fix(security): fix ssti, xss
This commit is contained in:
parent
b7f9dfdbe6
commit
6f018c97d4
47
app.py
47
app.py
|
@ -1,54 +1,75 @@
|
|||
from flask import Flask, render_template, request, redirect, url_for, make_response, Markup
|
||||
from flask import Flask, render_template, request, redirect, url_for, \
|
||||
make_response, Markup
|
||||
from enum import Enum
|
||||
from bs4 import BeautifulSoup
|
||||
|
||||
app = Flask('ui', static_url_path="/static")
|
||||
app.config['TEMPLATES_AUTO_RELOAD'] = True
|
||||
|
||||
|
||||
class Status(Enum):
|
||||
ERREUR_LIEN = "Le lien doit être en http ou https !",
|
||||
ERREUR_LIEN = "Le lien doit être en http ou https !"
|
||||
BON = "Lien ajouté !"
|
||||
|
||||
|
||||
def ecritureFichierHtml(nouvLien, cheminFichier):
|
||||
with open(cheminFichier, 'r') as file:
|
||||
with open(cheminFichier, 'r+') as file:
|
||||
soup = BeautifulSoup(file, 'html.parser')
|
||||
soup.find("hr").insert_after("", nouvLien)
|
||||
with open(cheminFichier, 'w') as file:
|
||||
soup.find("div", {'id': 'liens'}).append(nouvLien)
|
||||
file.seek(0)
|
||||
file.write(soup.prettify())
|
||||
|
||||
|
||||
@app.route('/')
|
||||
def slash():
|
||||
response = make_response(render_template("index.html"))
|
||||
response.headers["Content-Security-Policy"] = "default-src 'self'"
|
||||
return response
|
||||
|
||||
|
||||
@app.route("/ajout")
|
||||
def ajout():
|
||||
return render_template("ajout.html")
|
||||
|
||||
|
||||
@app.route("/apropos")
|
||||
def apropos():
|
||||
return render_template("apropos.html")
|
||||
|
||||
|
||||
@app.route("/bizutage", methods=["GET"])
|
||||
def bizutage_redirect():
|
||||
return redirect('/')
|
||||
|
||||
|
||||
@app.route("/bizutage", methods=["POST"])
|
||||
def bizutage():
|
||||
if request.method == "POST":
|
||||
lien = request.values['lien']
|
||||
lien = request.values['lien'].lower()
|
||||
if not (lien.startswith("http") or lien.startswith("https")):
|
||||
return render_template("ajout.html", erreur=Status.ERREUR_LIEN.value)
|
||||
return render_template(
|
||||
"ajout.html",
|
||||
erreur=Status.ERREUR_LIEN.value
|
||||
)
|
||||
|
||||
titre = Markup.escape(request.values['titre'])
|
||||
desc = Markup.escape(request.values['desc'])
|
||||
nouvLien = "<div class=\"elem\"><h2>{}</h2><p><a href=\"{}\">Lien</a></p><hr><p>{}</p>".format(titre, lien, desc)
|
||||
nouvLienHtml = BeautifulSoup(nouvLien, "html.parser")
|
||||
nouvLienHtmlJinja = BeautifulSoup("{% raw %}" + nouvLien + "{% endraw %}", "html.parser")
|
||||
|
||||
ecritureFichierHtml(nouvLienHtmlJinja, "templates/index.html")
|
||||
ecritureFichierHtml(nouvLienHtml, "lite/index.html")
|
||||
nouvLien = f"""
|
||||
<div class="elem">
|
||||
<h2>{titre}</h2>
|
||||
<p><a href="{lien}">Lien</a></p>
|
||||
<hr>
|
||||
<p>{desc}</p>
|
||||
</div>"""
|
||||
nouvLienHtml = BeautifulSoup(nouvLien, "html.parser") \
|
||||
.find("div", {"class": "elem"})
|
||||
ecritureFichierHtml(nouvLienHtml, "templates/index.html")
|
||||
|
||||
else:
|
||||
print("error")
|
||||
return render_template("ajout.html", reussi=Status.BON.value)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
app.run()
|
||||
app.run(debug=True)
|
||||
|
|
|
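Review bot: User-submitted text still ends up inside a Jinja template (`ecritureFichierHtml` appends it to `div#liens` in `templates/index.html`), and `Markup.escape` on `titre`/`desc` neutralises HTML metacharacters only, not Jinja delimiters, so the `{% raw %}` block the template now relies on is only as strong as the absence of an end-delimiter in stored text; the durable fix is to persist links as data (a JSON file, say) and render them through autoescaped template variables instead of rewriting the template on disk. `lien` is interpolated into `href="{lien}"` with no escaping at all, `startswith("http")` is a prefix test (the `"https"` branch is redundant), and `.lower()` rewrites the case-sensitive path of the URL; keep the original value, validate with `if urlsplit(lien).scheme.lower() not in ("http", "https"):` (needs `from urllib.parse import urlsplit`) and write `<p><a href="{Markup.escape(lien)}">Lien</a></p>`. `app.run(debug=True)` enables the Werkzeug interactive debugger and should not ship in a security fix — revert to `app.run()`. The `if request.method == "POST"` test and its `else` branch are dead now that the route is restricted to POST.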
@ -1,24 +1,37 @@
|
|||
<!DOCTYPE html>
|
||||
<html lang="fr">
|
||||
<head>
|
||||
<meta charset="UTF-8">
|
||||
<link rel="stylesheet" href="/static/styles/index.css">
|
||||
<link rel="stylesheet" href="/static/styles/base.css">
|
||||
<title>Partage de liens</title>
|
||||
<meta charset="utf-8"/>
|
||||
<link href="/static/styles/index.css" rel="stylesheet"/>
|
||||
<link href="/static/styles/base.css" rel="stylesheet"/>
|
||||
<title>
|
||||
Partage de liens
|
||||
</title>
|
||||
</head>
|
||||
<body>
|
||||
<div id="menu">
|
||||
<div id="menu">
|
||||
<h1>Liens</h1>
|
||||
<header>
|
||||
<a href="ajout">Ajout</a>
|
||||
<a href="apropos">A propos</a>
|
||||
</header>
|
||||
</div>
|
||||
<hr>
|
||||
|
||||
<footer>
|
||||
<hr>
|
||||
<header>
|
||||
<a href="ajout">
|
||||
Ajout
|
||||
</a>
|
||||
<a href="apropos">
|
||||
A propos
|
||||
</a>
|
||||
</header>
|
||||
</div>
|
||||
|
||||
<hr/>
|
||||
|
||||
{% raw %}
|
||||
<div id="liens"></div>
|
||||
{% endraw %}
|
||||
|
||||
<hr/>
|
||||
|
||||
<footer>
|
||||
Version Alpha
|
||||
</footer>
|
||||
</footer>
|
||||
</body>
|
||||
</html>
|
||||
|
|
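Review bot: The `{% raw %}` / `{% endraw %}` pair around `<div id="liens"></div>` is the entire SSTI mitigation and nothing in the file says so, so a later tidy-up could drop it; add a Jinja comment just before it, `{# links posted via /bizutage are appended inside this raw block by ecritureFichierHtml; keep raw so stored text is never evaluated as a template #}`. The hunk's reformatting looks like `soup.prettify()` output, which suggests this file is regenerated on every submission, so any hand edit (including that comment) has to survive a BeautifulSoup round-trip — confirm that before relying on it.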