diff --git a/Website/__init__.py b/Website/__init__.py
index 5d9bae9..a3fc975 100644
--- a/Website/__init__.py
+++ b/Website/__init__.py
@@ -3,8 +3,8 @@ from flask import Flask, render_template, render_template_string, request, make_
 from flask_socketio import SocketIO, join_room, leave_room
 from flask_session import Session
 from markupsafe import escape
-from .db import get_db
-import .db as db
+from Website.db import get_db
+import Website.db as db
 from datetime import datetime
 finished = None
 preis = 150 #Ein Getraenk
@@ -55,7 +55,7 @@ def create_app(test_config=None):
 c = db.cursor()
 c.execute("SELECT * FROM users")
 users = c.fetchall()
- return render_template("list.html", users=users, preis=preis/100)
+ return render_template("list.html", users=escape(users), preis=escape(preis/100))
 
 @app.route("/transactionlist")
 def transactionlist():
@@ -115,7 +115,7 @@ def create_app(test_config=None):
 if user != None :
 c.execute(f"SELECT * FROM tags WHERE userid={user[0]}")
 tags = c.fetchall()
- return render_template("user.html", user=user, tags=tags)
+ return render_template("user.html", user=escape(user), tags=escape(tags))
 else:
 return render_template("error.html", error_code="043")
 
@@ -135,7 +135,7 @@ def create_app(test_config=None):
 user_name = user[1]
 db.remove_user(user_id)
 socketio.emit("update", "update")
- return render_template("removeuser.html", user_name=user_name)
+ return render_template("removeuser.html", user_name=escape(user_name))
 else:
 return render_template("error.html", error_code="043")
 
@@ -185,7 +185,7 @@ def create_app(test_config=None):
 session_id = uuid.uuid4()
 session[id] = session_id
 user_queue.put([user_id, "add", session_id])
- return render_template("addtag.html", user=user_id)
+ return render_template("addtag.html", user=escape(user_id))
 
 @socketio.on('addtag')
 def request_addtag(data):
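Review bot: `import Website.db as db` binds the module to the package-level name `db`, while the route body in the `@@ -226` hunk rebinds `db = get_db()` to a connection, so a call such as `db.remove_user(user_id)` in the `@@ -135` hunk resolves to whichever binding happens to be in scope there and a reader cannot tell from the hunk which one is meant. Since the removed line `import .db as db` was not valid syntax, the intent was presumably a relative import; the form that expresses that without the name clash is `from . import db as db_module` (or any alias that does not collide with the local connection variable). The import block is at module level and the functions that use `db` continue outside this hunk.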
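Review bot: `users=escape(users)` on the new `list.html` return line stringifies the `fetchall()` result: markupsafe's `escape()` calls `str()` on anything that is not already a string or `__html__` object and returns a `Markup` string, so the template receives the repr of the row list rather than iterable rows, and `preis=escape(preis/100)` likewise turns the float into a string. The same defect applies to `user=escape(user)` and `tags=escape(tags)` in the `@@ -115` hunk, where `user` is a single row and `tags` a row list. Flask enables Jinja autoescaping by default for templates ending in `.html`, so `render_template(...)` already escapes each interpolated value at render time; the `escape()` calls in the `@@ -135`, `@@ -185` and `@@ -226` hunks are therefore redundant but harmless because they wrap plain scalars. If the goal is to close an XSS path through user-controlled names, keep passing the raw rows (`users=users, preis=preis/100`) and instead review the templates for `|safe` filters or `{% autoescape false %}` blocks around those fields, which is where autoescaping would be defeated. `create_app` starts and ends outside every hunk in this file.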
@@ -226,7 +226,7 @@ def create_app(test_config=None):
 session_id = uuid.uuid4()
 session[id] = session_id
 user_queue.put([user_id, "remove", session_id])
- return render_template("removetag.html", user=user_id)
+ return render_template("removetag.html", user=escape(user_id))
 else:
 db = get_db()
 c = db.cursor()
diff --git a/tests/test_website.py b/tests/test_website.py
index a8359a4..4f985b3 100644
--- a/tests/test_website.py
+++ b/tests/test_website.py
@@ -23,14 +23,14 @@ def test_index(client):
 
 #/adduser
 def test_adduser(client):
- response = client.get('/adduser/user')
+ response = client.post('/adduser/user', data={})
 assert "418" in response.data.decode('utf-8')
 
 def test_adduser_new(app, client):
 with app.app_context():
 db = get_db()
 assert db is get_db()
- response = client.get('/adduser/user?username=test')
+ response = client.post('/adduser/user', data={user_name:"test"})
 c = db.cursor()
 c.execute("SELECT * FROM users WHERE username = ?", ["test"])
 data = c.fetchone()
@@ -40,7 +40,7 @@ def test_adduser_new(app, client):
 assert data[2] == 0
 
 def test_adduser_allreadyexists(client):
- response = client.get('/adduser/user?username=test')
+ response = client.post('/adduser/user', data={username:"test"})
 assert "Error: 757" in response.data.decode('utf-8')
 
 #/addtag
@@ -49,7 +49,7 @@ def test_addtag(client):
 assert response.data.decode('utf-8') == "Error: 095"
 
 def test_addtag_userid_nan(client):
- response = client.get('/addtag?id=test')
+ response = client.post('/addtag', data={id:1})
 assert response.data.decode('utf-8') == "Error: 095"
 
 def test_add_tag_direktli(app):
@@ -166,4 +166,4 @@ def test_sqlinjektion_adduser(app, client):
 assert data[1] == i
 assert data[2] == 0
 assert "tag was sucsesfully added" in response.data.decode('utf-8')
- count += 1
\ No newline at end of file
+ count += 1
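Review bot: `data={user_name:"test"}` in the `@@ -23` hunk of tests/test_website.py uses an unquoted dict key, and no `user_name` is defined in `test_adduser_new`, so the test raises NameError before the request is made; `data={username:"test"}` in the `@@ -40` hunk has the same problem, and `data={id:1}` in the `@@ -49` hunk keys the form on the builtin `id` function, so the server never receives a field named `id`. The keys need to be string literals, e.g. `data={"user_name": "test"}`, and the two adduser tests should agree on one field name (`user_name` vs `username`) matching what the handler reads, which is not visible in this diff. Separately, `test_addtag_userid_nan` now posts `1`, a well-formed integer, so it no longer exercises the not-a-number case its name and the `Error: 095` assertion describe; the removed `id=test` value, or any non-numeric string, is what that test needs.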