From 44a666a79b3b29ed4f340600bfcf55113bfb7086 Mon Sep 17 00:00:00 2001
From: Darren
Date: Sat, 18 Nov 2023 11:32:12 -0500
Subject: [PATCH] fix: correct escaping of api responses

The API did not respond as intended. :D

Co-authored-by: Brian Ferri brian.ferri19@gmail.com>
---
 dpaste/views.py | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/dpaste/views.py b/dpaste/views.py
index 2e5fdff..123c12d 100644
--- a/dpaste/views.py
+++ b/dpaste/views.py
@@ -13,6 +13,7 @@ from django.http import (
 from django.shortcuts import get_object_or_404, render
 from django.urls import reverse
 from django.utils import timezone
+from django.utils.html import escape
 from django.utils.cache import add_never_cache_headers, patch_cache_control
 from django.utils.translation import gettext
 from django.views.generic import FormView
@@ -290,8 +291,7 @@ class APIView(View):
 # A lexer is given, check if its valid at all
 if lexer and lexer not in highlight.LEXER_KEYS:
 return HttpResponseBadRequest(
- 'Invalid lexer "%s" given. Valid lexers are: %s'
- % (lexer, ", ".join(highlight.LEXER_KEYS))
+ f'Invalid lexer choice "{escape(lexer)}" given. Valid lexer values are: {", ".join(highlight.LEXER_KEYS)}'
 )
 
 # No lexer is given, but we have a filename, try to get the lexer
@@ -308,9 +308,7 @@ class APIView(View):
 expire_options = [str(i) for i in dict(config.EXPIRE_CHOICES)]
 if expires not in expire_options:
 return HttpResponseBadRequest(
- 'Invalid expire choice "{}" given. Valid values are: {}'.format(
- expires, ", ".join(expire_options)
- )
+ f'Invalid expire choice "{escape(expires)}" given. Valid expire values are: {", ".join(expire_options)}'
 )
 expires, expire_type = get_expire_values(expires)
 else:
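Review bot: The new `+ f'Invalid lexer choice "{escape(lexer)}" ...'` line still hands `HttpResponseBadRequest` a body with no `content_type`, so unless one is configured elsewhere Django serves it as `text/html` — which is exactly why the old `%`-formatted message reflecting `lexer` verbatim was a reflected-XSS vector. `escape()` closes that hole, but an API client now receives HTML entities (`&lt;`, `&quot;`) in what is meant to be a plain-text error, and the safety depends on every future message remembering to escape. Declaring the type is the more robust fix and keeps the text readable: `return HttpResponseBadRequest(f'Invalid lexer choice "{lexer}" given. Valid lexer values are: {", ".join(highlight.LEXER_KEYS)}', content_type="text/plain; charset=utf-8")`, optionally keeping `escape()` as belt and braces. The joined `highlight.LEXER_KEYS` are server-side constants and need no escaping. The enclosing `APIView` method starts outside this hunk.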
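Review bot: The `+ f'Invalid expire choice "{escape(expires)}" ...'` line repeats the escape-then-format pattern of the lexer branch, so the "API errors are plain text and must not reflect raw input" rule now lives in each call site and is easy to miss when the next validation message is added. A one-line helper, e.g. `def _bad_request(msg): return HttpResponseBadRequest(msg, content_type="text/plain; charset=utf-8")`, would fix the content type once and let both branches simply pass their message (with or without `escape()`). Only the apparently user-supplied `expires` is escaped while `expire_options`, derived from `config.EXPIRE_CHOICES`, is not — that split is correct and worth a short comment such as `# expires comes from the request; never reflect it unescaped`. The enclosing method and `APIView` class begin outside this hunk.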
@@ -352,4 +350,4 @@ def handler500(request, template_name="dpaste/500.html"):
 context.update(config.extra_template_context)
 response = render(request, template_name, context, status=500)
 add_never_cache_headers(response)
- return response
+ return response
\ No newline at end of file