summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorCalum Lind <calumlind@gmail.com>2018-02-04 21:42:00 +0000
committerCalum Lind <calumlind@gmail.com>2018-02-04 21:42:16 +0000
commita2fcebe15c8d9e238a827896c2d6b91a1274a042 (patch)
tree1e797ca2e74f15f292807343d765342a74c63c32
parentb8e5ebe8220c8365e186127e381a2d2dbaf9e460 (diff)
downloaddeluge-a2fcebe15c8d9e238a827896c2d6b91a1274a042.tar.gz
deluge-a2fcebe15c8d9e238a827896c2d6b91a1274a042.tar.bz2
deluge-a2fcebe15c8d9e238a827896c2d6b91a1274a042.zip
[WebUI] Encode HTML entitiies
Ensure that torrent keys that could contain HTML entities are encoded when displayed in webui.
-rw-r--r--deluge/ui/web/json_api.py27
1 files changed, 25 insertions, 2 deletions
diff --git a/deluge/ui/web/json_api.py b/deluge/ui/web/json_api.py
index 28e177df4..1a2bfa266 100644
--- a/deluge/ui/web/json_api.py
+++ b/deluge/ui/web/json_api.py
@@ -35,6 +35,7 @@
from __future__ import with_statement
+import cgi
import os
import time
import base64
@@ -439,6 +440,13 @@ class WebApi(JSONComponent):
the web interface. The complete web json interface also exposes all the
methods available from the core RPC.
"""
+ XSS_VULN_KEYS = [
+ 'name',
+ 'message',
+ 'comment',
+ 'tracker_status',
+ 'peers'
+ ]
def __init__(self):
super(WebApi, self).__init__("Web", depend=["SessionProxy"])
@@ -594,7 +602,7 @@ class WebApi(JSONComponent):
paths = []
info = {}
for index, torrent_file in enumerate(files):
- path = torrent_file["path"]
+ path = cgi.escape(torrent_file["path"])
paths.append(path)
torrent_file["progress"] = file_progress[index]
torrent_file["priority"] = file_priorities[index]
@@ -631,9 +639,24 @@ class WebApi(JSONComponent):
file_tree.walk(walk)
d.callback(file_tree.get_tree())
+ def _on_torrent_status(self, torrent, d):
+ for key in self.XSS_VULN_KEYS:
+ try:
+ if key == 'peers':
+ for peer in torrent[key]:
+ peer['client'] = cgi.escape(peer['client'])
+ else:
+ torrent[key] = cgi.escape(torrent[key])
+ except KeyError:
+ pass
+ d.callback(torrent)
+
@export
def get_torrent_status(self, torrent_id, keys):
- return component.get("SessionProxy").get_torrent_status(torrent_id, keys)
+ main_deferred = Deferred()
+ d = component.get("SessionProxy").get_torrent_status(torrent_id, keys)
+ d.addCallback(self._on_torrent_status, main_deferred)
+ return main_deferred
@export
def get_torrent_files(self, torrent_id):