1
0
Fork 0
forked from bton/matekasse

AHHH escape

This commit is contained in:
bton 2024-03-06 20:41:45 +01:00
parent ce009a278b
commit f691e7534d
2 changed files with 12 additions and 12 deletions

View file

@ -3,8 +3,8 @@ from flask import Flask, render_template, render_template_string, request, make_
from flask_socketio import SocketIO, join_room, leave_room from flask_socketio import SocketIO, join_room, leave_room
from flask_session import Session from flask_session import Session
from markupsafe import escape from markupsafe import escape
from .db import get_db from Website.db import get_db
import .db as db import Website.db as db
from datetime import datetime from datetime import datetime
finished = None finished = None
preis = 150 #Ein Getraenk preis = 150 #Ein Getraenk
@ -55,7 +55,7 @@ def create_app(test_config=None):
c = db.cursor() c = db.cursor()
c.execute("SELECT * FROM users") c.execute("SELECT * FROM users")
users = c.fetchall() users = c.fetchall()
return render_template("list.html", users=users, preis=preis/100) return render_template("list.html", users=escape(users), preis=escape(preis/100))
@app.route("/transactionlist") @app.route("/transactionlist")
def transactionlist(): def transactionlist():
@ -115,7 +115,7 @@ def create_app(test_config=None):
if user != None : if user != None :
c.execute(f"SELECT * FROM tags WHERE userid={user[0]}") c.execute(f"SELECT * FROM tags WHERE userid={user[0]}")
tags = c.fetchall() tags = c.fetchall()
return render_template("user.html", user=user, tags=tags) return render_template("user.html", user=escape(user), tags=escape(tags))
else: else:
return render_template("error.html", error_code="043") return render_template("error.html", error_code="043")
@ -135,7 +135,7 @@ def create_app(test_config=None):
user_name = user[1] user_name = user[1]
db.remove_user(user_id) db.remove_user(user_id)
socketio.emit("update", "update") socketio.emit("update", "update")
return render_template("removeuser.html", user_name=user_name) return render_template("removeuser.html", user_name=escape(user_name))
else: else:
return render_template("error.html", error_code="043") return render_template("error.html", error_code="043")
@ -185,7 +185,7 @@ def create_app(test_config=None):
session_id = uuid.uuid4() session_id = uuid.uuid4()
session[id] = session_id session[id] = session_id
user_queue.put([user_id, "add", session_id]) user_queue.put([user_id, "add", session_id])
return render_template("addtag.html", user=user_id) return render_template("addtag.html", user=escape(user_id))
@socketio.on('addtag') @socketio.on('addtag')
def request_addtag(data): def request_addtag(data):
@ -226,7 +226,7 @@ def create_app(test_config=None):
session_id = uuid.uuid4() session_id = uuid.uuid4()
session[id] = session_id session[id] = session_id
user_queue.put([user_id, "remove", session_id]) user_queue.put([user_id, "remove", session_id])
return render_template("removetag.html", user=user_id) return render_template("removetag.html", user=escape(user_id))
else: else:
db = get_db() db = get_db()
c = db.cursor() c = db.cursor()

View file

@ -23,14 +23,14 @@ def test_index(client):
#/adduser #/adduser
def test_adduser(client): def test_adduser(client):
response = client.get('/adduser/user') response = client.post('/adduser/user', data={})
assert "418" in response.data.decode('utf-8') assert "418" in response.data.decode('utf-8')
def test_adduser_new(app, client): def test_adduser_new(app, client):
with app.app_context(): with app.app_context():
db = get_db() db = get_db()
assert db is get_db() assert db is get_db()
response = client.get('/adduser/user?username=test') response = client.post('/adduser/user', data={user_name:"test"})
c = db.cursor() c = db.cursor()
c.execute("SELECT * FROM users WHERE username = ?", ["test"]) c.execute("SELECT * FROM users WHERE username = ?", ["test"])
data = c.fetchone() data = c.fetchone()
@ -40,7 +40,7 @@ def test_adduser_new(app, client):
assert data[2] == 0 assert data[2] == 0
def test_adduser_allreadyexists(client): def test_adduser_allreadyexists(client):
response = client.get('/adduser/user?username=test') response = client.post('/adduser/user', data={username:"test"})
assert "Error: 757" in response.data.decode('utf-8') assert "Error: 757" in response.data.decode('utf-8')
#/addtag #/addtag
@ -49,7 +49,7 @@ def test_addtag(client):
assert response.data.decode('utf-8') == "Error: 095" assert response.data.decode('utf-8') == "Error: 095"
def test_addtag_userid_nan(client): def test_addtag_userid_nan(client):
response = client.get('/addtag?id=test') response = client.post('/addtag', data={id:1})
assert response.data.decode('utf-8') == "Error: 095" assert response.data.decode('utf-8') == "Error: 095"
def test_add_tag_direktli(app): def test_add_tag_direktli(app):
@ -166,4 +166,4 @@ def test_sqlinjektion_adduser(app, client):
assert data[1] == i assert data[1] == i
assert data[2] == 0 assert data[2] == 0
assert "tag was sucsesfully added" in response.data.decode('utf-8') assert "tag was sucsesfully added" in response.data.decode('utf-8')
count += 1 count += 1