From ef1a5da22ab6df4b3ac325bf7c263e7673b8fe30 Mon Sep 17 00:00:00 2001
From: Darren Nathanael
Date: Sat, 18 Nov 2023 10:34:59 -0600
Subject: [PATCH] API Escape (#241)

* chore: add pycaches to gitignore

* fix: correct escaping of api responses

The API did not respond as intended. :D

Co-authored-by:
---
 .gitignore      |  1 +
 dpaste/views.py | 10 ++++------
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/.gitignore b/.gitignore
index 9b69c0ac..b69a35db 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,4 @@ dpaste/static/
 dpaste.egg-info
 dpaste.sqlite
 node_modules
+**/__pycache__/
\ No newline at end of file
diff --git a/dpaste/views.py b/dpaste/views.py
index 2e5fdffa..123c12d9 100644
--- a/dpaste/views.py
+++ b/dpaste/views.py
@@ -13,6 +13,7 @@
 from django.shortcuts import get_object_or_404, render
 from django.urls import reverse
 from django.utils import timezone
+from django.utils.html import escape
 from django.utils.cache import add_never_cache_headers, patch_cache_control
 from django.utils.translation import gettext
 from django.views.generic import FormView
@@ -290,8 +291,7 @@ def post(self, request, *args, **kwargs):
         # A lexer is given, check if its valid at all
         if lexer and lexer not in highlight.LEXER_KEYS:
             return HttpResponseBadRequest(
-                'Invalid lexer "%s" given. Valid lexers are: %s'
-                % (lexer, ", ".join(highlight.LEXER_KEYS))
+                f'Invalid lexer choice "{escape(lexer)}" given. Valid lexer values are: {", ".join(highlight.LEXER_KEYS)}'
             )
 
         # No lexer is given, but we have a filename, try to get the lexer
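Review bot: The added `from django.utils.html import escape` sits between `django.utils` and `django.utils.cache`, which breaks the alphabetical order the rest of this import block keeps (`cache`, `translation`, `views.generic`); move it one line down, after the `django.utils.cache` import. If the project runs an import sorter, leaving it here will produce a spurious reorder in a later commit.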
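Review bot: The new f-string on the `+` line is a single line well over 100 characters, and it also rewords the error text (`Invalid lexer` becomes `Invalid lexer choice`, `Valid lexers are` becomes `Valid lexer values are`), a client-visible change that the commit message describes only as an escaping fix; if the rewording is intended it should be called out, since API consumers may match on the message. Splitting the literal keeps both the escaping fix and the line length: `f'Invalid lexer choice "{escape(lexer)}" given. '` followed by `f'Valid lexer values are: {", ".join(highlight.LEXER_KEYS)}'`. The same long line and rewording appear in the expires hunk at `@@ -308,9 +308,7 @@`. The enclosing `post` method starts and continues outside this hunk.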
@@ -308,9 +308,7 @@ def post(self, request, *args, **kwargs):
             expire_options = [str(i) for i in dict(config.EXPIRE_CHOICES)]
             if expires not in expire_options:
                 return HttpResponseBadRequest(
-                    'Invalid expire choice "{}" given. Valid values are: {}'.format(
-                        expires, ", ".join(expire_options)
-                    )
+                    f'Invalid expire choice "{escape(expires)}" given. Valid expire values are: {", ".join(expire_options)}'
                 )
             expires, expire_type = get_expire_values(expires)
         else:
@@ -352,4 +350,4 @@ def handler500(request, template_name="dpaste/500.html"):
     context.update(config.extra_template_context)
     response = render(request, template_name, context, status=500)
     add_never_cache_headers(response)
-    return response
+    return response
\ No newline at end of file
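Review bot: `escape(expires)` neutralises the reflected value only because `HttpResponseBadRequest` is sent with Django's default HTML content type; if these API error bodies are meant to be read as plain text, passing `content_type="text/plain"` to the response as well would stop browsers from rendering the body as markup however future messages are built, with `escape` kept as defence in depth. The other interpolated value, `", ".join(expire_options)`, is built from `config.EXPIRE_CHOICES` on the first context line and so needs no escaping; a short comment on the `+` line, `# expires is request input; expire_options come from config`, would make that asymmetry deliberate rather than look like an omission. The enclosing `post` method starts and ends outside this hunk.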