Escape the player's name when printing it into HTML.
Non-alphanumeric characters in names may eventually be possible.
This commit is contained in:
John "Elwin" Edwards
parent
3d7abba670
commit
d67561aa42
3 changed files with 20 additions and 20 deletions
|
|
@ -7,6 +7,7 @@ import time
|
|||
import calendar
|
||||
from datetime import datetime
|
||||
import pytz
|
||||
import html
|
||||
import rlgall
|
||||
#import cgitb
|
||||
|
||||
|
|
@ -36,7 +37,7 @@ def input_game(outf, selected=None):
|
|||
def input_name(outf, defaultval=None):
|
||||
defstr = '<div>Adventurer\'s name: <input type="text" name="name" value="{0}"></div>\n'
|
||||
if defaultval:
|
||||
outf.write(defstr.format(defaultval))
|
||||
outf.write(defstr.format(html.escape(defaultval)))
|
||||
else:
|
||||
outf.write('<div>Adventurer\'s Name: <input type="text" name="name"></div>\n')
|
||||
return
|
||||
|
|
@ -124,7 +125,7 @@ def processname(fdata, errlist):
|
|||
try:
|
||||
os.stat(ttyrecbase + formname)
|
||||
except OSError:
|
||||
errlist.append(cantfind.format(cgi.escape(formname)))
|
||||
errlist.append(cantfind.format(html.escape(formname)))
|
||||
return None
|
||||
return formname
|
||||
|
||||
|
|
@ -139,7 +140,7 @@ def processgame(fdata, errlist):
|
|||
for agame in rlgall.gamelist:
|
||||
if agame.uname == formgame:
|
||||
return agame
|
||||
errlist.append(cantfind.format(cgi.escape(formgame)))
|
||||
errlist.append(cantfind.format(html.escape(formgame)))
|
||||
return None
|
||||
|
||||
def processtime(fdata, errlist, hlist):
|
||||
|
|
@ -156,7 +157,7 @@ def processtime(fdata, errlist, hlist):
|
|||
try:
|
||||
utime = int(formtime)
|
||||
except ValueError:
|
||||
errlist.append(badtime.format(cgi.escape(formtime)))
|
||||
errlist.append(badtime.format(html.escape(formtime)))
|
||||
return None
|
||||
else:
|
||||
if utime < 0:
|
||||
|
|
@ -261,7 +262,6 @@ def processtime(fdata, errlist, hlist):
|
|||
if lerrors:
|
||||
errlist.extend(lerrors)
|
||||
return None
|
||||
#return calendar.timegm([year, month, day, hour, minute, second, 0, 0, 0])
|
||||
return datetime(year, month, day, hour, minute, second, 0, pytz.utc)
|
||||
|
||||
# Begin processing
|
||||
|
|
@ -324,13 +324,13 @@ if dosearch:
|
|||
sys.stdout.write("<p>No record found.</p>\n")
|
||||
elif len(gamefiles) == 1:
|
||||
sys.stdout.write('<p><a href="/ttyrecs/{0}/{1}/{2}">1 ttyrec found.</a>\
|
||||
</p>\n'.format(formname, dungeon.uname, gamefiles[0]))
|
||||
</p>\n'.format(html.escape(formname), dungeon.uname, gamefiles[0]))
|
||||
else:
|
||||
sys.stdout.write('<p>{0}-part ttyrec found.</p>\n'.format(len(gamefiles)))
|
||||
sys.stdout.write('<ul>\n')
|
||||
for i, afile in enumerate(gamefiles):
|
||||
sys.stdout.write('<li><a href="/ttyrecs/{0}/{1}/{2}">Section {3}</a>\
|
||||
</li>\n'.format(formname, dungeon.uname, afile, i + 1))
|
||||
</li>\n'.format(html.escape(formname), dungeon.uname, afile, i + 1))
|
||||
sys.stdout.write('</ul>\n')
|
||||
if isnotsearch:
|
||||
sys.stdout.write(infop)
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue