1 | # coding: utf-8 |
2 | import html |
3 | from datetime import timedelta |
4 | |||
5 | from modernrpc.handlers import JSONRPCHandler, XMLRPCHandler |
6 | |||
7 | |||
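class KiwiTCMSJsonRpcHandler(JSONRPCHandler):
    """JSON-RPC handler that sanitizes procedure results before they are sent.

    Every ``str`` found in a result (at any nesting depth of dicts and
    lists) is HTML-escaped so that a web UI which renders RPC output
    verbatim cannot be used for XSS via whatever is stored in the DB
    (e.g. tags, components). ``timedelta`` values are converted to a
    float number of seconds via ``total_seconds()``.

    Limitations that follow from the implementation: dict *keys* are not
    escaped, and containers other than ``dict``/``list`` (e.g. tuples)
    are passed through unchanged.
    """

    @staticmethod
    def _sanitize_value(value):
        """Return the sanitized form of a single result value.

        ``str`` -> HTML-escaped copy; ``timedelta`` -> ``total_seconds()``;
        ``dict``/``list`` -> sanitized in place and returned as the same
        object; anything else -> returned untouched.
        """
        if isinstance(value, str):
            return html.escape(value)
        if isinstance(value, timedelta):
            return value.total_seconds()
        # Recurse into containers so nested strings/timedeltas are not
        # missed (a dict inside a dict, a list inside a list, ...).
        if isinstance(value, dict):
            KiwiTCMSJsonRpcHandler.escape_dict(value)
        elif isinstance(value, list):
            KiwiTCMSJsonRpcHandler.escape_list(value)
        return value

    @staticmethod
    def escape_dict(result_dict):
        """Sanitize the values of *result_dict* in place, recursively.

        Keys are left as they are. Re-assigning existing keys while
        iterating ``items()`` is safe because the dict's size does not
        change.
        """
        for key, value in result_dict.items():
            result_dict[key] = KiwiTCMSJsonRpcHandler._sanitize_value(value)

    @staticmethod
    def escape_list(result_list):
        """Sanitize the items of *result_list* in place, recursively."""
        for index, item in enumerate(result_list):
            result_list[index] = KiwiTCMSJsonRpcHandler._sanitize_value(item)

    def execute_procedure(self, name, args=None, kwargs=None):
        """Run the procedure and return its HTML-escaped result.

        Strings are escaped before being returned to the client, which
        may as well be the web UI; this prevents XSS on pages that
        display whatever is in the DB (e.g. tags, components). Nested
        dicts and lists are walked, so a string hidden several levels
        deep is escaped too.
        """
        result = super().execute_procedure(name, args, kwargs)
        return self._sanitize_value(result)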
46 | |||
47 | |||
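class KiwiTCMSXmlRpcHandler(XMLRPCHandler):
    """XML-RPC handler that converts ``timedelta`` results into seconds.

    Unlike the JSON-RPC handler no HTML escaping is performed here; the
    only transformation is ``timedelta`` -> ``total_seconds()``, applied
    at any nesting depth of dicts and lists. Dict keys and containers
    other than ``dict``/``list`` are passed through unchanged.
    """

    @staticmethod
    def _convert_value(value):
        """Return *value* with ``timedelta`` replaced by seconds.

        ``dict``/``list`` values are converted in place and returned as
        the same object; anything else is returned untouched.
        """
        if isinstance(value, timedelta):
            return value.total_seconds()
        # Recurse into containers so a timedelta nested inside a dict or
        # list (including a list inside a dict) is converted as well.
        if isinstance(value, dict):
            KiwiTCMSXmlRpcHandler.escape_dict(value)
        elif isinstance(value, list):
            KiwiTCMSXmlRpcHandler.escape_list(value)
        return value

    @staticmethod
    def escape_dict(result_dict):
        """Convert ``timedelta`` values of *result_dict* in place, recursively.

        Keys are left as they are; re-assigning existing keys during
        ``items()`` iteration does not change the dict's size.
        """
        for key, value in result_dict.items():
            result_dict[key] = KiwiTCMSXmlRpcHandler._convert_value(value)

    @staticmethod
    def escape_list(result_list):
        """Convert ``timedelta`` items of *result_list* in place, recursively."""
        for index, item in enumerate(result_list):
            result_list[index] = KiwiTCMSXmlRpcHandler._convert_value(item)

    def execute_procedure(self, name, args=None, kwargs=None):
        """Run the procedure and return its result with timedeltas as seconds.

        The conversion is applied to the top-level result and to every
        value reachable through nested dicts and lists.
        """
        result = super().execute_procedure(name, args, kwargs)
        return self._convert_value(result)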