From a02831687a6026b2baa0f971ecb3e594c3f415e2 Mon Sep 17 00:00:00 2001
From: tilly-Q
Date: Thu, 12 Sep 2013 18:16:25 -0400
Subject: [PATCH] In this next small update, I made a few changes to protect against XXS attacks in the moderation panel.

---
 mediagoblin/moderation/tools.py | 51 +++++++++----------
 .../mediagoblin/moderation/report.html | 12 ++---
 2 files changed, 29 insertions(+), 34 deletions(-)

diff --git a/mediagoblin/moderation/tools.py b/mediagoblin/moderation/tools.py
index 3ba79b38..109f3d8f 100644
--- a/mediagoblin/moderation/tools.py
+++ b/mediagoblin/moderation/tools.py
@@ -33,60 +33,57 @@ def take_punitive_actions(request, form, report, user):
 for privilege_name in form.take_away_privileges.data:
 take_away_privileges(user.username, privilege_name)
 form.resolution_content.data += \
- u"
%s took away %s\'s %s privileges." % (
- request.user.username,
- user.username,
- privilege_name)
+ u"\n{mod} took away {user}\'{privilege} privileges.".format(
+ mod=request.user.username,
+ user=user.username,
+ privilege=privilege_name)
 # If the moderator elects to ban the user, a new instance of user_ban
 # will be created.
 if u'userban' in form.action_to_resolve.data:
- reason = form.resolution_content.data + \
- "
"+request.user.username
 user_ban = ban_user(form.targeted_user.data, expiration_date=form.user_banned_until.data, reason=form.why_user_was_banned.data)
 Session.add(user_ban)
-
- if form.user_banned_until.data is not None:
- form.resolution_content.data += \
- u"
%s banned user %s until %s." % (
- request.user.username,
- user.username,
- form.user_banned_until.data)
- else:
- form.resolution_content.data += \
- u"
%s banned user %s indefinitely." % (
- request.user.username,
- user.username)
+ form.resolution_content.data += \
+ u"\n{mod} banned user {user} until {expiration_date}.".format(
+ mod=request.user.username,
+ user=user.username,
+ expiration_date = (
+ "until {date}".format(date=form.user_banned_until.data)
+ if form.user_banned_until.data
+ else "indefinitely"
+ )
+ )
 # If the moderator elects to send a warning message. An email will be
 # sent to the email address given at sign up
 if u'sendmessage' in form.action_to_resolve.data:
 message_body = form.message_to_user.data
 form.resolution_content.data += \
- u"
%s sent a warning email to the offender." % (
- request.user.username)
+ u"\n{mod} sent a warning email to the {user}.".format(
+ mod=request.user.username,
+ user=user.username)
 if u'delete' in form.action_to_resolve.data and \
 report.is_comment_report():
 deleted_comment = report.comment
 Session.delete(deleted_comment)
 form.resolution_content.data += \
- u"
%s deleted the comment." % (
- request.user.username)
+ u"\n{mod} deleted the comment.".format(
+ mod=request.user.username)
 elif u'delete' in form.action_to_resolve.data and \
 report.is_media_entry_report():
 deleted_media = report.media_entry
 Session.delete(deleted_media)
 form.resolution_content.data += \
- u"
%s deleted the media entry." % (
- request.user.username)
+ u"\n{mod} deleted the media entry.".format(
+ mod=request.user.username)
 report.archive(
- resolver_id=request.user.id,
- resolved=datetime.now(),
+ resolver_id=request.user.id,
+ resolved=datetime.now(),
 result=form.resolution_content.data)
-
+
 Session.add(report)
 Session.commit()
 if message_body:
diff --git a/mediagoblin/templates/mediagoblin/moderation/report.html b/mediagoblin/templates/mediagoblin/moderation/report.html
index e597b752..062ec24a 100644
--- a/mediagoblin/templates/mediagoblin/moderation/report.html
+++ b/mediagoblin/templates/mediagoblin/moderation/report.html
@@ -30,8 +30,7 @@ title="Return to Reports Panel"> {% trans %}Return to Reports Panel{% endtrans %}
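Review bot: The ban log line doubles the word "until": the format string `u"\n{mod} banned user {user} until {expiration_date}."` is filled with an `expiration_date` that itself starts with `"until {date}"` (or is `"indefinitely"`), so the archived result reads "banned user X until until <date>." or "until indefinitely."; drop the literal from the template, `u"\n{mod} banned user {user} {expiration_date}.".format(`. The privilege line also lost the possessive the old `%s\'s %s` had, so `{user}\'{privilege}` should read `{user}\'s {privilege}`. `message_body` is assigned only inside the `sendmessage` branch yet read at the closing `if message_body:`, so unless it is initialised above the hunk that read raises NameError whenever no warning is sent; `message_body = None` before the branch would close that. Usernames and the moderator-typed `resolution_content` interpolated here are user-controlled, so the stored `result` still depends on being escaped where it is rendered; the switch to `\n` only stops this code from emitting markup of its own. take_punitive_actions starts before this hunk and continues past it.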

{% trans %}Report{% endtrans %} #{{ report.id }}

- {% if report.is_comment_report() or
- (report.is_archived_report() and report.comment) %}
+ {% if report.comment %}
 {% trans %}Reported comment{% endtrans %}: {% set comment = report.comment %}
@@ -63,8 +62,7 @@
 {% endautoescape %}
- {% elif report.is_media_entry_report() or
- (report.is_archived_report() and report.media_entry) %}
+ {% elif report.media_entry %}
 {% set media_entry = report.media_entry %}
@@ -137,7 +135,7 @@ init_report_resolution_form(); });
- {% elif not (report.reported_user.has_privilege('admin')) %}
+ {% elif report.is_archived_report() %}

Under a GNU LGPL v.3 or Creative Commons BY-SA 3.0 license.
                   Distributed by the GNOME project http://www.gnome.org @@ -145,9 +143,9 @@

{% trans %}RESOLVED{% endtrans %} {{ report.resolved.strftime("%I:%M%p %Y-%m-%d") }}
- {% autoescape False %}
+
       

{{ report.result }}

- {% endautoescape %}
+
{% else %}

You cannot take action against an administrator
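Review bot: With `{% autoescape False %}` removed, `{{ report.result }}` is now escaped, but results archived before this change were built with the markup separators the old tools.py format strings started with (this rendering of the patch dropped the tag text), so those stored rows will now display that markup as literal text instead of line breaks. The new `\n` separators likewise only show as line breaks if the element wrapping `{{ report.result }}` preserves whitespace (for example `white-space: pre-line` or a `pre`); otherwise the per-action log lines run together on one line. A one-time rewrite of the stored separators to newlines, or normalising them at render time before the value is escaped, would cover the old rows without reopening the autoescape hole. The tags around the value are not visible in this rendering of the hunk, so the whitespace point is inferred.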

-- 2.25.1