Escape the player's name when printing it into HTML.

Non-alphanumeric characters in names may eventually be possible.
2014-03-24 16:01:28 -07:00 · 2014-03-24 16:01:28 -07:00 · d67561aa42
commit d67561aa42
parent 3d7abba670
3 changed files with 20 additions and 20 deletions
--- a/py/rlgall.py
+++ b/py/rlgall.py
@ -7,6 +7,7 @@ import os
 import psycopg2
 from datetime import datetime
 import pytz
+import html

 # Configuration
 logdir = "/var/dgl/var/games/roguelike/"
@ -74,14 +75,10 @@ def recnameToTS(filename):
  except ValueError:
    return None

-def ttyreclink(text, name, game, gtime):
-  "Returns a link to the ttyrec archivist"
-  lstr = '<a href="/archive.cgi?name={0};game={1};time={2}">{3}</a>'
-  return lstr.format(name, game, gtime, text)
-
 def playerlink(name):
  "Returns a link to a player's page"
-  lstr = '<a href="/scoring/players/' + name + '.html">' + name + '</a>'
+  escname = html.escape(name)
+  lstr = '<a href="/scoring/players/' + escname + '.html">' + escname + '</a>'
  return lstr

 def linktoArchive(entry):
@ -89,7 +86,8 @@ def linktoArchive(entry):
  lstr = '<a href="/archive.cgi?name={0};game={1};time={2}">{3}</a>'
  linktext = entry["endt"].strftime("%Y/%m/%d %H:%M:%S")
  stamp = int(entry["endt"].timestamp())
-  return lstr.format(entry["name"], entry["game"].uname, stamp, linktext)
+  escname = html.escape(entry["name"])
+  return lstr.format(escname, entry["game"].uname, stamp, linktext)

 def maketablerow(cells, isheader=None):
  "Takes a list of strings and returns a HTML table row with each string \
@ -525,16 +523,17 @@ def playerpage(pname):
  "Generate a player's HTML page"
  # Write the beginning of the page
  ppagefi = open(ppagename.format(pname), "w", encoding="utf-8")
-  ppagefi.write(phead.format(pname))
+  cleanpname = html.escape(pname)
+  ppagefi.write(phead.format(cleanpname))
  ppagefi.write(ptop)
-  ppagefi.write(navplayer.format(pname))
-  ppagefi.write(pti.format("Results for " + pname))
+  ppagefi.write(navplayer.format(cleanpname))
+  ppagefi.write(pti.format("Results for " + cleanpname))
  for game in gamelist:
    ppagefi.write(secthead.format(game.name))
    entries = game.getPlayer(pname)
    if not entries:
-      ppagefi.write("<div>" + pname + " has not yet completed an expedition\
-        in this dungeon.</div>\n")
+      ppagefi.write("<div>" + cleanpname + " has not yet completed an " +
+                    "expedition in this dungeon.</div>\n")
    else:
      entries.sort(key=lambda e: e["endt"])
      printTable(entries, game.pfields, ppagefi)
--- a/web/archive.cgi
+++ b/web/archive.cgi
@ -7,6 +7,7 @@ import time
 import calendar
 from datetime import datetime
 import pytz
+import html
 import rlgall
 #import cgitb

@ -36,7 +37,7 @@ def input_game(outf, selected=None):
 def input_name(outf, defaultval=None):
  defstr = '<div>Adventurer\'s name: <input type="text" name="name" value="{0}"></div>\n'
  if defaultval:
-    outf.write(defstr.format(defaultval))
+    outf.write(defstr.format(html.escape(defaultval)))
  else:
    outf.write('<div>Adventurer\'s Name: <input type="text" name="name"></div>\n')
  return
@ -124,7 +125,7 @@ def processname(fdata, errlist):
  try:
    os.stat(ttyrecbase + formname)
  except OSError:
-    errlist.append(cantfind.format(cgi.escape(formname)))
+    errlist.append(cantfind.format(html.escape(formname)))
    return None
  return formname

@ -139,7 +140,7 @@ def processgame(fdata, errlist):
  for agame in rlgall.gamelist:
    if agame.uname == formgame:
      return agame
-  errlist.append(cantfind.format(cgi.escape(formgame)))
+  errlist.append(cantfind.format(html.escape(formgame)))
  return None

 def processtime(fdata, errlist, hlist):
@ -156,7 +157,7 @@ def processtime(fdata, errlist, hlist):
    try:
      utime = int(formtime)
    except ValueError:
-      errlist.append(badtime.format(cgi.escape(formtime)))
+      errlist.append(badtime.format(html.escape(formtime)))
      return None
    else:
      if utime < 0:
@ -261,7 +262,6 @@ def processtime(fdata, errlist, hlist):
  if lerrors:
    errlist.extend(lerrors)
    return None
-  #return calendar.timegm([year, month, day, hour, minute, second, 0, 0, 0])
  return datetime(year, month, day, hour, minute, second, 0, pytz.utc)

 # Begin processing
@ -324,13 +324,13 @@ if dosearch:
    sys.stdout.write("<p>No record found.</p>\n")
  elif len(gamefiles) == 1:
    sys.stdout.write('<p><a href="/ttyrecs/{0}/{1}/{2}">1 ttyrec found.</a>\
-        </p>\n'.format(formname, dungeon.uname, gamefiles[0]))
+        </p>\n'.format(html.escape(formname), dungeon.uname, gamefiles[0]))
  else:
    sys.stdout.write('<p>{0}-part ttyrec found.</p>\n'.format(len(gamefiles)))
    sys.stdout.write('<ul>\n')
    for i, afile in enumerate(gamefiles):
      sys.stdout.write('<li><a href="/ttyrecs/{0}/{1}/{2}">Section {3}</a>\
-          </li>\n'.format(formname, dungeon.uname, afile, i + 1))
+          </li>\n'.format(html.escape(formname), dungeon.uname, afile, i + 1))
    sys.stdout.write('</ul>\n')
 if isnotsearch:
  sys.stdout.write(infop)
--- a/web/scoring/players/index.cgi
+++ b/web/scoring/players/index.cgi
@ -2,6 +2,7 @@

 import os
 import sys
+import html
 import rlgall

 playerdir = "/var/www/lighttpd/scoring/players/"
@ -26,7 +27,7 @@ if not namelist:
 else:
  sys.stdout.write("<ul>\n")
  for name in namelist:
-    sys.stdout.write(linkstr.format(name))
+    sys.stdout.write(linkstr.format(html.escape(name)))
  sys.stdout.write("</ul>\n")

 sys.stdout.write(rlgall.pend)