Roguelike Gallery miscellaneous files: web/archive.cgi comparison

comparison web/archive.cgi @ 49:6138c27d1950

Escape the player's name when printing it into HTML. Non-alphanumeric characters in names may eventually be possible.

author	John "Elwin" Edwards
date	Mon, 24 Mar 2014 16:01:28 -0700
parents	86b616d88020
children

comparison

equal deleted inserted replaced

-:955c2fd68dcf
+:6138c27d1950
 import sys
 import time
 import calendar
 from datetime import datetime
 import pytz
+import html
 import rlgall
 #import cgitb
 #cgitb.enable()
 return
 def input_name(outf, defaultval=None):
 defstr = '<div>Adventurer\'s name: <input type="text" name="name" value="{0}"></div>\n'
 if defaultval:
-outf.write(defstr.format(defaultval))
+outf.write(defstr.format(html.escape(defaultval)))
 else:
 outf.write('<div>Adventurer\'s Name: <input type="text" name="name"></div>\n')
 return
 def input_time(outf, defaultval=None):
 # digging all over the filesystem.
 formname = fdata.getfirst("name").rpartition("/")[2]
 try:
 os.stat(ttyrecbase + formname)
 except OSError:
-errlist.append(cantfind.format(cgi.escape(formname)))
+errlist.append(cantfind.format(html.escape(formname)))
 return None
 return formname
 def processgame(fdata, errlist):
 "Takes a CGI data object and returns the game from rlgall.gamelist that \
 return None
 formgame = fdata.getfirst("game")
 for agame in rlgall.gamelist:
 if agame.uname == formgame:
 return agame
-errlist.append(cantfind.format(cgi.escape(formgame)))
+errlist.append(cantfind.format(html.escape(formgame)))
 return None
 def processtime(fdata, errlist, hlist):
 "Takes a CGI data object and converts to a datetime object by finding \
 fields called year, month, etc.  Any errors get appended to errlist.  \
 formtime = fdata.getfirst("time")
 if formtime:
 try:
 utime = int(formtime)
 except ValueError:
-errlist.append(badtime.format(cgi.escape(formtime)))
+errlist.append(badtime.format(html.escape(formtime)))
 return None
 else:
 if utime < 0:
 utime = 0
 if utime != None:
 else:
 hlist[5] = second
 if lerrors:
 errlist.extend(lerrors)
 return None
-#return calendar.timegm([year, month, day, hour, minute, second, 0, 0, 0])
 return datetime(year, month, day, hour, minute, second, 0, pytz.utc)
 # Begin processing
 fdata = cgi.FieldStorage()
 searchtime.strftime("%Y/%m/%d %H:%M:%S")))
 if not gamefiles:
 sys.stdout.write("<p>No record found.</p>\n")
 elif len(gamefiles) == 1:
 sys.stdout.write('<p><a href="/ttyrecs/{0}/{1}/{2}">1 ttyrec found.</a>\
-</p>\n'.format(formname, dungeon.uname, gamefiles[0]))
+</p>\n'.format(html.escape(formname), dungeon.uname, gamefiles[0]))
 else:
 sys.stdout.write('<p>{0}-part ttyrec found.</p>\n'.format(len(gamefiles)))
 sys.stdout.write('<ul>\n')
 for i, afile in enumerate(gamefiles):
 sys.stdout.write('<li><a href="/ttyrecs/{0}/{1}/{2}">Section {3}</a>\
-</li>\n'.format(formname, dungeon.uname, afile, i + 1))
+</li>\n'.format(html.escape(formname), dungeon.uname, afile, i + 1))
 sys.stdout.write('</ul>\n')
 if isnotsearch:
 sys.stdout.write(infop)
 else:
 # There was information, but not good enough, i.e. errors.

Mercurial > hg > rlgallery-misc

comparison web/archive.cgi @ 49:6138c27d1950