From 741754e676a7845990ebf24570cc919a906646cc Mon Sep 17 00:00:00 2001
From: Philip Sargent
Date: Tue, 8 Aug 2023 19:23:55 +0300
Subject: [PATCH] some input validation
---
core/views/uploads.py | 24 +++++++++++++++++-------
1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/core/views/uploads.py b/core/views/uploads.py
index 55be212..1ba5cf1 100644
--- a/core/views/uploads.py
+++ b/core/views/uploads.py
@@ -71,13 +71,23 @@ def logbookedit(request, year=None):
 return render(request, "errors/generic.html", {"message": message})
 else:
 # validation all to be done yet..
- date = request.POST["date"] # check valid and this year
- author = request.POST["author"] # check against personexpedition
- others = request.POST["others"] # check each against personexpedition
- place = request.POST["place"] # no hyphens !
- title = request.POST["title"]
- entry = request.POST["text"] # replace 2 \n or

with

- tu = request.POST["tu"] # check numeric
+ date = request.POST["date"].strip() # check valid and this year
+ author = request.POST["author"].strip() # check against personexpedition
+ others = request.POST["others"].strip() # check each against personexpedition
+ place = request.POST["place"].strip().replace('-','=') # no hyphens !
+ title = request.POST["title"].strip()
+ entry = request.POST["text"].strip() # get rid of trailing spaces
+ entry = entry.replace('\r','') # remove HTML-standard CR inserted
+ entry = entry.replace('\n\n','\n

\n') # replace 2 \n with

+ entry = entry.replace(' tag, even if it has attributes, with

+ entry = entry.replace('
','
') # clean up previous hack
+ tu = request.POST["tu"].strip()
+ if tu =="":
+ tu = 0
+ try:
+ tu = float(tu)/1 # check numeric
+ except:
+ tu = 0
 seq = 99 # should match the number of entries on this date +1 in the db already
 # OK this could be done by rendering a template, but for such a small bit of HTML, it is easier to have
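Review bot: The bare `except:` around the `tu` conversion turns any non-numeric input into 0 without telling the user, and it also swallows SystemExit and KeyboardInterrupt; `except ValueError:` is the right scope, and the `/1` in `tu = float(tu)/1` does nothing. The narrowed form is `try: tu = float(tu)` / `except ValueError: tu = 0`, ideally recording a validation message for the form rather than carrying a silent 0 onward. The `date`, `author` and `others` fields are still only stripped, so the "check valid and this year" and "check against personexpedition" comments remain open work despite the commit title, and `request.POST["date"]` still raises MultiValueDictKeyError when the field is absent from the POST body — `request.POST.get("date", "")` would let the pending validation handle that case. The body of logbookedit continues beyond the hunk.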