Fixed XSS bug, 'code' lexer syntax were not escaped properly.

Martin Mahner 2014-08-01 20:56:58 +00:00
parent 9768ab9573
commit 497e5f0c28


@ -4,6 +4,7 @@ from pygments.formatters import HtmlFormatter
from django.conf import settings from django.conf import settings
from django.utils.translation import ugettext_lazy as _ from django.utils.translation import ugettext_lazy as _
from django.template.defaultfilters import escape
""" """
# Get a list of all lexer, and then remove all lexer which have '-' or '+' # Get a list of all lexer, and then remove all lexer which have '-' or '+'
@ -121,7 +122,7 @@ class NakedHtmlFormatter(HtmlFormatter):
def pygmentize(code_string, lexer_name=LEXER_DEFAULT): def pygmentize(code_string, lexer_name=LEXER_DEFAULT):
# Plain code is noth hihglighted # Plain code is noth hihglighted
if lexer_name == PLAIN_CODE: if lexer_name == PLAIN_CODE:
return '\n'.join([u'<span class="nn">{}</span>'.format(l) return '\n'.join([u'<span class="nn">{}</span>'.format(escape(l))
for l in code_string.splitlines()]) for l in code_string.splitlines()])
try: try:
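Review bot: The `escape` brought in on the added import line comes from `django.template.defaultfilters`, which is the template *filter*, and on the Django releases current at this commit's date (before 1.10) that filter, as far as I recall, only wraps the value with `mark_for_escaping` so the template engine escapes it at output time; when the wrapped value is then pushed through `str.format()` on the changed `return` line that marker is lost and the raw `<`, `>` and `&` from `code_string` would still end up inside the `<span>`, leaving the XSS this commit is meant to close. The function that escapes immediately, on every Django version, is the HTML helper, so the import should read `from django.utils.html import escape`; the `return` line itself then needs no further change. A regression test that runs `pygmentize('<script>', PLAIN_CODE)` and asserts `&lt;script&gt;` appears in the output would pin this down. The body of `pygmentize` continues past the end of the hunk, so the highlighted-lexer branch and its own escaping are not reviewed here.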