AHHH escape

2024-03-06 20:41:45 +01:00 · 2024-03-06 20:41:45 +01:00 · f691e7534d
commit f691e7534d
parent ce009a278b
2 changed files with 12 additions and 12 deletions
--- a/Website/init.py
+++ b/Website/init.py
@ -3,8 +3,8 @@ from flask import Flask, render_template, render_template_string, request, make_
 from flask_socketio import SocketIO, join_room, leave_room 
 from flask_session import Session
 from markupsafe import escape
-from .db import get_db
-import .db as db
+from Website.db import get_db
+import Website.db as db
 from datetime import datetime
 finished = None
 preis = 150 #Ein Getraenk
@ -55,7 +55,7 @@ def create_app(test_config=None):
        c = db.cursor()
        c.execute("SELECT * FROM users")   
        users = c.fetchall()
-        return render_template("list.html", users=users, preis=preis/100)
+        return render_template("list.html", users=escape(users), preis=escape(preis/100))

    @app.route("/transactionlist")
    def transactionlist():
@ -115,7 +115,7 @@ def create_app(test_config=None):
        if user != None :
            c.execute(f"SELECT * FROM tags WHERE userid={user[0]}")
            tags = c.fetchall()
-            return render_template("user.html",  user=user, tags=tags)
+            return render_template("user.html",  user=escape(user), tags=escape(tags))
            
        else:
            return render_template("error.html", error_code="043")
@ -135,7 +135,7 @@ def create_app(test_config=None):
            user_name = user[1]
            db.remove_user(user_id)
            socketio.emit("update", "update")
-            return render_template("removeuser.html", user_name=user_name)
+            return render_template("removeuser.html", user_name=escape(user_name))
        else:
            return render_template("error.html", error_code="043")

@ -185,7 +185,7 @@ def create_app(test_config=None):
        session_id = uuid.uuid4()
        session[id] = session_id
        user_queue.put([user_id, "add", session_id])
-        return render_template("addtag.html", user=user_id)
+        return render_template("addtag.html", user=escape(user_id))
    
    @socketio.on('addtag')
    def request_addtag(data):
@ -226,7 +226,7 @@ def create_app(test_config=None):
            session_id = uuid.uuid4()
            session[id] = session_id
            user_queue.put([user_id, "remove", session_id])
-            return render_template("removetag.html", user=user_id)
+            return render_template("removetag.html", user=escape(user_id))
        else:
            db = get_db()
            c = db.cursor()