mirror of
https://github.com/DarrenOfficial/dpaste.git
synced 2024-11-15 16:12:51 +11:00
Fixed XSS bug, 'code' lexer syntax were not escaped properly.
This commit is contained in:
parent
9768ab9573
commit
497e5f0c28
1 changed files with 2 additions and 1 deletions
|
@ -4,6 +4,7 @@ from pygments.formatters import HtmlFormatter
|
|||
|
||||
from django.conf import settings
|
||||
from django.utils.translation import ugettext_lazy as _
|
||||
from django.template.defaultfilters import escape
|
||||
|
||||
"""
|
||||
# Get a list of all lexer, and then remove all lexer which have '-' or '+'
|
||||
|
@ -121,7 +122,7 @@ class NakedHtmlFormatter(HtmlFormatter):
|
|||
def pygmentize(code_string, lexer_name=LEXER_DEFAULT):
|
||||
# Plain code is noth hihglighted
|
||||
if lexer_name == PLAIN_CODE:
|
||||
return '\n'.join([u'<span class="nn">{}</span>'.format(l)
|
||||
return '\n'.join([u'<span class="nn">{}</span>'.format(escape(l))
|
||||
for l in code_string.splitlines()])
|
||||
|
||||
try:
|
||||
|
|
Loading…
Reference in a new issue