Merge lp:~kees/launchpad-work-items-tracker/fix-escaping into lp:launchpad-work-items-tracker

Proposed by Kees Cook
Status: Merged
Merged at revision: not available
Proposed branch: lp:~kees/launchpad-work-items-tracker/fix-escaping
Merge into: lp:launchpad-work-items-tracker
Diff against target: 71 lines (+9/-9)
1 file modified
workitems.py (+9/-9)
To merge this branch: bzr merge lp:~kees/launchpad-work-items-tracker/fix-escaping
Reviewer Review Type Date Requested Status
Developers of work-items-tracker Pending
Review via email: mp+15625@code.launchpad.net
Kees Cook (kees) wrote :

This should clean up escaping and catch the assignee href XSS

Preview Diff

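--- a/workitems.py
+++ b/workitems.py
@@ -2,7 +2,7 @@
 
 import urllib, re, sys, optparse, os.path, datetime
 import sqlite3 as dbapi2
-from xml.sax.saxutils import escape
+from cgi import escape
 
 from launchpadlib.launchpad import Launchpad, EDGE_SERVICE_ROOT
 
@@ -431,8 +431,8 @@
  if bp.startswith('http:') or bp.startswith('https:'):
  url = bp
  else:
- url = '%s/ubuntu/+spec/%s' % (blueprints_base_url, escape(bp))
- return '<a href="%s">%s</a>' % (url, escape(bp))
+ url = '%s/ubuntu/+spec/%s' % (blueprints_base_url, escape(bp, True))
+ return '<a href="%s">%s</a>' % (url, escape(bp, True))
 
 def html_format_priority(priority):
  prio_colors = {
@@ -443,7 +443,7 @@
  'Essential': 'red'
  }
 
- p = escape(priority or '')
+ p = escape(priority or '', True)
  col = prio_colors.get(p)
  if col:
  return '<span style="color: %s">%s</span>' % (col, p)
@@ -496,7 +496,7 @@
  bp_html, data[bp][0], data[bp][2],
  data[bp][1], percent,
  html_format_priority(data[bp][-1]),
- escape(data[bp][-2]))
+ escape(data[bp][-2], True))
 
  print '</table>'
 
@@ -519,9 +519,9 @@
  completion.sort(key=lambda k: k[0], reverse=False)
 
  for (a, percent) in completion:
- url = '%s/~%s/+specs?role=assignee' % (blueprints_base_url, a)
+ url = '%s/~%s/+specs?role=assignee' % (blueprints_base_url, escape(a, True))
  print ' <tr><td><a href="%s">%s</a></td> <td>%i/%i/%i</td> <td>%i%%</td></tr>' % (
- url, escape(a), len(data[a][0]), len(data[a][2]),
+ url, escape(a, True), len(data[a][0]), len(data[a][2]),
  len(data[a][1]), percent)
  print '</table>'
 
@@ -541,7 +541,7 @@
  todo_len = len(todo)
  postponed_len = len(postponed)
  done_len = len(done)
- url = '%s/~%s/+specs?role=assignee' % (blueprints_base_url, a)
+ url = '%s/~%s/+specs?role=assignee' % (blueprints_base_url, escape(a, True))
  rows = ['<td rowspan="%s">todo</td>' % todo_len,
  '<td rowspan="%s">postponed</td>' % postponed_len,
  '<td rowspan="%s">done</td>' % done_len]
@@ -553,7 +553,7 @@
  print ' <tr>',
  if not printed_assignee:
  print '<td rowspan="%s"><a href="%s">%s</a></td> ' % (
- todo_len+postponed_len+done_len, url, escape(a)),
+ todo_len+postponed_len+done_len, url, escape(a, True)),
  printed_assignee = True
  if not printed_status:
  print rows[i]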
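Review bot: On the new side of the `@@ -519` and `@@ -541` hunks (lines 522 and 544) the assignee `a` is HTML-escaped and then spliced into a URL path segment, but `cgi.escape(s, True)` only rewrites `&`, `<`, `>` and `"`, so characters such as `/`, `?`, `#` or `%` in the name still change the structure of the resulting URL. A path segment wants URL encoding rather than HTML escaping, and since `urllib` is already imported at line 3 something like `url = '%s/~%s/+specs?role=assignee' % (blueprints_base_url, urllib.quote(a, safe=''))` covers both the URL and the double-quoted attribute context (the same applies to `escape(bp, True)` at line 434). Separately, in the `@@ -431` hunk the `http:`/`https:` branch at line 432 assigns `url = bp` with no escaping and line 435 interpolates it straight into `href="%s"`, so a blueprint value that starts with `http:` and contains `"` can still close the attribute; `return '<a href="%s">%s</a>' % (escape(url, True), escape(bp, True))` closes that gap. The functions enclosing the 519, 541 and 553 hunks begin outside the diff.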
