 db_path = 'mate.db'
 conn = sqlite3.connect(db_path, check_same_thread=False)
@@ -35,7 +36,7 @@ def exit_handler():
 #website
 @app.route("/")
 def index():
-    return '<a href="/list">user and tag list</a> <p>The creator of this website accepts no liability for any linguistic or technical errors!</p><br style="line-height: 500%;"></br><a href="/documentation">Doumentation</a>'
+    return '<a href="/list">user anfrom markupsafe import escaped tag list</a> <p>The creator of this website accepts no liability for any linguistic or technical errors!</p><br style="line-height: 500%;"></br><a href="/documentation">Doumentation</a>'
 
 @app.route("/list")
 def list():
@@ -44,7 +45,7 @@ def list():
     text = ""
     for i in users:
         username = urllib.parse.quote_plus(i[1])
-        text = text + f'<p><a href="list/user?user={username}">{username}</a>: {i[2]} <form action="/change" method="get"><input name="id" type="hidden" value="{i[0]}"> Change balance: <input name="change"><input type="submit"></form></p> <br style="line-height: 50%;"></br>'
+        text = text + f'<p><a href="list/user?user={username}">{escape(i[1])}</a>: {i[2]} <form action="/change" method="get"><input name="id" type="hidden" value="{i[0]}"> Change balance: <input name="change"><input type="submit"></form></p> <br style="line-height: 50%;"></br>'
     return '''<!DOCTYPE html>
         <html lang="en">
         <script src="https://cdnjs.cloudflare.com/ajax/libs/socket.io/4.0.1/socket.io.js" integrity="sha512-q/dWJ3kcmjBLU4Qc47E4A9kTB4m3wuTY7vkFJDTZKjTs8jhyGQnaUrxa0Ytd0ssMZhbNua9hE+E7Qv1j+DyZwA==" crossorigin="anonymous"></script>
@@ -78,7 +79,7 @@ def user_info():
             var socket = io();
         """ + 'socket.on("update", function(){ window.location="http://matekasse.server.c3h/list/user?user=' + username + '"});' + f"""
             </script>
-            <p> {user[1]} : {user[2]} <p>
+            <p> {escape(user[1])} : {user[2]} <p>
             <form action="/addtag" method="get"><input name="id" type="hidden" value="{user[0]}"><button type="submit">Add Tag</button></form>
             <form action="/removetag" method="get"><input name="id" type="hidden" value="{user[0]}"><button type="submit">Remove Tag</button></form>
             </p><form action="/change" method="get"><input name="id" type="hidden" value="{user[0]}"> Change balance: <input name="change"><input type="submit"></form>