Avoid XSS
authorhiro
Thu, 21 Oct 2010 00:58:13 +0900
changeset 22 ef771cbc53f1
parent 21 e2cfd180bec8
child 23 d6c6049b1699
Avoid XSS
src/unicorn_ui.py
--- a/src/unicorn_ui.py	Wed Sep 29 10:45:25 2010 -0400
+++ b/src/unicorn_ui.py	Thu Oct 21 00:58:13 2010 +0900
@@ -1,13 +1,16 @@
 # -*- coding: utf-8 -*-
 
 """
+
+Unicorn Interface for Red Cacheability Checker
+
 Created on Jun 30, 2010
-
 @author: Hirotaka Nakajima <[email protected]>
 
 """
 import sys
 import os
+# Add working directory to Python path
 sys.path.append(os.path.dirname(os.path.abspath(__file__)))
 from red import ResourceExpertDroid
 from xml.dom import minidom
@@ -19,7 +22,6 @@
 import logging
 from string import Template
 
-
 __date__ = "Jun 30, 2010"
 __author__ = "Hirotaka Nakajima <[email protected]>"
 
@@ -162,7 +164,12 @@
         for q in query:
             if len(q) == 2:
                 if q[0] == "ca_uri":
-                    test_uri = q[1]
+                    uri = q[1]
+                    # avoid xss
+                    xs_dict = {r'"':'&quat;', r'<':'&lt', r'>':'&gt', r'&':'&amp;'}
+                    for str in xs_dict.keys():
+                        uri = re.sub(str, xs_dict[str], uri)
+                    test_uri = uri
                 if q[0] == "output":
                     if q[1] == "ucn":
                         run_engine = True
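Review bot: The entity table on the `xs_dict` line is wrong — `&quat;` is not an HTML entity (it should be `&quot;`) and `&lt`/`&gt` are missing their closing semicolons — and because the substitutions run in dict iteration order, `&` may be replaced after `<`/`>` and turn an already-emitted `&lt` into `&amp;lt` (whether it does depends on the interpreter, since Python 2 dict order is unspecified). The loop variable `str` also shadows the builtin, and `re` is not among the imports visible in this commit, so confirm it is imported where the module-level imports continue. The standard library already does this correctly and in the right order: the five added lines can become `test_uri = cgi.escape(q[1], True)` (with `import cgi` at the top of the module), which escapes `&` first and emits `&quot;`. Escaping at parse time also rewrites any `&` in a URI's query string to `&amp;`; if `test_uri` is later passed to the fetcher rather than only rendered, the HTML escaping belongs at the output point (the `Template` substitution) instead, with the raw value kept for the request. The enclosing function begins before this hunk.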