From b7f9dfdbe6123d8e270267b410fbad9ab567a0dd Mon Sep 17 00:00:00 2001
From: Rick <rick@gnous.eu>
Date: Sun, 27 Sep 2020 22:10:29 +0200
Subject: [PATCH] =?UTF-8?q?Patch=20de=20toutes=20les=20failles=20de=20la?=
 =?UTF-8?q?=20premi=C3=A8re=20issue,=20close=20#1?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Rick <rick@gnous.eu>
---
 app.py | 43 ++++++++++++++++++++++---------------------
 1 file changed, 22 insertions(+), 21 deletions(-)

diff --git a/app.py b/app.py
index 2c49026..a60e6d7 100644
--- a/app.py
+++ b/app.py
@@ -1,10 +1,21 @@
-from flask import Flask, render_template, request, redirect, url_for, make_response
-from os import path
+from flask import Flask, render_template, request, redirect, url_for, make_response, Markup
+from enum import Enum
 from bs4 import BeautifulSoup
 
 app = Flask('ui', static_url_path="/static")
 app.config['TEMPLATES_AUTO_RELOAD'] = True
 
+class Status(Enum):
+    ERREUR_LIEN = "Le lien doit être en http ou https !",
+    BON = "Lien ajouté !"
+
+def ecritureFichierHtml(nouvLien, cheminFichier):
+    with open(cheminFichier, 'r') as file:
+        soup = BeautifulSoup(file, 'html.parser')
+        soup.find("hr").insert_after("", nouvLien)
+    with open(cheminFichier, 'w') as file:
+        file.write(soup.prettify())
+
 @app.route('/')
 def slash():
     response = make_response(render_template("index.html"))
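Review bot: The trailing comma after the `ERREUR_LIEN` string turns the member's value into a one-element tuple, so `Status.ERREUR_LIEN.value` passed to ajout.html renders as a tuple repr rather than the message; drop the comma: `ERREUR_LIEN = "Le lien doit être en http ou https !"`. `ecritureFichierHtml` also has no docstring and assumes `soup.find("hr")` finds a marker — if it returns None the `.insert_after` call raises AttributeError; a one-line docstring such as `"""Insert nouvLien after the first <hr> of cheminFichier and rewrite the file."""` plus an explicit check for the missing marker would make the contract clear. The read-then-write on the same path is not atomic and no locking is visible, so two overlapping POSTs could presumably lose an entry — worth a NOTE in the docstring if that is accepted.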
@@ -22,32 +33,22 @@ def apropos():
 @app.route("/bizutage", methods=["POST"])
 def bizutage():
     if request.method == "POST":
-        titre = request.values['titre'] 
         lien = request.values['lien'] 
-        desc = request.values['desc'] 
+        if not (lien.startswith("http") or lien.startswith("https")):
+            return render_template("ajout.html", erreur=Status.ERREUR_LIEN.value)
+
+        titre = Markup.escape(request.values['titre'])
+        desc = Markup.escape(request.values['desc'])
         nouvLien = "<div class=\"elem\"><h2>{}</h2><p><a href=\"{}\">Lien</a></p><hr><p>{}</p>".format(titre, lien, desc)
         nouvLienHtml = BeautifulSoup(nouvLien, "html.parser")
+        nouvLienHtmlJinja = BeautifulSoup("{% raw %}" + nouvLien + "{% endraw %}", "html.parser")
 
-        if nouvLienHtml.find("script") != None:
-            erreur = "Vous ne pouvez pas charger de balises script !"
-            return render_template("ajout.html", erreur=erreur)
+        ecritureFichierHtml(nouvLienHtmlJinja, "templates/index.html")
+        ecritureFichierHtml(nouvLienHtml, "lite/index.html")
 
-        with open("templates/index.html", 'r') as file:
-            soup = BeautifulSoup(file, 'html.parser')
-            soup.find("hr").insert_after("", nouvLienHtml)
-        with open("templates/index.html", 'w') as file:
-            file.write(soup.prettify())
-
-        with open("lite/index.html", 'r') as file:
-            soup = BeautifulSoup(file, 'html.parser')
-            soup.find("hr").insert_after("", nouvLienHtml)
-        with open("lite/index.html", 'w') as file:
-            file.write(soup.prettify())
-
-        reussite = "Lien ajouté !"
     else:
         print("error")
-    return render_template("ajout.html", reussi=reussite)
+    return render_template("ajout.html", reussi=Status.BON.value)
 
 if __name__ == "__main__":
     app.run()
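Review bot: `lien` is the only user-supplied value formatted into `nouvLien` without `Markup.escape`, and the scheme check only inspects the string prefix, so characters that terminate the `href` attribute pass unchanged into both index.html files; escape it after the check, `lien = Markup.escape(lien)`, and replace the prefix test with `urlsplit(lien).scheme in ("http", "https")` (`from urllib.parse import urlsplit`), since `startswith("https")` is already implied by `startswith("http")` and neither requires a real URL. Separately, `Markup.escape` neutralizes HTML metacharacters only, not Jinja delimiters, so wrapping user content in `{% raw %}` when writing it into templates/index.html is not a reliable boundary; rendering the entries from a stored data file inside an autoescaped loop in the template would avoid writing user input into template source at all. The `else` branch still falls through to `reussi=Status.BON.value`, so a non-POST request would be reported as a success; returning an error there (or dropping the unreachable branch, given `methods=["POST"]`) would be clearer.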