AHHH escape
parent
ce009a278b
commit
f691e7534d
2 changed files with 12 additions and 12 deletions
|
@ -3,8 +3,8 @@ from flask import Flask, render_template, render_template_string, request, make_
|
|||
from flask_socketio import SocketIO, join_room, leave_room
|
||||
from flask_session import Session
|
||||
from markupsafe import escape
|
||||
from .db import get_db
|
||||
import .db as db
|
||||
from Website.db import get_db
|
||||
import Website.db as db
|
||||
from datetime import datetime
|
||||
finished = None
|
||||
preis = 150 #Ein Getraenk
|
||||
|
@ -55,7 +55,7 @@ def create_app(test_config=None):
|
|||
c = db.cursor()
|
||||
c.execute("SELECT * FROM users")
|
||||
users = c.fetchall()
|
||||
return render_template("list.html", users=users, preis=preis/100)
|
||||
return render_template("list.html", users=escape(users), preis=escape(preis/100))
|
||||
|
||||
@app.route("/transactionlist")
|
||||
def transactionlist():
|
||||
|
@ -115,7 +115,7 @@ def create_app(test_config=None):
|
|||
if user != None :
|
||||
c.execute(f"SELECT * FROM tags WHERE userid={user[0]}")
|
||||
tags = c.fetchall()
|
||||
return render_template("user.html", user=user, tags=tags)
|
||||
return render_template("user.html", user=escape(user), tags=escape(tags))
|
||||
|
||||
else:
|
||||
return render_template("error.html", error_code="043")
|
||||
|
@ -135,7 +135,7 @@ def create_app(test_config=None):
|
|||
user_name = user[1]
|
||||
db.remove_user(user_id)
|
||||
socketio.emit("update", "update")
|
||||
return render_template("removeuser.html", user_name=user_name)
|
||||
return render_template("removeuser.html", user_name=escape(user_name))
|
||||
else:
|
||||
return render_template("error.html", error_code="043")
|
||||
|
||||
|
@ -185,7 +185,7 @@ def create_app(test_config=None):
|
|||
session_id = uuid.uuid4()
|
||||
session[id] = session_id
|
||||
user_queue.put([user_id, "add", session_id])
|
||||
return render_template("addtag.html", user=user_id)
|
||||
return render_template("addtag.html", user=escape(user_id))
|
||||
|
||||
@socketio.on('addtag')
|
||||
def request_addtag(data):
|
||||
|
@ -226,7 +226,7 @@ def create_app(test_config=None):
|
|||
session_id = uuid.uuid4()
|
||||
session[id] = session_id
|
||||
user_queue.put([user_id, "remove", session_id])
|
||||
return render_template("removetag.html", user=user_id)
|
||||
return render_template("removetag.html", user=escape(user_id))
|
||||
else:
|
||||
db = get_db()
|
||||
c = db.cursor()
|
||||
|
|
|
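Review bot: `escape(users)` on the changed `render_template("list.html", …)` line, and `escape(user)` / `escape(tags)` in the `/user` hunk, are applied to the row objects returned by `fetchall()` (a list of rows) and to a row tuple, not to strings; markupsafe's `escape()` converts a non-string argument with `str()` and returns one `Markup` string, so the template receives the repr of the whole collection instead of an iterable of rows, which will break any `{% for %}` over `users` or `tags`. Flask's `render_template` already autoescapes `.html` templates at output time, so these wrappers are both redundant for XSS and behaviour-changing; the same applies to `escape(preis/100)` and `escape(user_id)`, which merely turn a number into a `Markup` string. If escaping at the view layer is still wanted, apply it per string field (for example `[tuple(escape(v) if isinstance(v, str) else v for v in row) for row in users]`) rather than to the container. Separately, the context line `c.execute(f"SELECT * FROM tags WHERE userid={user[0]}")` in the same hunk still interpolates a value into SQL; the tests in this commit already use placeholders, so `c.execute("SELECT * FROM tags WHERE userid=?", (user[0],))` is the consistent form. The enclosing `create_app` body starts and continues outside these hunks.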
@ -23,14 +23,14 @@ def test_index(client):
|
|||
|
||||
#/adduser
|
||||
def test_adduser(client):
|
||||
response = client.get('/adduser/user')
|
||||
response = client.post('/adduser/user', data={})
|
||||
assert "418" in response.data.decode('utf-8')
|
||||
|
||||
def test_adduser_new(app, client):
|
||||
with app.app_context():
|
||||
db = get_db()
|
||||
assert db is get_db()
|
||||
response = client.get('/adduser/user?username=test')
|
||||
response = client.post('/adduser/user', data={user_name:"test"})
|
||||
c = db.cursor()
|
||||
c.execute("SELECT * FROM users WHERE username = ?", ["test"])
|
||||
data = c.fetchone()
|
||||
|
@ -40,7 +40,7 @@ def test_adduser_new(app, client):
|
|||
assert data[2] == 0
|
||||
|
||||
def test_adduser_allreadyexists(client):
|
||||
response = client.get('/adduser/user?username=test')
|
||||
response = client.post('/adduser/user', data={username:"test"})
|
||||
assert "Error: 757" in response.data.decode('utf-8')
|
||||
|
||||
#/addtag
|
||||
|
@ -49,7 +49,7 @@ def test_addtag(client):
|
|||
assert response.data.decode('utf-8') == "Error: 095"
|
||||
|
||||
def test_addtag_userid_nan(client):
|
||||
response = client.get('/addtag?id=test')
|
||||
response = client.post('/addtag', data={id:1})
|
||||
assert response.data.decode('utf-8') == "Error: 095"
|
||||
|
||||
def test_add_tag_direktli(app):
|
||||
|
@ -166,4 +166,4 @@ def test_sqlinjektion_adduser(app, client):
|
|||
assert data[1] == i
|
||||
assert data[2] == 0
|
||||
assert "tag was sucsesfully added" in response.data.decode('utf-8')
|
||||
count += 1
|
||||
count += 1
|
||||
|
|
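Review bot: The changed `client.post('/adduser/user', data={user_name:"test"})` line uses a bare name `user_name` as the dict key, which will raise `NameError` unless that name is defined somewhere in the test module; the next hunk's `data={username:"test"}` has the same problem with a different spelling, and `data={id:1}` silently uses the builtin `id` function as the key, so the view never receives the field. The keys should be string literals matching the form field the view reads, e.g. `data={"user_name": "test"}`, and the two adduser tests should agree on which spelling that is — which one is correct cannot be told from these hunks. The first test's `response = client.post('/adduser/user', data={})` sends no username at all, so the `"418"` assertion presumably exercises the missing-field branch; if so, a one-line comment saying that would make the intent clear. The `test_adduser_new` and `test_sqlinjektion_adduser` bodies continue outside the hunks shown.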