Escape the player's name when printing it into HTML.

Non-alphanumeric characters in names may eventually be possible.
2014-03-24 16:01:28 -07:00 · 2014-03-24 16:01:28 -07:00 · d67561aa42
commit d67561aa42
parent 3d7abba670
3 changed files with 20 additions and 20 deletions
--- a/py/rlgall.py
+++ b/py/rlgall.py
@ -7,6 +7,7 @@ import os
 import psycopg2
 from datetime import datetime
 import pytz
+import html

 # Configuration
 logdir = "/var/dgl/var/games/roguelike/"
@ -74,14 +75,10 @@ def recnameToTS(filename):
  except ValueError:
    return None

-def ttyreclink(text, name, game, gtime):
-  "Returns a link to the ttyrec archivist"
-  lstr = '<a href="/archive.cgi?name={0};game={1};time={2}">{3}</a>'
-  return lstr.format(name, game, gtime, text)
-
 def playerlink(name):
  "Returns a link to a player's page"
-  lstr = '<a href="/scoring/players/' + name + '.html">' + name + '</a>'
+  escname = html.escape(name)
+  lstr = '<a href="/scoring/players/' + escname + '.html">' + escname + '</a>'
  return lstr

 def linktoArchive(entry):
@ -89,7 +86,8 @@ def linktoArchive(entry):
  lstr = '<a href="/archive.cgi?name={0};game={1};time={2}">{3}</a>'
  linktext = entry["endt"].strftime("%Y/%m/%d %H:%M:%S")
  stamp = int(entry["endt"].timestamp())
-  return lstr.format(entry["name"], entry["game"].uname, stamp, linktext)
+  escname = html.escape(entry["name"])
+  return lstr.format(escname, entry["game"].uname, stamp, linktext)

 def maketablerow(cells, isheader=None):
  "Takes a list of strings and returns a HTML table row with each string \
@ -525,16 +523,17 @@ def playerpage(pname):
  "Generate a player's HTML page"
  # Write the beginning of the page
  ppagefi = open(ppagename.format(pname), "w", encoding="utf-8")
-  ppagefi.write(phead.format(pname))
+  cleanpname = html.escape(pname)
+  ppagefi.write(phead.format(cleanpname))
  ppagefi.write(ptop)
-  ppagefi.write(navplayer.format(pname))
-  ppagefi.write(pti.format("Results for " + pname))
+  ppagefi.write(navplayer.format(cleanpname))
+  ppagefi.write(pti.format("Results for " + cleanpname))
  for game in gamelist:
    ppagefi.write(secthead.format(game.name))
    entries = game.getPlayer(pname)
    if not entries:
-      ppagefi.write("<div>" + pname + " has not yet completed an expedition\
-        in this dungeon.</div>\n")
+      ppagefi.write("<div>" + cleanpname + " has not yet completed an " +
+                    "expedition in this dungeon.</div>\n")
    else:
      entries.sort(key=lambda e: e["endt"])
      printTable(entries, game.pfields, ppagefi)