[cpif] r196 - trunk/frontend-web

svn at argo.es svn at argo.es
Fri Jun 29 01:33:13 CEST 2007


Author: alvaro
Date: Fri Jun 29 01:33:12 2007
New Revision: 196

Log:
Mejoras en seguridad.

Más tests.


Modified:
   trunk/frontend-web/parser_bbcode.py

Modified: trunk/frontend-web/parser_bbcode.py
==============================================================================
--- trunk/frontend-web/parser_bbcode.py	(original)
+++ trunk/frontend-web/parser_bbcode.py	Fri Jun 29 01:33:12 2007
@@ -29,6 +29,12 @@
     "img": ('<img src="%(arg)s" />', None, True)
 }
 
+def escape(text):
+  entities = {'"': '&quot;', "'": "&apos;"}
+  import xml.sax.saxutils
+  return xml.sax.saxutils.escape(text, entities)
+
+
 class BBCodeParser:
   """A BBCode to HTML parser"""
 
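Review bot: The `&apos;` entity chosen for the single quote on L29 is not part of HTML 4, so a page served as text/html may show it literally in older engines, whereas the numeric reference is decoded everywhere: `entities = {'"': '&quot;', "'": "&#39;"}`. The function-scope `import xml.sax.saxutils` on L30 re-runs the import lookup on every call; the file's top-level import block is the conventional place for it. A one-line docstring would state the contract the callers below depend on, e.g. `"""Return text with &, <, >, " and ' encoded so it is safe inside HTML text and quoted attribute values."""`.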
@@ -69,7 +75,7 @@
     aux = allowed_tags[tag[0]]
     if not tag[1]:
       aux = allowed_tags.get(tag[0] + "*", aux) # Permitimos tag* que no lleva argumentos y puede ser distinto
-    return aux[0] % {"arg": tag[1].strip('"') if tag[1] else '' }
+    return aux[0] % {"arg": escape(tag[1].strip('"')) if tag[1] else '' }
 
   def _tag_closes(self, tag):
     """Returns true if the tags needs to be closed"""
@@ -95,17 +101,12 @@
         self._stack = []
         sgmllib.SGMLParser.reset(self)
 
-      def escape(self, text):
-        entities = {'"': '&quot;', "'": "&apos;"}
-        import xml.sax.saxutils
-        return xml.sax.saxutils.escape(text, entities)
-
       def do_img(self, attrs):
         if not attrs: raise sgmllib.SGMLParseError, "Error, argumentos para <img> no validos"
         attrs_list = []
         for a, v in attrs:
           if a in allowed_html["img"] and v:
-            attrs_list.append(' %s="%s"' % (a, self.escape(v)))
+            attrs_list.append(' %s="%s"' % (a, escape(v)))
           else:
             raise sgmllib.SGMLParseError, "Error, argumentos para <img> no validos"
         strattrs = "".join(attrs_list)
@@ -125,7 +126,7 @@
           attrs_list = []
           for a, v in attrs:
             if a in allowed_html[tag] and v:
-              attrs_list.append(' %s="%s"' % (a, self.escape(v)))
+              attrs_list.append(' %s="%s"' % (a, escape(v)))
             else:
               raise sgmllib.SGMLParseError, "Error, argumentos para <%s> no validos" % tag
           strattrs = "".join(attrs_list)
@@ -133,7 +134,7 @@
           self._stack.append(tag)
         else:
           strattrs = "".join([' %s="%s"' % (key, value) for key, value in attrs])
-          self.text.append(self.escape("<%(tag)s%(strattrs)s>" % locals()))
+          self.text.append(escape("<%(tag)s%(strattrs)s>" % locals()))
 
       def unknown_endtag(self, tag):         
         if tag in allowed_html.keys():
@@ -143,7 +144,7 @@
           else:
             raise sgmllib.SGMLParseError, "Error, tag <%s> sin abrir" % tag
         else:
-          self.text.append(self.escape("</%(tag)s>" % locals()))
+          self.text.append(escape("</%(tag)s>" % locals()))
 
       def handle_charref(self, ref):         
         self.text.append("&amp;#%(ref)s;" % locals())
@@ -180,6 +181,7 @@
     while self._tags:
       tag = self._tags.pop(0)
       tag = tag.split("=", 1)
+      tag[0] = tag[0].strip()
       if tag[0].startswith("/") and tag[0][1:] in allowed_tags.keys() and stack:
         if tag[0][1:] == stack[-1]:
           self._parsed.append(self._close_tag_to_html(stack.pop(-1)))
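Review bot: Only `tag[0]` is normalised on L96; when the split produced an argument, `tag[1]` keeps any surrounding whitespace, so `[url= x ]` would yield `href=" x "` while the new tests (L104-L110, L125) only cover whitespace around the name and before `=`. If that is intended, a comment makes it deliberate: `# normalise only the tag name; the argument is kept verbatim`. Otherwise a matching `tag[1] = tag[1].strip()` guarded by `len(tag) > 1` would make both sides consistent. The `while` loop and its method begin above the hunk.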
@@ -228,6 +230,15 @@
 import unittest
 class TestBBCode(unittest.TestCase):
   correct_bbcode = (
+      ('[ b]hola[/b]', '<strong>hola</strong>'),
+      ('[b ]hola[/b]', '<strong>hola</strong>'),
+      ('[ b ]hola[/b]', '<strong>hola</strong>'),
+
+      ('[b]hola[ /b]', '<strong>hola</strong>'),
+      ('[b]hola[/b ]', '<strong>hola</strong>'),
+      ('[b]hola[ /b ]', '<strong>hola</strong>'),
+
+
       ('[b]hola[/b]', '<strong>hola</strong>'),
       ('antes [b]hola[/b]', 'antes <strong>hola</strong>'),
       ('[b]hola[/b] despues', '<strong>hola</strong> despues'),
@@ -243,9 +254,11 @@
       ('[url="la direccion"]el texto[/url] despues', '<a href="la direccion">el texto</a> despues'),
       ('antes [url="la direccion"]el texto[/url] despues', 'antes <a href="la direccion">el texto</a> despues'),
 
+      ('[url="la direccion"]el texto[/url]', '<a href="la direccion">el texto</a>'),
+
       ('[url=la direccion]el texto[/url]', '<a href="la direccion">el texto</a>'),
       ('antes [url=la direccion]el texto[/url]', 'antes <a href="la direccion">el texto</a>'),
-      ('[url=la direccion]el texto[/url] despues', '<a href="la direccion">el texto</a> despues'),
+      ('[url =la direccion]el texto[/url] despues', '<a href="la direccion">el texto</a> despues'),
       ('antes [url=la direccion]el texto[/url] despues', 'antes <a href="la direccion">el texto</a> despues'),
 
       ('[quote=paco]Hola[/quote]', '<blockquote><h4>paco escribi&oacute;:</h4>Hola</blockquote>'),
@@ -301,6 +314,9 @@
 
   incorrect_bbcode = (
       '[i]bla bla bla [b]hola[/n][/i]',
+      '[b]Ay[/ b ]',
+      '[b]Ay[ / b ]',
+      '[b]Ay[/]',
       '[b]Ay, se me ha olvidado cerrar',
       '[url][/url]',
       '[b][/url]hola[/url]',
@@ -309,6 +325,8 @@
        [/b] e incluso [url="laurl"]enlaces [/b]con negritas[/b] dentro[/url]""")
 
   xss = (
+      """[url="hola'"]adios[/url]""",
+      """[url="hola''"'"'"]adios[/url]""",
       """'';!--"<XSS>=&{()}""",
       """<?pi ?>""",
       """<?php ?>""",


