In this next small update, I made a few changes to protect against XXS attacks

in the moderation panel.
2013-09-12 18:16:25 -04:00 · 2013-09-12 18:16:25 -04:00 · a02831687a
commit a02831687a
parent c906887025
2 changed files with 29 additions and 34 deletions
--- a/mediagoblin/moderation/tools.py
+++ b/mediagoblin/moderation/tools.py
@ -33,60 +33,57 @@ def take_punitive_actions(request, form, report, user):
            for privilege_name in form.take_away_privileges.data:
                take_away_privileges(user.username, privilege_name)
                form.resolution_content.data += \
-                    u"<br>%s took away %s\'s %s privileges." % (
+                    u"\n{mod} took away {user}\'{privilege} privileges.".format(
-                        request.user.username,
+                        mod=request.user.username,
-                        user.username,
+                        user=user.username,
-                        privilege_name)
+                        privilege=privilege_name)
        # If the moderator elects to ban the user, a new instance of user_ban
        # will be created.
        if u'userban' in form.action_to_resolve.data:
            reason = form.resolution_content.data + \
                "<br>"+request.user.username
            user_ban = ban_user(form.targeted_user.data,
                expiration_date=form.user_banned_until.data,
                reason=form.why_user_was_banned.data)
            Session.add(user_ban)
-
+            form.resolution_content.data += \
-            if form.user_banned_until.data is not None:
+                u"\n{mod} banned user {user} until {expiration_date}.".format(
-                form.resolution_content.data += \
+                    mod=request.user.username,
-                    u"<br>%s banned user %s until %s." % (
+                    user=user.username,
-                    request.user.username,
+                    expiration_date = (
-                    user.username,
+                    "until {date}".format(date=form.user_banned_until.data)
-                    form.user_banned_until.data)
+                        if form.user_banned_until.data
-            else:
+                        else "indefinitely"
-                form.resolution_content.data += \
+                        )
-                    u"<br>%s banned user %s indefinitely." % (
+                )
                    request.user.username,
                    user.username)
        # If the moderator elects to send a warning message. An email will be
        # sent to the email address given at sign up
        if u'sendmessage' in form.action_to_resolve.data:
            message_body = form.message_to_user.data
            form.resolution_content.data += \
-                u"<br>%s sent a warning email to the offender." % (
+                u"\n{mod} sent a warning email to the {user}.".format(
-                    request.user.username)
+                    mod=request.user.username,
                    user=user.username)
        if u'delete' in form.action_to_resolve.data and \
            report.is_comment_report():
                deleted_comment = report.comment
                Session.delete(deleted_comment)
                form.resolution_content.data += \
-                    u"<br>%s deleted the comment." % (
+                    u"\n{mod} deleted the comment.".format(
-                        request.user.username)
+                        mod=request.user.username)
        elif u'delete' in form.action_to_resolve.data and \
            report.is_media_entry_report():
                deleted_media = report.media_entry
                Session.delete(deleted_media)
                form.resolution_content.data += \
-                    u"<br>%s deleted the media entry." % (
+                    u"\n{mod} deleted the media entry.".format(
-                        request.user.username)
+                        mod=request.user.username)
        report.archive(
-            resolver_id=request.user.id, 
+            resolver_id=request.user.id,
-            resolved=datetime.now(), 
+            resolved=datetime.now(),
            result=form.resolution_content.data)
-        
+
        Session.add(report)
        Session.commit()
        if message_body:
--- a/mediagoblin/templates/mediagoblin/moderation/report.html
+++ b/mediagoblin/templates/mediagoblin/moderation/report.html
@ -30,8 +30,7 @@
       title="Return to Reports Panel">
      {% trans %}Return to Reports Panel{% endtrans %}</a>
  <h2>{% trans %}Report{% endtrans %} #{{ report.id }}</h2>
-  {% if report.is_comment_report() or
+  {% if report.comment %}
    (report.is_archived_report() and report.comment) %}
    {% trans %}Reported comment{% endtrans %}:
    {% set comment = report.comment %}
@ -63,8 +62,7 @@
        {% endautoescape %}
      </div>
    </div>
-  {% elif report.is_media_entry_report() or
+  {% elif report.media_entry %}
    (report.is_archived_report() and report.media_entry) %}
    {% set media_entry = report.media_entry %}
    <div class="media_thumbnail">
@ -137,7 +135,7 @@
    init_report_resolution_form();
  });
  </script>
-  {% elif not (report.reported_user.has_privilege('admin')) %}
+  {% elif report.is_archived_report() %}
    <h2><img src="{{ request.staticdirect('/images/icon_clipboard.png') }}"
             alt="Under a GNU LGPL v.3 or Creative Commons BY-SA 3.0 license.
                  Distributed by the GNOME project http://www.gnome.org" />
@ -145,9 +143,9 @@
    </h2>
    <b>{% trans %}RESOLVED{% endtrans %}</b>
    {{ report.resolved.strftime("%I:%M%p %Y-%m-%d") }}
-    {% autoescape False %}
+    <pre>
      <p>{{ report.result }}</p>
-    {% endautoescape %}
+    </pre>
  {% else %}
    <input type=button disabled=disabled value="Resolve This Report"/>
    <p>You cannot take action against an administrator</p>