From a24b4a77627824030b926265d305d27926382f25 Mon Sep 17 00:00:00 2001
From: Micah Lee
Date: Wed, 21 Dec 2016 22:56:15 -0800
Subject: [PATCH] Replaced sanitize_html() function that was based on regex with python3's html.escape()

---
 onionshare/web.py | 16 ++--------------
 1 file changed, 2 insertions(+), 14 deletions(-)

diff --git a/onionshare/web.py b/onionshare/web.py
index 32deaa97..170775e9 100644
--- a/onionshare/web.py
+++ b/onionshare/web.py
@@ -17,7 +17,7 @@ GNU General Public License for more details.
 You should have received a copy of the GNU General Public License
 along with this program. If not, see .
 """
-import queue, mimetypes, platform, os, sys, socket, logging, re
+import queue, mimetypes, platform, os, sys, socket, logging, html
 from urllib.request import urlopen
 from flask import Flask, Response, request, render_template_string, abort
 
@@ -30,18 +30,6 @@ file_info = []
 zip_filename = None
 zip_filesize = None
 
-def sanitize_html(basename):
- """
- Takes a string, called basename, and removes any HTML that could be in the
- string. If the resulting string is empty, return the string 'file', which
- is not ideal, but better than embedded HTML that could run JS.
- """
- html_regex = re.compile('<.*?>')
- sanitized_name = re.sub(html_regex , '', basename)
- if sanitized_name == '':
- sanitized_name = 'file'
- return sanitized_name
-
 def set_file_info(filenames):
 """
 Using the list of filenames being shared, fill in details that the web
@@ -54,7 +42,7 @@ def set_file_info(filenames):
 file_info = {'files': [], 'dirs': []}
 for filename in filenames:
 # strips trailing '/' and sanitizes filename
- basename = sanitize_html(os.path.basename(filename.rstrip('/')))
+ basename = html.escape(os.path.basename(filename.rstrip('/')))
 info = {
 'filename': filename,
 'basename': basename
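Review bot: The new `basename = html.escape(...)` line in set_file_info escapes for an HTML text/attribute context only and does so at storage time rather than at the output site, so the stored value is safe where a template interpolates it as HTML text but not if it is ever placed in a URL, a JavaScript string or a response header. Since this file imports `render_template_string`, Jinja autoescaping may already apply to `{{ ... }}` output, in which case this pre-escaping double-encodes names containing `&`, `<`, `>` or quotes (a file called `a&b.txt` would display as `a&amp;b.txt`); confirm the rendering context and escape once, at the point of output. The removed fallback to `'file'` is also gone: `html.escape('')` returns `''`, so a path whose basename is empty after `rstrip('/')` now yields an empty basename, which a guard such as `basename = html.escape(os.path.basename(filename.rstrip('/'))) or 'file'` would preserve. The comment above that line, `# strips trailing '/' and sanitizes filename`, should be updated to `# strips trailing '/' and HTML-escapes the basename for display` so it no longer suggests the name is sanitized for every context. set_file_info continues outside the hunk.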