diff py/rlgall.py @ 49:6138c27d1950
Escape the player's name when printing it into HTML.
Non-alphanumeric characters in names may eventually be possible.
author | John "Elwin" Edwards |
---|---|
date | Mon, 24 Mar 2014 16:01:28 -0700 |
parents | 0f4163dbbafc |
children | 4549b3c0cd28 |
--- a/py/rlgall.py Mon Mar 24 09:43:28 2014 -0700 +++ b/py/rlgall.py Mon Mar 24 16:01:28 2014 -0700 @@ -7,6 +7,7 @@ import psycopg2 from datetime import datetime import pytz +import html # Configuration logdir = "/var/dgl/var/games/roguelike/" @@ -74,14 +75,10 @@ except ValueError: return None -def ttyreclink(text, name, game, gtime): - "Returns a link to the ttyrec archivist" - lstr = '<a href="/archive.cgi?name={0};game={1};time={2}">{3}</a>' - return lstr.format(name, game, gtime, text) - def playerlink(name): "Returns a link to a player's page" - lstr = '<a href="/scoring/players/' + name + '.html">' + name + '</a>' + escname = html.escape(name) + lstr = '<a href="/scoring/players/' + escname + '.html">' + escname + '</a>' return lstr def linktoArchive(entry): @@ -89,7 +86,8 @@ lstr = '<a href="/archive.cgi?name={0};game={1};time={2}">{3}</a>' linktext = entry["endt"].strftime("%Y/%m/%d %H:%M:%S") stamp = int(entry["endt"].timestamp()) - return lstr.format(entry["name"], entry["game"].uname, stamp, linktext) + escname = html.escape(entry["name"]) + return lstr.format(escname, entry["game"].uname, stamp, linktext) def maketablerow(cells, isheader=None): "Takes a list of strings and returns a HTML table row with each string \ 
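Review bot: In `playerlink`, and again in `linktoArchive`, the name is HTML-escaped but then placed inside a URL (the path in `/scoring/players/….html`, the `name=` value in `/archive.cgi?…`), and `html.escape` leaves URL-significant characters such as `/`, `?`, `#`, `;` and `%` untouched. Once non-alphanumeric names are allowed, such a name would yield a link that resolves to a different path or carries extra query parameters. Percent-encode first and HTML-escape the result for the attribute, e.g. `urlname = html.escape(urllib.parse.quote(name, safe=""))` (with `import urllib.parse` next to the new `import html`), and keep `html.escape(name)` only for the visible link text. `entry["game"].uname` is also formatted in unescaped; that is fine only if it is always a fixed internal identifier, which this hunk does not show.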
@@ -525,16 +523,17 @@ "Generate a player's HTML page" # Write the beginning of the page ppagefi = open(ppagename.format(pname), "w", encoding="utf-8") - ppagefi.write(phead.format(pname)) + cleanpname = html.escape(pname) + ppagefi.write(phead.format(cleanpname)) ppagefi.write(ptop) - ppagefi.write(navplayer.format(pname)) - ppagefi.write(pti.format("Results for " + pname)) + ppagefi.write(navplayer.format(cleanpname)) + ppagefi.write(pti.format("Results for " + cleanpname)) for game in gamelist: ppagefi.write(secthead.format(game.name)) entries = game.getPlayer(pname) if not entries: - ppagefi.write("<div>" + pname + " has not yet completed an expedition\ - in this dungeon.</div>\n") + ppagefi.write("<div>" + cleanpname + " has not yet completed an " + + "expedition in this dungeon.</div>\n") else: entries.sort(key=lambda e: e["endt"]) printTable(entries, game.pfields, ppagefi)
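Review bot: The output path on the `open(ppagename.format(pname), "w", encoding="utf-8")` line is still built from the raw `pname`, so the escaping added here protects the page contents but not the file name. If names can later contain `/` or be `..`, the write could land outside the intended players directory, depending on what `ppagename` looks like (not visible in this hunk). A guard before the open, such as `if pname in (".", "..") or "/" in pname: raise ValueError("unsafe player name")`, or an allow-list check at the point where names are accepted, would close that. Keeping `game.getPlayer(pname)` on the unescaped name is correct; a short comment saying so (`# raw name for the lookup, cleanpname only for HTML output`) would stop someone "fixing" it later. The function's `def` line and the rest of its body are outside the hunk.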