diff --git a/Website/__init__.py b/Website/__init__.py
index fce7d9f..daf6a1e 100644
--- a/Website/__init__.py
+++ b/Website/__init__.py
@@ -2,7 +2,6 @@ import queue, time, uuid, json, logging, datetime, os
 from flask import Flask, render_template, render_template_string, request, make_response, session, send_file, g
 from flask_socketio import SocketIO, join_room, leave_room
 from flask_session import Session
-from markupsafe import escape
 from Website.db import get_db
 import Website.db as db
 from datetime import datetime
@@ -64,7 +63,7 @@ def create_app(test_config=None):
 c = db.cursor()
 c.execute("SELECT * FROM users")
 users = c.fetchall()
- return render_template("list.html", users=escape(users), preis=escape(preis/100))
+ return render_template("list.html", user_name=users preis=(preis/100)
 @app.route("/transactionlist")
 def transactionlist():
@@ -124,7 +123,7 @@ def create_app(test_config=None):
 if user != None :
 c.execute(f"SELECT * FROM tags WHERE userid={user[0]}")
 tags = c.fetchall()
- return render_template("user.html", user=escape(user), tags=escape(tags))
+ return render_template("user.html", user=user, tags=tags)
 else:
 return render_template("error.html", error_code="043")
@@ -144,7 +143,7 @@ def create_app(test_config=None):
 user_name = user[1]
 db.remove_user(user_id)
 socketio.emit("update", "update")
- return render_template("removeuser.html", user_name=escape(user_name))
+ return render_template("removeuser.html", user_name=user_name)
 else:
 return render_template("error.html", error_code="043")
@@ -235,7 +234,7 @@ def create_app(test_config=None):
 session_id = uuid.uuid4()
 session[id] = session_id
 user_queue.put([user_id, "remove", session_id])
- return render_template("removetag.html", user=escape(user_id))
+ return render_template("removetag.html", user=user_id)
 else:
 db = get_db()
 c = db.cursor()
diff --git a/Website/db.py b/Website/db.py
index f586494..2cc908d 100644
--- a/Website/db.py
+++ b/Website/db.py
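Review bot: The new line `return render_template("list.html", user_name=users preis=(preis/100)` is a SyntaxError — the comma between the two keyword arguments and the closing parenthesis of the call are both missing — so the whole module fails to import. It should read `return render_template("list.html", user_name=users, preis=preis / 100)`; the keyword was also renamed from `users` to `user_name`, so `list.html` must reference the new name or the list renders empty. Dropping `escape()` here is fine on its own: Flask enables Jinja autoescaping for `.html` templates, and `escape()` on a list of rows escaped the list's string form rather than each field. The enclosing view function starts and ends outside the hunk.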
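Review bot: Removing `escape()` from `render_template("user.html", user=user, tags=tags)` is only safe because Flask autoescapes `.html` templates by default; that protection disappears wherever `user.html` renders these values with `|safe`, `Markup(...)` or inside an `{% autoescape false %}` block, so check the template before relying on it. The context line `c.execute(f"SELECT * FROM tags WHERE userid={user[0]}")` builds SQL with an f-string; `user[0]` is presumably an integer id from the preceding query, but the parameterised form `c.execute("SELECT * FROM tags WHERE userid = ?", [user[0]])` matches the rest of the codebase and stays safe if the row shape changes. The enclosing view starts and ends outside the hunk.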
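Review bot: In the context line `session[id] = session_id` the key is the builtin `id` function, not a string, so every request stores its uuid under the same function-object key and any session backend that serialises keys as JSON rejects it; `session["id"] = session_id` (or a key derived from `user_id`) is presumably what was intended — this is pre-existing, so confirm before changing it. The new line `return render_template("removetag.html", user=user_id)` is fine under Jinja autoescape. The enclosing view starts and ends outside the hunk.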
@@ -1,4 +1,5 @@
 from re import M
+from markupsafe import escape
 import sqlite3
 from datetime import datetime
 import click
@@ -13,44 +14,44 @@ def log(statement, user_id, before, after, change):
 def add_user(after):
 db = get_db()
 c = db.cursor()
- c.execute("INSERT or IGNORE INTO users (username, balance) VALUES (?, 0)", [after])
+ c.execute("INSERT or IGNORE INTO users (username, balance) VALUES (?, 0)", [escape(after)])
 user_id = c.lastrowid
- log("add_user", user_id=user_id, after=after)
+ log("add_user", user_id=escape(user_id), after=escape(after))
 db.commit()
 def remove_user(user_id):
 db = get_db()
 c = db.cursor()
- c.execute("SELECT * FROM users WHERE id = ?", [user_id])
+ c.execute("SELECT * FROM users WHERE id = ?", [escape(user_id)])
 user_name = c.fetchone()[1]
- c.execute("SELECT * FROM tags WHERE userid = ?", [user_id])
+ c.execute("SELECT * FROM tags WHERE userid = ?", [escape(user_id)])
 for tag in c.fetchall():
 remove_tag(tag[0])
- c.execute("DELETE FROM users WHERE id = ?", [user_id])
- log("remove_user", user_id=user_id, before=user_name)
+ c.execute("DELETE FROM users WHERE id = ?", [escape(user_id)])
+ log("remove_user", user_id=escape(user_id), before=escape(user_name))
 db.commit()
 def add_tag(user_id, tag_id):
 db = get_db()
 c = db.cursor()
- c.execute("INSERT OR IGNORE INTO tags (tagid, userid) VALUES ?, ?)", [tag_id, user_id])
+ c.execute("INSERT OR IGNORE INTO tags (tagid, userid) VALUES ?, ?)", [escape(tag_id), escape(user_id)])
 db.commit()
- log("addtag", after=tag_id, user_id=user_id)
+ log("addtag", after=escape(tag_id), user_id=escape(user_id))
 def remove_tag(tag_id):
 db = get_db()
 c = db.cursor()
- c.execute("SELECT * FROM tags WHERE tagid = ?", [tag_id])
+ c.execute("SELECT * FROM tags WHERE tagid = ?", [escape(tag_id)])
 user_id = c.fetchone()[1]
- c.execute("DELETE FROM tags WHERE tagid = ?", [tag_id])
- log("removetag", before=tag_id, user_id=user_id)
+ c.execute("DELETE FROM tags WHERE tagid = ?", [escape(tag_id)])
+ log("removetag", before=escape(tag_id), user_id=escape(user_id))
 db.commit()
 def change_balance(user_id, change):
 db = get_db()
 c = db.cursor()
- c.execute("UPDATE users SET balance = balance + ? WHERE id=?", [change, user_id])
- log("balance", user_id=user_id, change=change)
+ c.execute("UPDATE users SET balance = balance + ? WHERE id=?", [escape(change), escape(user_id)])
+ log("balance", user_id=escape(user_id), change=escape(change))
 db.commit()
 def get_db():
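Review bot: `escape()` is markupsafe's HTML escaper, and wrapping the SQL bind parameters in it adds no protection the `?` placeholders did not already provide; what it does instead is alter the stored data — a username such as `O'Brien` is inserted as `O&#39;Brien` and read back that way by every non-HTML consumer — and it turns the integer `user_id`, `tag_id` and `change` values into `Markup` strings, so `WHERE id = ?` and `balance = balance + ?` now bind TEXT and depend on SQLite's affinity conversion. Every `escape(...)` wrapper in this hunk should go, passing the values through unchanged, e.g. `c.execute("UPDATE users SET balance = balance + ? WHERE id=?", [change, user_id])` and `log("balance", user_id=user_id, change=change)`, with escaping left to Jinja's autoescaping at render time, which the `.html` templates already receive. While on these lines: the `add_tag` statement reads `VALUES ?, ?)` and is missing the opening parenthesis, so that insert fails with an SQL syntax error. The hunk header shows `log` taking five positional parameters while every call here passes only two or three keywords; if `log` has no defaults those calls raise TypeError — confirm against the definition, which sits above the hunk.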