Fixed XSS bug: output of the plain 'code' lexer was not escaped properly.
This commit is contained in:
parent
9768ab9573
commit
497e5f0c28
1 changed files with 2 additions and 1 deletions
@ -4,6 +4,7 @@ from pygments.formatters import HtmlFormatter
from django.conf import settings
from django.conf import settings
from django.utils.translation import ugettext_lazy as _
from django.utils.translation import ugettext_lazy as _
from django.template.defaultfilters import escape
"""
"""
# Get a list of all lexer, and then remove all lexer which have '-' or '+'
# Get a list of all lexer, and then remove all lexer which have '-' or '+'
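Review bot: The new import takes `escape` from `django.template.defaultfilters`, which appears to only re-export that name from `django.utils.html` rather than define it; the thing registered under the filter name "escape" in that module is a different function, so this import works by an incidental re-export. Importing the canonical helper directly, `from django.utils.html import escape`, states the dependency explicitly and does not rely on what `defaultfilters` happens to import. The module's import block is only partially visible in this hunk, so check that the name does not already exist under another alias there.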
@ -121,7 +122,7 @@ class NakedHtmlFormatter(HtmlFormatter):
def pygmentize(code_string, lexer_name=LEXER_DEFAULT):
def pygmentize(code_string, lexer_name=LEXER_DEFAULT):
# Plain code is noth hihglighted
# Plain code is noth hihglighted
if lexer_name == PLAIN_CODE:
if lexer_name == PLAIN_CODE:
return '\n'.join([u'<span class="nn">{}</span>'.format(l)
return '\n'.join([u'<span class="nn">{}</span>'.format(escape(l))
for l in code_string.splitlines()])
for l in code_string.splitlines()])
try:
try:
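Review bot: The added `escape(l)` only covers the `PLAIN_CODE` branch, and the commit ships no regression test pinning the fix; a one-liner such as `assert '&lt;script&gt;' in pygmentize('<script>alert(1)</script>', PLAIN_CODE)` would keep this XSS from silently returning. The other branch begins at the `try:` on the hunk's last line and continues outside it, so whether the Pygments/`NakedHtmlFormatter` path escapes its input cannot be confirmed from here and deserves a look in the same review. The comment `# Plain code is noth hihglighted` carries two typos; `# Plain code is not highlighted` reads cleanly.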