mirror of https://github.com/simonw/datasette
Turn on auto-escaping in Jinja
We had XSS holes! Since we don't do cookies or authentication they shouldn't cause any actual harm, but still really not good. https://github.com/pallets/jinja/issues/528
pull/107/head^2
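As an added example (not code from the datasette repository or from this commit) of what the `autoescape=True` flag in this diff changes, the block below renders a constructed template with a constructed untrusted value once with autoescaping off (the pre-commit behaviour) and once with it on, and shows how `markupsafe.Markup` keeps markup the template author intends to emit:

```python
"""Added example (not datasette's code): what Jinja's autoescape flag changes.

A template renders an untrusted value with and without autoescape=True, and
a value wrapped in markupsafe.Markup shows how intentional HTML is kept.
The template and the values are constructed for this demonstration.
"""
from jinja2 import Environment, DictLoader
from markupsafe import Markup

# Constructed template: one cell for untrusted data, one for trusted markup.
TEMPLATES = {
    "cell.html": "<td>{{ value }}</td><td>{{ trusted }}</td>",
}

# Constructed untrusted input, e.g. a value read from a user-supplied database.
UNTRUSTED = "<script>alert(1)</script>"


def render_cell(autoescape: bool) -> str:
    """Render the template with the given autoescape setting."""
    env = Environment(loader=DictLoader(TEMPLATES), autoescape=autoescape)
    tmpl = env.get_template("cell.html")
    # Markup marks a string as already safe, so autoescape leaves it alone.
    return tmpl.render(value=UNTRUSTED, trusted=Markup("<b>ok</b>"))


def is_neutralised(rendered: str) -> bool:
    """True if no raw <script> tag survived rendering."""
    return "<script>" not in rendered


if __name__ == "__main__":
    before = render_cell(autoescape=False)  # the pre-commit behaviour
    after = render_cell(autoescape=True)    # the behaviour after this commit
    print("autoescape=False:", before)
    print("autoescape=True: ", after)
```

HTML autoescaping only covers HTML text and quoted attribute contexts; a value placed inside a CSS string or a URL still needs context-specific escaping, which is why filters such as the `escape_css_string` and `quote_plus` registered right after the environment in this diff remain necessary alongside the flag.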
parent
a4af532a31
commit
82261a638b
@ -610,7 +610,8 @@ class Datasette:
app,
loader=FileSystemLoader([
str(app_root / 'datasette' / 'templates')
])
]),
autoescape=True,
)
self.jinja.add_env('escape_css_string', escape_css_string, 'filters')
self.jinja.add_env('quote_plus', lambda u: urllib.parse.quote_plus(u), 'filters')
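Review bot: `autoescape=True` is a blanket switch, so every place a template deliberately emits markup now has to pass that value as `markupsafe.Markup` (or apply `|safe`), otherwise it will be double-escaped; the hunk enables the flag but nothing in it shows those template sites being audited, so that audit should accompany this change. Note also that HTML autoescaping does not cover the CSS and URL contexts; the `escape_css_string` and `quote_plus` filters registered on the two lines that follow are still needed for those, and a short comment next to `autoescape=True` saying so would stop a later reader from removing them as redundant.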