Fix HTML markup in Flash messages

andersk · andersk · commit 3ac42f90dcb6 · 2018-06-15T16:00:11.000-04:00
Signed-off-by: Anders Kaseorg &lt;andersk@mit.edu&gt;
diff --git a/scripts/auth.py b/scripts/auth.py
@@ -3,6 +3,7 @@
 from decorator import decorator
 import pwd, os
 import re
+import cgi
 
 import webob.exc
 
@@ -14,9 +15,8 @@
 def html(s):
     return '<html>'+s
 # Monkeypatch to prevent webflash from escaping HTML conditionally
-import webflash
-html_escape = webflash.html_escape
-webflash.html_escape = lambda s: s[len('<html>'):] if s.startswith('<html>') else html_escape(s)
+import sys, tg.flash
+sys.modules['tg.flash'].escape = lambda s: s[len('<html>'):] if s.startswith('<html>') else cgi.escape(s)
 
 def current_user():
     return getattr(state,'username',None)
@@ -70,7 +70,7 @@ def validate_locker(locker,team_ok=False,sudo_ok=False):
         try:
             pwd.getpwnam(locker)
         except KeyError:
-            raise AuthError(html("""The '%s' locker is not signed up for scripts.mit.edu; <a href="http://scripts.mit.edu/web/">sign it up</a> first."""%locker))
+            raise AuthError(html("""The '%s' locker is not signed up for scripts.mit.edu; <a href="http://scripts.mit.edu/web/">sign it up</a> first."""%cgi.escape(locker)))
         if ((not team_ok or not on_scripts_team())
             and (not sudo_ok or not getattr(state,'sudo',False))
             and not can_admin(locker)):
diff --git a/scriptspony/vhosts.py b/scriptspony/vhosts.py
@@ -7,6 +7,7 @@
 import random
 import string
 from decorator import decorator
+import cgi
 
 import tg
 
@@ -253,12 +254,12 @@ def validate_hostname(hostname,locker):
                 connection.close()
                 if status.status != httplib.OK:
                     raise UserError(auth.html("'%s' does not point at scripts-vhosts. If you want to continue anyway, please create a file called '%s' in the root directory of the site. See <a href='http://scripts.mit.edu/faq/132/can-i-add-a-vhost-before-i-point-my-domain-at-scripts' target='_blank'>the FAQ</a> for more information."
-                                    % (hostname,check_file)))
+                                    % (cgi.escape(hostname),cgi.escape(check_file))))
             except socket.gaierror:
                 raise UserError("'%s' does not exist." % hostname)
             except (httplib.HTTPException, socket.error):
                 raise UserError(auth.html("'%s' does not point at scripts-vhosts, and appears to have no running webserver. Please see <a href='http://scripts.mit.edu/faq/132/can-i-add-a-vhost-before-i-point-my-domain-at-scripts' target='_blank'>the FAQ</a> for more information."
-                                % hostname))
+                                % cgi.escape(hostname)))
 
     return hostname,reqtype
 
