API Escape (#241)

* chore: add pycaches to gitignore

* fix: correct escaping of api responses

The API error responses did not escape the reflected request value as intended. :D
Co-authored-by: <Brian Ferri brian.ferri19@gmail.com>
Darren Nathanael 2023-11-18 10:34:59 -06:00 committed by GitHub
parent 288e9236d0
commit ef1a5da22a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 5 additions and 6 deletions

.gitignore vendored

@ -6,3 +6,4 @@ dpaste/static/
dpaste.egg-info dpaste.egg-info
dpaste.sqlite dpaste.sqlite
node_modules node_modules
**/__pycache__/


@ -13,6 +13,7 @@ from django.http import (
from django.shortcuts import get_object_or_404, render from django.shortcuts import get_object_or_404, render
from django.urls import reverse from django.urls import reverse
from django.utils import timezone from django.utils import timezone
from django.utils.html import escape
from django.utils.cache import add_never_cache_headers, patch_cache_control from django.utils.cache import add_never_cache_headers, patch_cache_control
from django.utils.translation import gettext from django.utils.translation import gettext
from django.views.generic import FormView from django.views.generic import FormView
@ -290,8 +291,7 @@ class APIView(View):
# A lexer is given, check if its valid at all # A lexer is given, check if its valid at all
if lexer and lexer not in highlight.LEXER_KEYS: if lexer and lexer not in highlight.LEXER_KEYS:
return HttpResponseBadRequest( return HttpResponseBadRequest(
'Invalid lexer "%s" given. Valid lexers are: %s' f'Invalid lexer choice "{escape(lexer)}" given. Valid lexer values are: {", ".join(highlight.LEXER_KEYS)}'
% (lexer, ", ".join(highlight.LEXER_KEYS))
) )
# No lexer is given, but we have a filename, try to get the lexer # No lexer is given, but we have a filename, try to get the lexer
@ -308,9 +308,7 @@ class APIView(View):
expire_options = [str(i) for i in dict(config.EXPIRE_CHOICES)] expire_options = [str(i) for i in dict(config.EXPIRE_CHOICES)]
if expires not in expire_options: if expires not in expire_options:
return HttpResponseBadRequest( return HttpResponseBadRequest(
'Invalid expire choice "{}" given. Valid values are: {}'.format( f'Invalid expire choice "{escape(expires)}" given. Valid expire values are: {", ".join(expire_options)}'
expires, ", ".join(expire_options)
)
) )
expires, expire_type = get_expire_values(expires) expires, expire_type = get_expire_values(expires)
else: else:
@ -352,4 +350,4 @@ def handler500(request, template_name="dpaste/500.html"):
context.update(config.extra_template_context) context.update(config.extra_template_context)
response = render(request, template_name, context, status=500) response = render(request, template_name, context, status=500)
add_never_cache_headers(response) add_never_cache_headers(response)
return response return response
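Review bot: Escaping the reflected `lexer` and `expires` values closes the HTML-injection hole, but the two `HttpResponseBadRequest` returns are still served with Django's default `text/html` content type, so `escape()` is the only thing standing between a crafted request and script execution in the error page. For an API error body that is never meant to be rendered, sending it as plain text removes the HTML context entirely: add `content_type="text/plain"` to each of the two `HttpResponseBadRequest(...)` calls and keep `escape()` as defence in depth. The joined `highlight.LEXER_KEYS` and `expire_options` lists are server-controlled, so leaving them unescaped is fine. The enclosing `APIView` method starts before the first hunk and continues past the last one, so any other reflected request values in it are outside this review.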