diff web/archive.cgi @ 49:6138c27d1950
Escape the player's name when printing it into HTML.
Non-alphanumeric characters in names may eventually be possible.
author | John "Elwin" Edwards |
date | Mon, 24 Mar 2014 16:01:28 -0700 |
parents | 86b616d88020 |
children |
--- a/web/archive.cgi Mon Mar 24 09:43:28 2014 -0700
+++ b/web/archive.cgi Mon Mar 24 16:01:28 2014 -0700
@@ -7,6 +7,7 @@
 import calendar
 from datetime import datetime
 import pytz
+import html
 import rlgall
 #import cgitb
@@ -36,7 +37,7 @@
 def input_name(outf, defaultval=None):
 defstr = '<div>Adventurer\'s name: <input type="text" name="name" value="{0}"></div>\n'
 if defaultval:
- outf.write(defstr.format(defaultval))
+ outf.write(defstr.format(html.escape(defaultval)))
 else:
 outf.write('<div>Adventurer\'s Name: <input type="text" name="name"></div>\n')
 return
@@ -124,7 +125,7 @@
 try:
 os.stat(ttyrecbase + formname)
 except OSError:
- errlist.append(cantfind.format(cgi.escape(formname)))
+ errlist.append(cantfind.format(html.escape(formname)))
 return None
 return formname
@@ -139,7 +140,7 @@
 for agame in rlgall.gamelist:
 if agame.uname == formgame:
 return agame
- errlist.append(cantfind.format(cgi.escape(formgame)))
+ errlist.append(cantfind.format(html.escape(formgame)))
 return None
 def processtime(fdata, errlist, hlist):
@@ -156,7 +157,7 @@
 try:
 utime = int(formtime)
 except ValueError:
- errlist.append(badtime.format(cgi.escape(formtime)))
+ errlist.append(badtime.format(html.escape(formtime)))
 return None
 else:
 if utime < 0:
@@ -261,7 +262,6 @@
 if lerrors:
 errlist.extend(lerrors)
 return None
- #return calendar.timegm([year, month, day, hour, minute, second, 0, 0, 0])
 return datetime(year, month, day, hour, minute, second, 0, pytz.utc)
 # Begin processing
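Review bot: In the @@ -124 hunk the new escaping only hardens the error message; the `os.stat(ttyrecbase + formname)` two lines above still joins the raw form value straight into a filesystem path. The function's head is outside this hunk, so formname may already be restricted upstream, but the commit description anticipates non-alphanumeric names, and once a separator or `..` can appear the lookup is no longer confined to ttyrecbase. A guard before the stat, e.g. `if not formname or os.sep in formname or formname in ('.', '..'):` that appends to errlist and returns None, keeps the check inside the directory; alternatively resolve with `os.path.realpath` and reject a result that does not start with ttyrecbase. The same formname is later interpolated into links in the @@ -324 hunk, which has its own note.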
@@ -324,13 +324,13 @@
 sys.stdout.write("<p>No record found.</p>\n")
 elif len(gamefiles) == 1:
 sys.stdout.write('<p><a href="/ttyrecs/{0}/{1}/{2}">1 ttyrec found.</a>\
- </p>\n'.format(formname, dungeon.uname, gamefiles[0]))
+ </p>\n'.format(html.escape(formname), dungeon.uname, gamefiles[0]))
 else:
 sys.stdout.write('<p>{0}-part ttyrec found.</p>\n'.format(len(gamefiles)))
 sys.stdout.write('<ul>\n')
 for i, afile in enumerate(gamefiles):
 sys.stdout.write('<li><a href="/ttyrecs/{0}/{1}/{2}">Section {3}</a>\
- </li>\n'.format(formname, dungeon.uname, afile, i + 1))
+ </li>\n'.format(html.escape(formname), dungeon.uname, afile, i + 1))
 sys.stdout.write('</ul>\n')
 if isnotsearch:
 sys.stdout.write(infop)
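Review bot: html.escape(formname) is the right encoding for the attribute context, but in both href lines of this hunk the value is also a URL path segment, and html.escape leaves `/`, `?`, `#`, `%` and spaces untouched, so a name containing any of them would make the link resolve somewhere other than the intended ttyrec directory or not at all. Percent-encoding the segment first and HTML-escaping the result covers both contexts: compute `safe_name = html.escape(urllib.parse.quote(formname, safe=''))` once before the `elif` and use `safe_name` in place of `html.escape(formname)` in both `.format` calls, with `import urllib.parse` added next to the new `import html`. dungeon.uname and the gamefiles entries are interpolated raw; presumably they come from rlgall.gamelist and a directory listing rather than the request, which would be fine, but that is worth confirming. The if/elif chain this hunk belongs to starts before line 324, outside the hunk.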