use pyramid.compat.escape instead of cgi.escape - backport of #3165 and #3171

Steve Piercy

2017-09-23 e0eda611a5e951acd56884fb48e7a3049821f836

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
from pyramid.compat import escape
 
from pyramid.httpexceptions import HTTPFound
from pyramid.response import Response
from pyramid.view import view_config
 
 
# First view, available at http://localhost:6543/
@view_config(route_name='home')
def home_view(request):
    return Response('<p>Visit <a href="/howdy?name=lisa">hello</a></p>')
 
 
# /howdy?name=alice which links to the next view
@view_config(route_name='hello')
def hello_view(request):
    name = request.params.get('name', 'No Name')
    body = '<p>Hi %s, this <a href="/goto">redirects</a></p>'
    # pyramid.compat.escape to prevent Cross-Site Scripting (XSS) [CWE 79]
    return Response(body % escape(name))
 
 
# /goto which issues HTTP redirect to the last view
@view_config(route_name='redirect')
def redirect_view(request):
    return HTTPFound(location="/problem")
 
 
# /problem which causes a site error
@view_config(route_name='exception')
def exception_view(request):
    raise Exception()