From 3127e2de1f21dec0bf08013193380274adbf345f Mon Sep 17 00:00:00 2001
From: bton <anton@postmitdermaus.de>
Date: Wed, 6 Mar 2024 21:31:00 +0100
Subject: [PATCH] added escape

---
 Website/__init__.py |  1 -
 Website/db.py       | 27 ++++++++++++++-------------
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/Website/__init__.py b/Website/__init__.py
index 059668a..daf6a1e 100644
--- a/Website/__init__.py
+++ b/Website/__init__.py
@@ -2,7 +2,6 @@ import queue, time, uuid, json, logging, datetime, os
 from flask import Flask, render_template, render_template_string, request, make_response, session, send_file, g 
 from flask_socketio import SocketIO, join_room, leave_room 
 from flask_session import Session
-from markupsafe import escape
 from Website.db import get_db
 import Website.db as db
 from datetime import datetime
diff --git a/Website/db.py b/Website/db.py
index f586494..2cc908d 100644
--- a/Website/db.py
+++ b/Website/db.py
@@ -1,4 +1,5 @@
 from re import M
+from markupsafe import escape
 import sqlite3
 from datetime import datetime
 import click
@@ -13,44 +14,44 @@ def log(statement, user_id, before, after, change):
 def add_user(after):
     db = get_db()
     c = db.cursor()
-    c.execute("INSERT or IGNORE INTO users (username, balance) VALUES (?, 0)", [after])
+    c.execute("INSERT or IGNORE INTO users (username, balance) VALUES (?, 0)", [escape(after)])
     user_id = c.lastrowid
-    log("add_user", user_id=user_id, after=after)
+    log("add_user", user_id=escape(user_id), after=escape(after))
     db.commit()
 
 def remove_user(user_id):
     db = get_db()
     c = db.cursor()
-    c.execute("SELECT * FROM users WHERE id = ?", [user_id])
+    c.execute("SELECT * FROM users WHERE id = ?", [escape(user_id)])
     user_name = c.fetchone()[1]
-    c.execute("SELECT * FROM tags WHERE userid = ?", [user_id])
+    c.execute("SELECT * FROM tags WHERE userid = ?", [escape(user_id)])
     for tag in c.fetchall():
         remove_tag(tag[0])
-    c.execute("DELETE FROM users WHERE id = ?", [user_id])
-    log("remove_user", user_id=user_id, before=user_name)
+    c.execute("DELETE FROM users WHERE id = ?", [escape(user_id)])
+    log("remove_user", user_id=escape(user_id), before=escape(user_name))
     db.commit()
 
 def add_tag(user_id, tag_id):
     db = get_db()
     c = db.cursor()
-    c.execute("INSERT OR IGNORE INTO tags (tagid, userid) VALUES ?, ?)", [tag_id, user_id])
+    c.execute("INSERT OR IGNORE INTO tags (tagid, userid) VALUES ?, ?)", [escape(tag_id), escape(user_id)])
     db.commit()
-    log("addtag", after=tag_id, user_id=user_id)
+    log("addtag", after=escape(tag_id), user_id=escape(user_id))
 
 def remove_tag(tag_id):
     db = get_db()
     c = db.cursor()
-    c.execute("SELECT * FROM tags WHERE tagid = ?", [tag_id])
+    c.execute("SELECT * FROM tags WHERE tagid = ?", [escape(tag_id)])
     user_id = c.fetchone()[1]
-    c.execute("DELETE FROM tags WHERE tagid = ?", [tag_id])
-    log("removetag", before=tag_id, user_id=user_id)
+    c.execute("DELETE FROM tags WHERE tagid = ?", [escape(tag_id)])
+    log("removetag", before=escape(tag_id), user_id=escape(user_id))
     db.commit()
 
 def change_balance(user_id, change):
     db = get_db()
     c = db.cursor()
-    c.execute("UPDATE users SET balance = balance + ? WHERE id=?", [change, user_id])
-    log("balance", user_id=user_id, change=change)
+    c.execute("UPDATE users SET balance = balance + ? WHERE id=?", [escape(change), escape(user_id)])
+    log("balance", user_id=escape(user_id), change=escape(change))
     db.commit()
 
 def get_db():