Mirror of https://github.com/simonw/datasette
Turn on auto-escaping in Jinja
We had XSS holes! Since we don't do cookies or authentication they shouldn't cause any actual harm, but still really not good. https://github.com/pallets/jinja/issues/528
pull/107/head^2
parent a4af532a31
commit 82261a638b
@ -610,7 +610,8 @@ class Datasette:
app,
app,
loader=FileSystemLoader([
loader=FileSystemLoader([
str(app_root / 'datasette' / 'templates')
str(app_root / 'datasette' / 'templates')
])
]),
autoescape=True,
)
)
self.jinja.add_env('escape_css_string', escape_css_string, 'filters')
self.jinja.add_env('escape_css_string', escape_css_string, 'filters')
self.jinja.add_env('quote_plus', lambda u: urllib.parse.quote_plus(u), 'filters')
self.jinja.add_env('quote_plus', lambda u: urllib.parse.quote_plus(u), 'filters')
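Review bot: `autoescape=True` is a blanket setting for every template the `FileSystemLoader` serves, so two follow-up checks belong with this hunk. First, any existing template that intentionally emits markup (rendered HTML fragments, pre-built links) will now be escaped to literal text; those spots need an explicit `|safe`, and it is worth grepping the `datasette/templates` directory for them before merging rather than discovering broken pages later. Second, the two custom filters registered below, `escape_css_string` and `quote_plus`, return plain `str`, so their output will additionally be HTML-escaped by the autoescaper. For `quote_plus` that is harmless, since percent-encoded output contains no HTML-special characters. For `escape_css_string` it depends on where the result lands: inside a `<style>` element the browser does not decode HTML entities, so an HTML-escaped quote would be wrong there, and the filter should wrap its result in `markupsafe.Markup` (or the template should use `|safe`) if that is the context; inside a `style="..."` attribute the HTML escaping is correct and needed. Please confirm which case applies. If Datasette ever renders non-HTML templates (for example JSON or CSV bodies) through this environment, prefer `jinja2.select_autoescape(['html', 'xml'])` over the bare `True` so those are not escaped.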