[Pkg-privacy-commits] [onionshare] 16/256: Replaced sanitize_html() function that was based on regex with python3's html.escape()

Ulrike Uhlig ulrike at moszumanska.debian.org
Fri May 26 12:53:03 UTC 2017


This is an automated email from the git hooks/post-receive script.

ulrike pushed a commit to branch master
in repository onionshare.

commit cff11cd7e48fe4e94ef484ba1f1095362330452d
Author: Micah Lee <micah at micahflee.com>
Date:   Wed Dec 21 22:56:15 2016 -0800

    Replaced sanitize_html() function that was based on regex with python3's html.escape()
---
 onionshare/web.py | 16 ++--------------
 1 file changed, 2 insertions(+), 14 deletions(-)

diff --git a/onionshare/web.py b/onionshare/web.py
index 32deaa9..170775e 100644
--- a/onionshare/web.py
+++ b/onionshare/web.py
@@ -17,7 +17,7 @@ GNU General Public License for more details.
 You should have received a copy of the GNU General Public License
 along with this program.  If not, see <http://www.gnu.org/licenses/>.
 """
-import queue, mimetypes, platform, os, sys, socket, logging, re
+import queue, mimetypes, platform, os, sys, socket, logging, html
 from urllib.request import urlopen
 from flask import Flask, Response, request, render_template_string, abort
 
@@ -30,18 +30,6 @@ file_info = []
 zip_filename = None
 zip_filesize = None
 
-def sanitize_html(basename):
-    """
-    Takes a string, called basename, and removes any HTML that could be in the
-    string. If the resulting string is empty, return the string 'file', which
-    is not ideal, but better than embedded HTML that could run JS.
-    """
-    html_regex = re.compile('<.*?>')
-    sanitized_name = re.sub(html_regex , '', basename)
-    if sanitized_name == '':
-        sanitized_name = 'file'
-    return sanitized_name
-
 def set_file_info(filenames):
     """
     Using the list of filenames being shared, fill in details that the web
@@ -54,7 +42,7 @@ def set_file_info(filenames):
     file_info = {'files': [], 'dirs': []}
     for filename in filenames:
         # strips trailing '/' and sanitizes filename
-        basename = sanitize_html(os.path.basename(filename.rstrip('/')))
+        basename = html.escape(os.path.basename(filename.rstrip('/')))
         info = {
             'filename': filename,
             'basename': basename
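Review bot: Escaping the basename here, at collection time, stores an HTML-encoded string in `file_info` instead of the real name, so the value is only correct where it is written into HTML exactly once. If the template that renders it autoescapes (Flask enables autoescaping for `render_template_string` by default; the template is not in this diff), a name containing `&` or `<` would be escaped twice and displayed as `&amp;amp;`-style text, and any non-HTML use of `basename` would carry entities. I would keep the raw value, `basename = os.path.basename(filename.rstrip('/'))`, and escape at the point of output, or else confirm the template treats the value as already safe. The comment above should then state what is done, e.g. `# strips trailing '/'; basename is HTML-escaped when rendered`. The removed helper also fell back to `'file'` for an empty result, which this line no longer does; set_file_info continues beyond the hunk, so whether an empty basename matters downstream is not visible here.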

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-privacy/packages/onionshare.git


