Correctly escape output of ?_trace, refs #1360
rodzic
ff29dd55fa
commit
8f311d6c1d
|
@ -1,5 +1,6 @@
|
||||||
import asyncio
|
import asyncio
|
||||||
from contextlib import contextmanager
|
from contextlib import contextmanager
|
||||||
|
from markupsafe import escape
|
||||||
import time
|
import time
|
||||||
import json
|
import json
|
||||||
import traceback
|
import traceback
|
||||||
|
@ -123,7 +124,7 @@ class AsgiTracer:
|
||||||
except IndexError:
|
except IndexError:
|
||||||
content_type = ""
|
content_type = ""
|
||||||
if "text/html" in content_type and b"</body>" in accumulated_body:
|
if "text/html" in content_type and b"</body>" in accumulated_body:
|
||||||
extra = json.dumps(trace_info, indent=2)
|
extra = escape(json.dumps(trace_info, indent=2))
|
||||||
extra_html = f"<pre>{extra}</pre></body>".encode("utf8")
|
extra_html = f"<pre>{extra}</pre></body>".encode("utf8")
|
||||||
accumulated_body = accumulated_body.replace(b"</body>", extra_html)
|
accumulated_body = accumulated_body.replace(b"</body>", extra_html)
|
||||||
elif "json" in content_type and accumulated_body.startswith(b"{"):
|
elif "json" in content_type and accumulated_body.startswith(b"{"):
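Review bot: `accumulated_body.replace(b"</body>", extra_html)` on the line after the escaped `extra` substitutes every `</body>` occurrence, so a page that happens to carry that byte sequence more than once (for instance inside an inline script string) gets the trace block injected at each one; replacing only the last occurrence, `head, sep, tail = accumulated_body.rpartition(b"</body>")` then `accumulated_body = head + extra_html + tail if sep else accumulated_body`, limits it to one insertion. The added `escape()` is the right fix as far as it goes: trace_info echoes the request's SQL and parameters, which the client controls via the query string, and markupsafe's escaping of `<`, `>`, `&` and both quote characters is sufficient inside a `<pre>` element; a why-comment such as `# trace_info echoes attacker-controlled input (e.g. the ?sql= text), so HTML-escape before inlining it` would keep the next maintainer from dropping it. Since the body grows, any Content-Length header on the buffered response must be recomputed — presumably handled elsewhere in AsgiTracer, as it is not visible in this hunk. The enclosing method starts and ends outside the hunk.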
|
||||||
|
|
|
@ -1699,3 +1699,9 @@ def test_unavailable_table_does_not_break_sort_relationships():
|
||||||
) as client:
|
) as client:
|
||||||
response = client.get("/?_sort=relationships")
|
response = client.get("/?_sort=relationships")
|
||||||
assert response.status == 200
|
assert response.status == 200
|
||||||
|
|
||||||
|
|
||||||
|
def test_trace_correctly_escaped(app_client):
|
||||||
|
response = app_client.get("/fixtures?sql=select+'<h1>Hello'&_trace=1")
|
||||||
|
assert "select '<h1>Hello" not in response.text
|
||||||
|
assert "select '<h1>Hello" in response.text
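Review bot: The positive assertion on the last line only checks that the entity-escaped SQL appears somewhere in response.text; the query page presumably also echoes the submitted SQL through its already-escaped template, so that assertion would likely pass even if the trace block were omitted entirely, and only the `not in` assertion above it actually exercises the fix. Narrowing it to the tracer's output, e.g. `assert "&lt;h1&gt;Hello" in response.text.split("<pre>")[-1]` (the tracer appends its `<pre>` block immediately before `</body>`, so it is the last one), would pin the escaping to the code under test. On this rendered page the two assertions display identically because the forge decoded the entities; the second is presumably the escaped form `select &#39;&lt;h1&gt;Hello`. A one-line docstring, `"""?_trace output must HTML-escape the SQL it echoes (refs #1360)."""`, would record why the test exists.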
|
||||||
|
|