Compare commits

...

2 commits

Author SHA1 Message Date
3127e2de1f added escape 2024-03-06 21:31:00 +01:00
c86b91a246 removed escape 2024-03-06 21:27:12 +01:00
2 changed files with 18 additions and 18 deletions

View file

@ -2,7 +2,6 @@ import queue, time, uuid, json, logging, datetime, os
from flask import Flask, render_template, render_template_string, request, make_response, session, send_file, g from flask import Flask, render_template, render_template_string, request, make_response, session, send_file, g
from flask_socketio import SocketIO, join_room, leave_room from flask_socketio import SocketIO, join_room, leave_room
from flask_session import Session from flask_session import Session
from markupsafe import escape
from Website.db import get_db from Website.db import get_db
import Website.db as db import Website.db as db
from datetime import datetime from datetime import datetime
@ -64,7 +63,7 @@ def create_app(test_config=None):
c = db.cursor() c = db.cursor()
c.execute("SELECT * FROM users") c.execute("SELECT * FROM users")
users = c.fetchall() users = c.fetchall()
return render_template("list.html", users=escape(users), preis=escape(preis/100)) return render_template("list.html", user_name=users preis=(preis/100)
@app.route("/transactionlist") @app.route("/transactionlist")
def transactionlist(): def transactionlist():
@ -124,7 +123,7 @@ def create_app(test_config=None):
if user != None : if user != None :
c.execute(f"SELECT * FROM tags WHERE userid={user[0]}") c.execute(f"SELECT * FROM tags WHERE userid={user[0]}")
tags = c.fetchall() tags = c.fetchall()
return render_template("user.html", user=escape(user), tags=escape(tags)) return render_template("user.html", user=user, tags=tags)
else: else:
return render_template("error.html", error_code="043") return render_template("error.html", error_code="043")
@ -144,7 +143,7 @@ def create_app(test_config=None):
user_name = user[1] user_name = user[1]
db.remove_user(user_id) db.remove_user(user_id)
socketio.emit("update", "update") socketio.emit("update", "update")
return render_template("removeuser.html", user_name=escape(user_name)) return render_template("removeuser.html", user_name=user_name)
else: else:
return render_template("error.html", error_code="043") return render_template("error.html", error_code="043")
@ -235,7 +234,7 @@ def create_app(test_config=None):
session_id = uuid.uuid4() session_id = uuid.uuid4()
session[id] = session_id session[id] = session_id
user_queue.put([user_id, "remove", session_id]) user_queue.put([user_id, "remove", session_id])
return render_template("removetag.html", user=escape(user_id)) return render_template("removetag.html", user=user_id)
else: else:
db = get_db() db = get_db()
c = db.cursor() c = db.cursor()

View file

@ -1,4 +1,5 @@
from re import M from re import M
from markupsafe import escape
import sqlite3 import sqlite3
from datetime import datetime from datetime import datetime
import click import click
@ -13,44 +14,44 @@ def log(statement, user_id, before, after, change):
def add_user(after): def add_user(after):
db = get_db() db = get_db()
c = db.cursor() c = db.cursor()
c.execute("INSERT or IGNORE INTO users (username, balance) VALUES (?, 0)", [after]) c.execute("INSERT or IGNORE INTO users (username, balance) VALUES (?, 0)", [escape(after)])
user_id = c.lastrowid user_id = c.lastrowid
log("add_user", user_id=user_id, after=after) log("add_user", user_id=escape(user_id), after=escape(after))
db.commit() db.commit()
def remove_user(user_id): def remove_user(user_id):
db = get_db() db = get_db()
c = db.cursor() c = db.cursor()
c.execute("SELECT * FROM users WHERE id = ?", [user_id]) c.execute("SELECT * FROM users WHERE id = ?", [escape(user_id)])
user_name = c.fetchone()[1] user_name = c.fetchone()[1]
c.execute("SELECT * FROM tags WHERE userid = ?", [user_id]) c.execute("SELECT * FROM tags WHERE userid = ?", [escape(user_id)])
for tag in c.fetchall(): for tag in c.fetchall():
remove_tag(tag[0]) remove_tag(tag[0])
c.execute("DELETE FROM users WHERE id = ?", [user_id]) c.execute("DELETE FROM users WHERE id = ?", [escape(user_id)])
log("remove_user", user_id=user_id, before=user_name) log("remove_user", user_id=escape(user_id), before=escape(user_name))
db.commit() db.commit()
def add_tag(user_id, tag_id): def add_tag(user_id, tag_id):
db = get_db() db = get_db()
c = db.cursor() c = db.cursor()
c.execute("INSERT OR IGNORE INTO tags (tagid, userid) VALUES ?, ?)", [tag_id, user_id]) c.execute("INSERT OR IGNORE INTO tags (tagid, userid) VALUES ?, ?)", [escape(tag_id), escape(user_id)])
db.commit() db.commit()
log("addtag", after=tag_id, user_id=user_id) log("addtag", after=escape(tag_id), user_id=escape(user_id))
def remove_tag(tag_id): def remove_tag(tag_id):
db = get_db() db = get_db()
c = db.cursor() c = db.cursor()
c.execute("SELECT * FROM tags WHERE tagid = ?", [tag_id]) c.execute("SELECT * FROM tags WHERE tagid = ?", [escape(tag_id)])
user_id = c.fetchone()[1] user_id = c.fetchone()[1]
c.execute("DELETE FROM tags WHERE tagid = ?", [tag_id]) c.execute("DELETE FROM tags WHERE tagid = ?", [escape(tag_id)])
log("removetag", before=tag_id, user_id=user_id) log("removetag", before=escape(tag_id), user_id=escape(user_id))
db.commit() db.commit()
def change_balance(user_id, change): def change_balance(user_id, change):
db = get_db() db = get_db()
c = db.cursor() c = db.cursor()
c.execute("UPDATE users SET balance = balance + ? WHERE id=?", [change, user_id]) c.execute("UPDATE users SET balance = balance + ? WHERE id=?", [escape(change), escape(user_id)])
log("balance", user_id=user_id, change=change) log("balance", user_id=escape(user_id), change=escape(change))
db.commit() db.commit()
def get_db(): def get_db():