view MoinMoin/parser/text_html.py @ 5910:7e7e1cbb9d3f

security: fix remote code execution vulnerability in twikidraw/anywikidraw actions

We have wikiutil.taintfilename() to make user-supplied filenames safe, so that they can't contain any "special" characters like path separators, etc. It is used in many places in moin, but wasn't used here. :|
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Sat, 29 Dec 2012 15:05:29 +0100
parents ff39884957af
children
# -*- coding: iso-8859-1 -*-
"""
    MoinMoin - HTML Parser

    @copyright: 2006 MoinMoin:AlexanderSchremmer
    @license: GNU GPL, see COPYING for details.
"""

from MoinMoin.support.htmlmarkup import Markup
from HTMLParser import HTMLParseError

# Module-level dependency list; Parser.Dependencies below is bound to this
# same list object.
# NOTE(review): presumably read by MoinMoin's page caching - confirm against
# the callers before adding entries.
Dependencies = []

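class Parser:
    """
        Sends HTML code after filtering it.

        The raw text is passed through Markup(...).sanitize() and only that
        result is handed to formatter.rawHTML(). The sanitize() call is the
        only filter visible here between the page text and the raw HTML
        output, so any new rawHTML() call in this class needs the same
        treatment.
        NOTE(review): what sanitize() removes is defined in
        MoinMoin.support.htmlmarkup, not in this file - confirm there.
    """

    extensions = ['.htm', '.html']
    Dependencies = Dependencies

    def __init__(self, raw, request, **kw):
        """ Remember the text to send and the request to write it to.

        @param raw: HTML source text; it is filtered in format()
        @param request: request object, format() calls its write()
        @param kw: accepted for interface compatibility, not used
        """
        self.raw = raw
        self.request = request

    def format(self, formatter, **kw):
        """ Send the text.

        Writes the sanitized HTML to the request. If the HTML cannot be
        parsed, a system message naming the parser error and the offending
        source line is written instead.

        @param formatter: formatter providing rawHTML(), text() and sysmsg()
        @param kw: accepted for interface compatibility, not used
        """
        try:
            self.request.write(formatter.rawHTML(Markup(self.raw).sanitize()))
        except HTMLParseError, e:
            # The quoted source line is unfiltered input, so it is emitted
            # through formatter.text() and never through rawHTML().
            # NOTE(review): relies on formatter.text() escaping markup -
            # confirm for every formatter in use.
            lines = self.raw.splitlines()
            lineno = e.lineno
            # HTMLParseError.lineno is None when the error carries no
            # position, and the parser's line count need not match
            # splitlines(); without this guard the error handler itself
            # fails with TypeError/IndexError and the message is lost.
            if lineno is not None and 1 <= lineno <= len(lines):
                context = lines[lineno - 1].strip()
            else:
                context = u''
            self.request.write(formatter.sysmsg(1) +
                formatter.text(u'HTML parsing error: %s in "%s"' % (e.msg,
                                  context)) +
                formatter.sysmsg(0))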