🔒 Fixed another security found out by https://github.com/aplhk

mawoka-myblock · Jan 22, 2024 · 7e11c48 · 7e11c48
1 parent 188a935
commit 7e11c48
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 13 deletions.
diff --git a/classquiz/kahoot_importer/import_quiz.py b/classquiz/kahoot_importer/import_quiz.py
@@ -3,7 +3,6 @@
 # SPDX-License-Identifier: MPL-2.0
 
 
-import html
 import io
 import json
 import uuid
@@ -76,15 +75,15 @@ async def import_quiz(quiz_id: str, user: User) -> Quiz | int:
                 (
                     ABCDQuizAnswer(
                         right=a.correct,
-                        answer=html.unescape(bleach.clean(a.answer, tags=[], strip=True)),
+                        answer=bleach.clean(a.answer, tags=[], strip=True),
                         color=DEFAULT_COLORS[i],
                     )
                 )
             )
 
         quiz_questions.append(
             QuizQuestion(
-                question=html.unescape(bleach.clean(q.question, tags=ALLOWED_TAGS_FOR_QUIZ, strip=True)),
+                question=bleach.clean(q.question, tags=ALLOWED_TAGS_FOR_QUIZ, strip=True),
                 answers=answers,
                 time=str(q.time / 1000),
                 image=image,
@@ -98,8 +97,8 @@ async def import_quiz(quiz_id: str, user: User) -> Quiz | int:
     quiz_data = Quiz(
         id=quiz_id,
         public=False,
-        title=html.unescape(bleach.clean(quiz.kahoot.title, tags=ALLOWED_TAGS_FOR_QUIZ, strip=True)),
-        description=html.unescape(bleach.clean(quiz.kahoot.description, tags=ALLOWED_TAGS_FOR_QUIZ, strip=True)),
+        title=bleach.clean(quiz.kahoot.title, tags=ALLOWED_TAGS_FOR_QUIZ, strip=True),
+        description=bleach.clean(quiz.kahoot.description, tags=ALLOWED_TAGS_FOR_QUIZ, strip=True),
         created_at=datetime.now(),
         updated_at=datetime.now(),
         user_id=user.id,

diff --git a/classquiz/routers/editor.py b/classquiz/routers/editor.py
@@ -4,7 +4,6 @@
 
 
 import asyncio
-import html
 import uuid
 from typing import Optional
 
@@ -81,23 +80,21 @@ async def finish_edit(edit_id: str, quiz_input: QuizInput):
         if question.type == QuizQuestionType.ABCD:
             for i2, answer in enumerate(question.answers):
                 if answer.color is not None:
-                    quiz_input.questions[i].answers[i2].color = html.unescape(
-                        bleach.clean(answer.color, tags=[], strip=True)
-                    )
+                    quiz_input.questions[i].answers[i2].color = bleach.clean(answer.color, tags=[], strip=True)
                 if answer.answer == "":
                     quiz_input.questions[i].answers[i2].answer = None
                 if answer.answer is not None:
-                    quiz_input.questions[i].answers[i2].answer = html.unescape(
-                        bleach.clean(answer.answer, tags=ALLOWED_TAGS_FOR_QUIZ, strip=True)
+                    quiz_input.questions[i].answers[i2].answer = bleach.clean(
+                        answer.answer, tags=ALLOWED_TAGS_FOR_QUIZ, strip=True
                     )
 
     images_to_delete = []
     old_quiz_data: Quiz = await Quiz.objects.get_or_none(id=session_data.quiz_id, user_id=session_data.user_id)
 
     for i, question in enumerate(quiz_input.questions):
         image = question.image
-        quiz_input.questions[i].question = html.unescape(
-            bleach.clean(quiz_input.questions[i].question, tags=ALLOWED_TAGS_FOR_QUIZ, strip=True)
+        quiz_input.questions[i].question = bleach.clean(
+            quiz_input.questions[i].question, tags=ALLOWED_TAGS_FOR_QUIZ, strip=True
         )
         if image == "":
             question.image = None