mirror of https://github.com/RYGhub/royalnet.git synced 2024-11-27 13:34:28 +00:00

do not escape css

Steffo 2018-06-05 15:11:58 +02:00
parent 046e9c1d61
commit 06ea2df92c
2 changed files with 8 additions and 2 deletions


@ -7,7 +7,9 @@
{% block posthead %}
{% if css %}
<style>
{% autoescape false %}
{{ css.css }}
{% endautoescape %}
</style>
{% endif %}
{% endblock %}
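Review bot: With autoescaping disabled around `{{ css.css }}`, a stored value containing `</style>` closes the style element and the rest of the value is parsed as HTML, so user-supplied CSS becomes stored markup on every page that renders this block. The only guard visible in this commit is the `"<style" in css` test in `page_setcss`, which does not match a closing tag, is case-sensitive, and does not cover rows already saved. The write path should reject the terminator case-insensitively, for example `if "</style" in css.lower(): abort(400)`, and the template should apply the same check (or skip the block) at render time so existing rows are covered too. A sturdier design is to serve the saved CSS from its own route with `Content-Type: text/css` and reference it with a `<link>` tag, so the value never passes through the HTML parser. If this page is shown to users other than the author (not visible here), note that even well-formed CSS can restyle or hide page content for them.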


@ -107,8 +107,12 @@ def page_setcss():
if user_id is None:
abort(403)
return
css = request.form.get("css", "")
if "<style" in css:
abort(400)
return
if ccss is None:
ccss = db.CustomCSS(royal_id=user_id, css=request.form.get("css", ""))
ccss = db.CustomCSS(royal_id=user_id, css=css)
db_session.add(ccss)
else:
ccss.css = request.form.get("css", "")