changeset 49:6138c27d1950

Escape the player's name when printing it into HTML. Non-alphanumeric characters in names may eventually be possible.
author John "Elwin" Edwards
date Mon, 24 Mar 2014 16:01:28 -0700
parents 955c2fd68dcf
children 4549b3c0cd28
files py/rlgall.py web/archive.cgi web/scoring/players/index.cgi
diffstat 3 files changed, 20 insertions(+), 20 deletions(-) [+]
--- a/py/rlgall.py	Mon Mar 24 09:43:28 2014 -0700
+++ b/py/rlgall.py	Mon Mar 24 16:01:28 2014 -0700
@@ -7,6 +7,7 @@
 import psycopg2
 from datetime import datetime
 import pytz
+import html
 
 # Configuration
 logdir = "/var/dgl/var/games/roguelike/"
@@ -74,14 +75,10 @@
   except ValueError:
     return None
 
-def ttyreclink(text, name, game, gtime):
-  "Returns a link to the ttyrec archivist"
-  lstr = '<a href="/archive.cgi?name={0};game={1};time={2}">{3}</a>'
-  return lstr.format(name, game, gtime, text)
-
 def playerlink(name):
   "Returns a link to a player's page"
-  lstr = '<a href="/scoring/players/' + name + '.html">' + name + '</a>'
+  escname = html.escape(name)
+  lstr = '<a href="/scoring/players/' + escname + '.html">' + escname + '</a>'
   return lstr
 
 def linktoArchive(entry):
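Review bot: html.escape() is the right transform for the link text in playerlink but not for the `href`: it stops markup injection in the attribute yet does not percent-encode, so once names may contain `/`, `?`, `#`, `%` or spaces (the case the commit anticipates) the target `/scoring/players/<name>.html` stops pointing at the intended page. The path segment needs URL encoding, e.g. after `import urllib.parse` write `lstr = '<a href="/scoring/players/' + urllib.parse.quote(name, safe="") + '.html">' + escname + '</a>'` (quote() emits no `&<>"'`, so the attribute stays safe). The same point applies to the `name={0}` query value in linktoArchive in the following hunk (there `urllib.parse.quote_plus`) and to the `/ttyrecs/{0}/...` path segments in archive.cgi's result links; index.cgi's linkstr is defined outside its hunk, so whether its `{0}` also lands in an href cannot be judged here.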
@@ -89,7 +86,8 @@
   lstr = '<a href="/archive.cgi?name={0};game={1};time={2}">{3}</a>'
   linktext = entry["endt"].strftime("%Y/%m/%d %H:%M:%S")
   stamp = int(entry["endt"].timestamp())
-  return lstr.format(entry["name"], entry["game"].uname, stamp, linktext)
+  escname = html.escape(entry["name"])
+  return lstr.format(escname, entry["game"].uname, stamp, linktext)
 
 def maketablerow(cells, isheader=None):
   "Takes a list of strings and returns a HTML table row with each string \
@@ -525,16 +523,17 @@
   "Generate a player's HTML page"
   # Write the beginning of the page
   ppagefi = open(ppagename.format(pname), "w", encoding="utf-8")
-  ppagefi.write(phead.format(pname))
+  cleanpname = html.escape(pname)
+  ppagefi.write(phead.format(cleanpname))
   ppagefi.write(ptop)
-  ppagefi.write(navplayer.format(pname))
-  ppagefi.write(pti.format("Results for " + pname))
+  ppagefi.write(navplayer.format(cleanpname))
+  ppagefi.write(pti.format("Results for " + cleanpname))
   for game in gamelist:
     ppagefi.write(secthead.format(game.name))
     entries = game.getPlayer(pname)
     if not entries:
-      ppagefi.write("<div>" + pname + " has not yet completed an expedition\
-        in this dungeon.</div>\n")
+      ppagefi.write("<div>" + cleanpname + " has not yet completed an " +
+                    "expedition in this dungeon.</div>\n")
     else:
       entries.sort(key=lambda e: e["endt"])
       printTable(entries, game.pfields, ppagefi)
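Review bot: Escaping pname for the page body leaves the raw value in `open(ppagename.format(pname), "w", encoding="utf-8")`, which is where the non-alphanumeric names this commit prepares for matter most: a name containing a path separator or a `..` component would cause the page to be written outside the players directory. Reject or transform such names before the open, e.g. `if os.sep in pname or pname in ("", ".", ".."): raise ValueError("unsafe player name")`, or derive the filename from the same URL-encoded form that playerlink should use so the file and the href agree. The enclosing function starts before this hunk, so pname may already be constrained by the caller; if so, a comment at the open() call saying where that guarantee comes from would save the next reader the search. The handle is also opened without `with`; whether it is closed on every path is not visible in this hunk.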
--- a/web/archive.cgi	Mon Mar 24 09:43:28 2014 -0700
+++ b/web/archive.cgi	Mon Mar 24 16:01:28 2014 -0700
@@ -7,6 +7,7 @@
 import calendar
 from datetime import datetime
 import pytz
+import html
 import rlgall
 #import cgitb
 
@@ -36,7 +37,7 @@
 def input_name(outf, defaultval=None):
   defstr = '<div>Adventurer\'s name: <input type="text" name="name" value="{0}"></div>\n'
   if defaultval:
-    outf.write(defstr.format(defaultval))
+    outf.write(defstr.format(html.escape(defaultval)))
   else:
     outf.write('<div>Adventurer\'s Name: <input type="text" name="name"></div>\n')
   return
@@ -124,7 +125,7 @@
   try:
     os.stat(ttyrecbase + formname)
   except OSError:
-    errlist.append(cantfind.format(cgi.escape(formname)))
+    errlist.append(cantfind.format(html.escape(formname)))
     return None
   return formname
 
@@ -139,7 +140,7 @@
   for agame in rlgall.gamelist:
     if agame.uname == formgame:
       return agame
-  errlist.append(cantfind.format(cgi.escape(formgame)))
+  errlist.append(cantfind.format(html.escape(formgame)))
   return None
 
 def processtime(fdata, errlist, hlist):
@@ -156,7 +157,7 @@
     try:
       utime = int(formtime)
     except ValueError:
-      errlist.append(badtime.format(cgi.escape(formtime)))
+      errlist.append(badtime.format(html.escape(formtime)))
       return None
     else:
       if utime < 0:
@@ -261,7 +262,6 @@
   if lerrors:
     errlist.extend(lerrors)
     return None
-  #return calendar.timegm([year, month, day, hour, minute, second, 0, 0, 0])
   return datetime(year, month, day, hour, minute, second, 0, pytz.utc)
 
 # Begin processing
@@ -324,13 +324,13 @@
     sys.stdout.write("<p>No record found.</p>\n")
   elif len(gamefiles) == 1:
     sys.stdout.write('<p><a href="/ttyrecs/{0}/{1}/{2}">1 ttyrec found.</a>\
-        </p>\n'.format(formname, dungeon.uname, gamefiles[0]))
+        </p>\n'.format(html.escape(formname), dungeon.uname, gamefiles[0]))
   else:
     sys.stdout.write('<p>{0}-part ttyrec found.</p>\n'.format(len(gamefiles)))
     sys.stdout.write('<ul>\n')
     for i, afile in enumerate(gamefiles):
       sys.stdout.write('<li><a href="/ttyrecs/{0}/{1}/{2}">Section {3}</a>\
-          </li>\n'.format(formname, dungeon.uname, afile, i + 1))
+          </li>\n'.format(html.escape(formname), dungeon.uname, afile, i + 1))
     sys.stdout.write('</ul>\n')
 if isnotsearch:
   sys.stdout.write(infop)
--- a/web/scoring/players/index.cgi	Mon Mar 24 09:43:28 2014 -0700
+++ b/web/scoring/players/index.cgi	Mon Mar 24 16:01:28 2014 -0700
@@ -2,6 +2,7 @@
 
 import os
 import sys
+import html
 import rlgall
 
 playerdir = "/var/www/lighttpd/scoring/players/"
@@ -26,7 +27,7 @@
 else:
   sys.stdout.write("<ul>\n")
   for name in namelist:
-    sys.stdout.write(linkstr.format(name))
+    sys.stdout.write(linkstr.format(html.escape(name)))
   sys.stdout.write("</ul>\n")
 
 sys.stdout.write(rlgall.pend)