
do not escape css

This commit is contained in:
Steffo 2018-06-05 15:11:58 +02:00
parent 046e9c1d61
commit 06ea2df92c
2 changed files with 8 additions and 2 deletions


@ -7,7 +7,9 @@
{% block posthead %} {% block posthead %}
{% if css %} {% if css %}
<style> <style>
{{ css.css }} {% autoescape false %}
{{ css.css }}
{% endautoescape %}
</style> </style>
{% endif %} {% endif %}
{% endblock %} {% endblock %}
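Review bot: Wrapping `{{ css.css }}` in `{% autoescape false %}` emits user-controlled CSS as raw HTML inside the page, so the only barrier against a stored cross-site-scripting issue is the `"<style" in css` substring check added in the other file, which is case-sensitive and does not recognise a closing `</style>` tag. A safer shape keeps the CSS out of the HTML document altogether: serve it from its own route with `Content-Type: text/css` and reference it with `<link rel="stylesheet" href="...">`, where the browser's CSS parser cannot re-enter HTML. If inline output is kept, the trust assumption should be recorded next to the directive, e.g. `{# raw output: css.css must be rejected server-side if it contains markup (see page_setcss); keep both in sync #}`, and a Content-Security-Policy forbidding inline script would add a second layer.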


@ -107,8 +107,12 @@ def page_setcss():
if user_id is None: if user_id is None:
abort(403) abort(403)
return return
css = request.form.get("css", "")
if "<style" in css:
abort(400)
return
if ccss is None: if ccss is None:
ccss = db.CustomCSS(royal_id=user_id, css=request.form.get("css", "")) ccss = db.CustomCSS(royal_id=user_id, css=css)
db_session.add(ccss) db_session.add(ccss)
else: else:
ccss.css = request.form.get("css", "") ccss.css = request.form.get("css", "")
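Review bot: The new guard `if "<style" in css:` is a case-sensitive substring test that only recognises an opening tag, so input containing `<STYLE` or a closing `</style>` followed by other markup passes, while the template now emits the value unescaped. CSS almost never needs a literal `<`, so rejecting the character outright is both simpler and stricter: `if "<" in css:`; if `<` must stay legal inside string values, at least normalise with `css.lower()` and test for both `<style` and `</style`. The `return` after `abort(400)` is unreachable if this is Flask's `abort`, which raises; it mirrors the lines above it but can be dropped. The `else` branch on the last line still stores `request.form.get("css", "")` instead of the validated local, so `ccss.css = css` keeps both paths on the checked value. `page_setcss` begins above the hunk.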