Fixed XSS bug, 'code' lexer syntax were not escaped properly.

This commit is contained in:
Martin Mahner 2014-08-01 20:56:58 +00:00
parent 9768ab9573
commit 497e5f0c28


@ -4,6 +4,7 @@ from pygments.formatters import HtmlFormatter
from django.conf import settings
from django.utils.translation import ugettext_lazy as _
from django.template.defaultfilters import escape
"""
# Get a list of all lexer, and then remove all lexer which have '-' or '+'
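Review bot: The added line `from django.template.defaultfilters import escape` imports `escape` from a module that does not define it: as far as I recall, `defaultfilters` only carries that name because it imports `django.utils.html.escape` for its own `force_escape` filter, so this works by an accident of that module's internals, while the template filter actually registered as `escape` in Django releases of this date (`escape_filter`) only marks the value for deferred escaping and would not protect the plain-code path in the second hunk if a later change picked it up instead. Import the eager escaper from its home module: `from django.utils.html import escape`. In the second hunk, where `escape(l)` is interpolated into the `<span class="nn">` markup, a short comment would record why this branch escapes by hand, e.g. `# Pygments' HtmlFormatter escapes the tokens it emits; the plain-code path bypasses it and must escape user text itself.` The body of `pygmentize` continues past the end of that hunk, so the highlighted branch is not visible here.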
@ -121,7 +122,7 @@ class NakedHtmlFormatter(HtmlFormatter):
def pygmentize(code_string, lexer_name=LEXER_DEFAULT):
# Plain code is noth hihglighted
if lexer_name == PLAIN_CODE:
return '\n'.join([u'<span class="nn">{}</span>'.format(l)
return '\n'.join([u'<span class="nn">{}</span>'.format(escape(l))
for l in code_string.splitlines()])
try: