v3.4.4.5

XSS protect
2019-07-16 14:42:45 +03:00 · 2019-07-16 14:42:45 +03:00 · ba79e7301c
parent c83eb3989a
commit ba79e7301c
4 changed files with 8 additions and 6 deletions
--- a/app/config.py
+++ b/app/config.py
@ -5,7 +5,7 @@ import http.cookies
 import funct
 import sql
 from jinja2 import Environment, FileSystemLoader
-env = Environment(loader=FileSystemLoader('templates/'))
+env = Environment(loader=FileSystemLoader('templates/'), autoescape=True)
 template = env.get_template('config.html')
 print('Content-type: text/html\n')
--- a/app/funct.py
+++ b/app/funct.py
@ -137,7 +137,7 @@ def page_for_admin(**kwargs):
 	give_level = 1
 	give_level = kwargs.get("level")
-	if not is_admin(level = give_level):
+	if not is_admin(level=give_level):
 		print('<center><h3 style="color: red">How did you get here?! O_o You do not have need permissions</h>')
 		print('<meta http-equiv="refresh" content="5; url=/">')
 		import sys
--- a/app/options.py
+++ b/app/options.py
@ -295,7 +295,7 @@ if form.getvalue('servaction') is not None:
 if act == "showCompareConfigs":
 	import glob
 	from jinja2 import Environment, FileSystemLoader
-	env = Environment(loader=FileSystemLoader('templates/ajax'))
+	env = Environment(loader=FileSystemLoader('templates/ajax'), autoescape=True)
 	template = env.get_template('/show_compare_configs.html')
 	left = form.getvalue('left')
 	right = form.getvalue('right')
@ -309,7 +309,7 @@ if serv is not None and form.getvalue('right') is not None:
 	right = form.getvalue('right')
 	hap_configs_dir = funct.get_config_var('configs', 'haproxy_save_configs_dir')
 	cmd='diff -ub %s%s %s%s' % (hap_configs_dir, left, hap_configs_dir, right)	
-	env = Environment(loader=FileSystemLoader('templates/ajax'),extensions=['jinja2.ext.loopcontrols', "jinja2.ext.do"])
+	env = Environment(loader=FileSystemLoader('templates/ajax'), autoescape=True, extensions=['jinja2.ext.loopcontrols', "jinja2.ext.do"])
 	template = env.get_template('compare.html')
 	output, stderr = funct.subprocess_execute(cmd)
@ -329,11 +329,13 @@ if serv is not None and act == "configShow":
 	try:
 		conf = open(cfg, "r")
 		#conf = conf.read()
 		#conf = funct.escape_html(conf)
 	except IOError:
 		print('<div class="alert alert-danger">Can\'t read import config file</div>')
 	from jinja2 import Environment, FileSystemLoader
-	env = Environment(loader=FileSystemLoader('templates/ajax'),extensions=['jinja2.ext.loopcontrols'])
+	env = Environment(loader=FileSystemLoader('templates/ajax'), autoescape=True, extensions=['jinja2.ext.loopcontrols'])
 	template = env.get_template('config_show.html')
 	template = template.render(conf=conf, view=form.getvalue('view'), serv=serv, configver=form.getvalue('configver'), role=funct.is_admin(level=2))											
--- a/app/templates/base.html
+++ b/app/templates/base.html
@ -115,7 +115,7 @@
 					</ul>
 				</nav>
 				<div class="copyright-menu">
-					<a href="https://github.com/aidaho12/haproxy-wi/" title="Github repo" target="_blank" style="color: #fff">HAproxy-WI v3.4.4.4</a>
+					<a href="https://github.com/aidaho12/haproxy-wi/" title="Github repo" target="_blank" style="color: #fff">HAproxy-WI v3.4.4.5</a>
 					<br>
 					<a href="https://www.patreon.com/haproxy_wi" title="Donate" target="_blank" style="color: #fff; margin-left: 30px; color: red;" class="patreon">  Patreon</a>
 				</div>