diff web/scoring/players/index.cgi @ 49:6138c27d1950

Escape the player's name when printing it into HTML. Non-alphanumeric characters in names may eventually be possible.
author John "Elwin" Edwards
date Mon, 24 Mar 2014 16:01:28 -0700
parents 25843238434a
children
--- a/web/scoring/players/index.cgi	Mon Mar 24 09:43:28 2014 -0700
+++ b/web/scoring/players/index.cgi	Mon Mar 24 16:01:28 2014 -0700
@@ -2,6 +2,7 @@
 
 import os
 import sys
+import html
 import rlgall
 
 playerdir = "/var/www/lighttpd/scoring/players/"
@@ -26,7 +27,7 @@
 else:
   sys.stdout.write("<ul>\n")
   for name in namelist:
-    sys.stdout.write(linkstr.format(name))
+    sys.stdout.write(linkstr.format(html.escape(name)))
   sys.stdout.write("</ul>\n")
 
 sys.stdout.write(rlgall.pend)
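Review bot: `html.escape(name)` on the added line 25 is the right call for the HTML text and attribute contexts (the default `quote=True` also escapes `"` and `'`), but if `linkstr`, which is defined above this hunk, also substitutes the name into the `href` path, that component still needs URL encoding, since HTML escaping leaves `/`, `?`, `#` and spaces untouched and a name containing them would yield a malformed or redirected link. If `linkstr` reuses one `{}` placeholder for both, give it two, e.g. `linkstr.format(urllib.parse.quote(name, safe=""), html.escape(name))` with a matching `import urllib.parse`, so each context gets its own encoding. This also presumes a Python 3 interpreter; the `html` module has no `escape` in Python 2, where the new import would fail at startup. The loop sits at script top level, which begins before the hunk, so I cannot see how `namelist` is populated; if it comes from a directory listing, the encoding still belongs here rather than at the source.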