1
0
Fork 0
forked from bton/matekasse

AHHH escape

This commit is contained in:
bton 2024-03-06 20:41:45 +01:00
parent ce009a278b
commit f691e7534d
2 changed files with 12 additions and 12 deletions

View file

@ -3,8 +3,8 @@ from flask import Flask, render_template, render_template_string, request, make_
from flask_socketio import SocketIO, join_room, leave_room
from flask_session import Session
from markupsafe import escape
from .db import get_db
import .db as db
from Website.db import get_db
import Website.db as db
from datetime import datetime
finished = None
preis = 150 #Ein Getraenk
@ -55,7 +55,7 @@ def create_app(test_config=None):
c = db.cursor()
c.execute("SELECT * FROM users")
users = c.fetchall()
return render_template("list.html", users=users, preis=preis/100)
return render_template("list.html", users=escape(users), preis=escape(preis/100))
@app.route("/transactionlist")
def transactionlist():
@ -115,7 +115,7 @@ def create_app(test_config=None):
if user != None :
c.execute(f"SELECT * FROM tags WHERE userid={user[0]}")
tags = c.fetchall()
return render_template("user.html", user=user, tags=tags)
return render_template("user.html", user=escape(user), tags=escape(tags))
else:
return render_template("error.html", error_code="043")
@ -135,7 +135,7 @@ def create_app(test_config=None):
user_name = user[1]
db.remove_user(user_id)
socketio.emit("update", "update")
return render_template("removeuser.html", user_name=user_name)
return render_template("removeuser.html", user_name=escape(user_name))
else:
return render_template("error.html", error_code="043")
@ -185,7 +185,7 @@ def create_app(test_config=None):
session_id = uuid.uuid4()
session[id] = session_id
user_queue.put([user_id, "add", session_id])
return render_template("addtag.html", user=user_id)
return render_template("addtag.html", user=escape(user_id))
@socketio.on('addtag')
def request_addtag(data):
@ -226,7 +226,7 @@ def create_app(test_config=None):
session_id = uuid.uuid4()
session[id] = session_id
user_queue.put([user_id, "remove", session_id])
return render_template("removetag.html", user=user_id)
return render_template("removetag.html", user=escape(user_id))
else:
db = get_db()
c = db.cursor()

View file

@ -23,14 +23,14 @@ def test_index(client):
#/adduser
def test_adduser(client):
response = client.get('/adduser/user')
response = client.post('/adduser/user', data={})
assert "418" in response.data.decode('utf-8')
def test_adduser_new(app, client):
with app.app_context():
db = get_db()
assert db is get_db()
response = client.get('/adduser/user?username=test')
response = client.post('/adduser/user', data={user_name:"test"})
c = db.cursor()
c.execute("SELECT * FROM users WHERE username = ?", ["test"])
data = c.fetchone()
@ -40,7 +40,7 @@ def test_adduser_new(app, client):
assert data[2] == 0
def test_adduser_allreadyexists(client):
response = client.get('/adduser/user?username=test')
response = client.post('/adduser/user', data={username:"test"})
assert "Error: 757" in response.data.decode('utf-8')
#/addtag
@ -49,7 +49,7 @@ def test_addtag(client):
assert response.data.decode('utf-8') == "Error: 095"
def test_addtag_userid_nan(client):
response = client.get('/addtag?id=test')
response = client.post('/addtag', data={id:1})
assert response.data.decode('utf-8') == "Error: 095"
def test_add_tag_direktli(app):