AHHH escape
This commit is contained in:
parent
ce009a278b
commit
f691e7534d
|
|
@ -3,8 +3,8 @@ from flask import Flask, render_template, render_template_string, request, make_
|
||||||
from flask_socketio import SocketIO, join_room, leave_room
|
from flask_socketio import SocketIO, join_room, leave_room
|
||||||
from flask_session import Session
|
from flask_session import Session
|
||||||
from markupsafe import escape
|
from markupsafe import escape
|
||||||
from .db import get_db
|
from Website.db import get_db
|
||||||
import .db as db
|
import Website.db as db
|
||||||
from datetime import datetime
|
from datetime import datetime
|
||||||
finished = None
|
finished = None
|
||||||
preis = 150 #Ein Getraenk
|
preis = 150 #Ein Getraenk
|
||||||
|
|
@ -55,7 +55,7 @@ def create_app(test_config=None):
|
||||||
c = db.cursor()
|
c = db.cursor()
|
||||||
c.execute("SELECT * FROM users")
|
c.execute("SELECT * FROM users")
|
||||||
users = c.fetchall()
|
users = c.fetchall()
|
||||||
return render_template("list.html", users=users, preis=preis/100)
|
return render_template("list.html", users=escape(users), preis=escape(preis/100))
|
||||||
|
|
||||||
@app.route("/transactionlist")
|
@app.route("/transactionlist")
|
||||||
def transactionlist():
|
def transactionlist():
|
||||||
|
|
@ -115,7 +115,7 @@ def create_app(test_config=None):
|
||||||
if user != None :
|
if user != None :
|
||||||
c.execute(f"SELECT * FROM tags WHERE userid={user[0]}")
|
c.execute(f"SELECT * FROM tags WHERE userid={user[0]}")
|
||||||
tags = c.fetchall()
|
tags = c.fetchall()
|
||||||
return render_template("user.html", user=user, tags=tags)
|
return render_template("user.html", user=escape(user), tags=escape(tags))
|
||||||
|
|
||||||
else:
|
else:
|
||||||
return render_template("error.html", error_code="043")
|
return render_template("error.html", error_code="043")
|
||||||
|
|
@ -135,7 +135,7 @@ def create_app(test_config=None):
|
||||||
user_name = user[1]
|
user_name = user[1]
|
||||||
db.remove_user(user_id)
|
db.remove_user(user_id)
|
||||||
socketio.emit("update", "update")
|
socketio.emit("update", "update")
|
||||||
return render_template("removeuser.html", user_name=user_name)
|
return render_template("removeuser.html", user_name=escape(user_name))
|
||||||
else:
|
else:
|
||||||
return render_template("error.html", error_code="043")
|
return render_template("error.html", error_code="043")
|
||||||
|
|
||||||
|
|
@ -185,7 +185,7 @@ def create_app(test_config=None):
|
||||||
session_id = uuid.uuid4()
|
session_id = uuid.uuid4()
|
||||||
session[id] = session_id
|
session[id] = session_id
|
||||||
user_queue.put([user_id, "add", session_id])
|
user_queue.put([user_id, "add", session_id])
|
||||||
return render_template("addtag.html", user=user_id)
|
return render_template("addtag.html", user=escape(user_id))
|
||||||
|
|
||||||
@socketio.on('addtag')
|
@socketio.on('addtag')
|
||||||
def request_addtag(data):
|
def request_addtag(data):
|
||||||
|
|
@ -226,7 +226,7 @@ def create_app(test_config=None):
|
||||||
session_id = uuid.uuid4()
|
session_id = uuid.uuid4()
|
||||||
session[id] = session_id
|
session[id] = session_id
|
||||||
user_queue.put([user_id, "remove", session_id])
|
user_queue.put([user_id, "remove", session_id])
|
||||||
return render_template("removetag.html", user=user_id)
|
return render_template("removetag.html", user=escape(user_id))
|
||||||
else:
|
else:
|
||||||
db = get_db()
|
db = get_db()
|
||||||
c = db.cursor()
|
c = db.cursor()
|
||||||
|
|
|
||||||
|
|
@ -23,14 +23,14 @@ def test_index(client):
|
||||||
|
|
||||||
#/adduser
|
#/adduser
|
||||||
def test_adduser(client):
|
def test_adduser(client):
|
||||||
response = client.get('/adduser/user')
|
response = client.post('/adduser/user', data={})
|
||||||
assert "418" in response.data.decode('utf-8')
|
assert "418" in response.data.decode('utf-8')
|
||||||
|
|
||||||
def test_adduser_new(app, client):
|
def test_adduser_new(app, client):
|
||||||
with app.app_context():
|
with app.app_context():
|
||||||
db = get_db()
|
db = get_db()
|
||||||
assert db is get_db()
|
assert db is get_db()
|
||||||
response = client.get('/adduser/user?username=test')
|
response = client.post('/adduser/user', data={user_name:"test"})
|
||||||
c = db.cursor()
|
c = db.cursor()
|
||||||
c.execute("SELECT * FROM users WHERE username = ?", ["test"])
|
c.execute("SELECT * FROM users WHERE username = ?", ["test"])
|
||||||
data = c.fetchone()
|
data = c.fetchone()
|
||||||
|
|
@ -40,7 +40,7 @@ def test_adduser_new(app, client):
|
||||||
assert data[2] == 0
|
assert data[2] == 0
|
||||||
|
|
||||||
def test_adduser_allreadyexists(client):
|
def test_adduser_allreadyexists(client):
|
||||||
response = client.get('/adduser/user?username=test')
|
response = client.post('/adduser/user', data={username:"test"})
|
||||||
assert "Error: 757" in response.data.decode('utf-8')
|
assert "Error: 757" in response.data.decode('utf-8')
|
||||||
|
|
||||||
#/addtag
|
#/addtag
|
||||||
|
|
@ -49,7 +49,7 @@ def test_addtag(client):
|
||||||
assert response.data.decode('utf-8') == "Error: 095"
|
assert response.data.decode('utf-8') == "Error: 095"
|
||||||
|
|
||||||
def test_addtag_userid_nan(client):
|
def test_addtag_userid_nan(client):
|
||||||
response = client.get('/addtag?id=test')
|
response = client.post('/addtag', data={id:1})
|
||||||
assert response.data.decode('utf-8') == "Error: 095"
|
assert response.data.decode('utf-8') == "Error: 095"
|
||||||
|
|
||||||
def test_add_tag_direktli(app):
|
def test_add_tag_direktli(app):
|
||||||
|
|
@ -166,4 +166,4 @@ def test_sqlinjektion_adduser(app, client):
|
||||||
assert data[1] == i
|
assert data[1] == i
|
||||||
assert data[2] == 0
|
assert data[2] == 0
|
||||||
assert "tag was sucsesfully added" in response.data.decode('utf-8')
|
assert "tag was sucsesfully added" in response.data.decode('utf-8')
|
||||||
count += 1
|
count += 1
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue