diff --git a/lib/hawat/blueprints/dbstatus/__init__.py b/lib/hawat/blueprints/dbstatus/__init__.py index 566a228c523cae6e184504ddf44fb786e4c8c1f5..18fde464de37abcae4a62e7d54757d2283bb3f7f 100644 --- a/lib/hawat/blueprints/dbstatus/__init__.py +++ b/lib/hawat/blueprints/dbstatus/__init__.py @@ -316,21 +316,21 @@ class AbstractQueryStopView(PsycopgMixin, RenderableView): # pylint: disable=lo def get_message_success(**kwargs): return gettext( 'Query <strong>%(item_id)s</strong> was successfully stopped.', - item_id = str(kwargs['item']['query_name']) + item_id = flask.escape(str(kwargs['item']['query_name'])) ) @staticmethod def get_message_failure(**kwargs): return gettext( 'Unable to stop query <strong>%(item_id)s</strong>.', - item_id = str(kwargs['item']['query_name']) + item_id = flask.escape(str(kwargs['item']['query_name'])) ) @staticmethod def get_message_cancel(**kwargs): return gettext( 'Canceled stopping query <strong>%(item_id)s</strong>.', - item_id = str(kwargs['item']['query_name']) + item_id = flask.escape(str(kwargs['item']['query_name'])) ) def get_url_next(self): @@ -560,7 +560,7 @@ class DashboardView(HTMLMixin, SQLAlchemyMixin, SimpleView): # pylint: disable= 'show', endpoint = 'users.show', hidetitle = True, - legend = lambda **x: lazy_gettext('View details of user account "%(item)s"', item = x['item'].login) + legend = lambda **x: lazy_gettext('View details of user account "%(item)s"', item = flask.escape(x['item'].login)) ) action_menu.add_entry( 'submenu', 
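Review bot: The `flask.escape` call on the three `item_id = ...` lines of get_message_success/failure/cancel is only a re-export of `markupsafe.escape`; Flask deprecated that alias in 2.3 and removed it in 3.0, so this sanitisation would break on import after a future Flask upgrade. Since markupsafe is already a hard dependency of Flask, a module-level `from markupsafe import escape` with `item_id = escape(str(kwargs['item']['query_name']))` gives identical output without tying the fix to the Flask version. The explicit `str()` is worth keeping either way: `escape()` trusts any object that exposes `__html__`, so converting first guarantees the value is treated as plain text.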
@@ -571,28 +571,28 @@ class DashboardView(HTMLMixin, SQLAlchemyMixin, SimpleView): # pylint: disable= 'endpoint', 'more.update', endpoint = 'users.update', - legend = lambda **x: lazy_gettext('Update details of user account "%(item)s"', item = x['item'].login) + legend = lambda **x: lazy_gettext('Update details of user account "%(item)s"', item = flask.escape(x['item'].login)) ) action_menu.add_entry( 'endpoint', 'more.disable', endpoint = 'users.disable', icon = 'action-disable-user', - legend = lambda **x: lazy_gettext('Disable user account "%(item)s"', item = x['item'].login) + legend = lambda **x: lazy_gettext('Disable user account "%(item)s"', item = flask.escape(x['item'].login)) ) action_menu.add_entry( 'endpoint', 'more.enable', endpoint = 'users.enable', icon = 'action-enable-user', - legend = lambda **x: lazy_gettext('Enable user account "%(item)s"', item = x['item'].login) + legend = lambda **x: lazy_gettext('Enable user account "%(item)s"', item = flask.escape(x['item'].login)) ) action_menu.add_entry( 'endpoint', 'more.delete', endpoint = 'users.delete', icon = 'action-delete-user', - legend = lambda **x: lazy_gettext('Delete user account "%(item)s"', item = x['item'].login) + legend = lambda **x: lazy_gettext('Delete user account "%(item)s"', item = flask.escape(x['item'].login)) ) self.response_context['context_action_menu_user'] = action_menu @@ -602,7 +602,7 @@ class DashboardView(HTMLMixin, SQLAlchemyMixin, SimpleView): # pylint: disable= 'show', endpoint = 'groups.show', hidetitle = True, - legend = lambda **x: lazy_gettext('View details of group "%(item)s"', item = str(x['item'])) + legend = lambda **x: lazy_gettext('View details of group "%(item)s"', item = flask.escape(str(x['item']))) ) action_menu.add_entry( 'submenu', 
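Review bot: Nothing on these `legend = lambda **x: lazy_gettext(..., item = flask.escape(x['item'].login))` lines explains why escaping happens in Python rather than in the template, and the correctness of the fix hinges on that. If I recall correctly Flask-Babel's LazyString implements `__html__`, so Jinja autoescape treats the legend as trusted markup and a raw login would reach the HTML unescaped; if that is wrong, these values are now double-escaped and a login containing `<` renders as `&lt;`. A comment above the first entry, `# escape here: lazy_gettext() values bypass Jinja autoescape (LazyString.__html__)`, plus one rendering test with a login such as `<b>x</b>` would settle which of the two holds and keep it from regressing. The surrounding `action_menu` construction starts on the previous line and continues past this hunk.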
@@ -613,25 +613,25 @@ class DashboardView(HTMLMixin, SQLAlchemyMixin, SimpleView): # pylint: disable= 'endpoint', 'more.update', endpoint = 'groups.update', - legend = lambda **x: lazy_gettext('Update details of group "%(item)s"', item = str(x['item'])) + legend = lambda **x: lazy_gettext('Update details of group "%(item)s"', item = flask.escape(str(x['item']))) ) action_menu.add_entry( 'endpoint', 'more.disable', endpoint = 'groups.disable', - legend = lambda **x: lazy_gettext('Disable group "%(item)s"', item = str(x['item'])) + legend = lambda **x: lazy_gettext('Disable group "%(item)s"', item = flask.escape(str(x['item']))) ) action_menu.add_entry( 'endpoint', 'more.enable', endpoint = 'groups.enable', - legend = lambda **x: lazy_gettext('Enable group "%(item)s"', item = str(x['item'])) + legend = lambda **x: lazy_gettext('Enable group "%(item)s"', item = flask.escape(str(x['item']))) ) action_menu.add_entry( 'endpoint', 'more.delete', endpoint = 'groups.delete', - legend = lambda **x: lazy_gettext('Delete group "%(item)s"', item = str(x['item'])) + legend = lambda **x: lazy_gettext('Delete group "%(item)s"', item = flask.escape(str(x['item']))) ) self.response_context['context_action_menu_group'] = action_menu @@ -641,7 +641,7 @@ class DashboardView(HTMLMixin, SQLAlchemyMixin, SimpleView): # pylint: disable= 'show', endpoint = 'filters.show', hidetitle = True, - legend = lambda **x: lazy_gettext('View details of reporting filter "%(item)s"', item = x['item'].name) + legend = lambda **x: lazy_gettext('View details of reporting filter "%(item)s"', item = flask.escape(x['item'].name)) ) action_menu.add_entry( 'submenu', 
@@ -652,25 +652,25 @@ class DashboardView(HTMLMixin, SQLAlchemyMixin, SimpleView): # pylint: disable= 'endpoint', 'more.update', endpoint = 'filters.update', - legend = lambda **x: lazy_gettext('Update details of reporting filter "%(item)s"', item = x['item'].name) + legend = lambda **x: lazy_gettext('Update details of reporting filter "%(item)s"', item = flask.escape(x['item'].name)) ) action_menu.add_entry( 'endpoint', 'more.disable', endpoint = 'filters.disable', - legend = lambda **x: lazy_gettext('Disable reporting filter "%(item)s"', item = x['item'].name) + legend = lambda **x: lazy_gettext('Disable reporting filter "%(item)s"', item = flask.escape(x['item'].name)) ) action_menu.add_entry( 'endpoint', 'more.enable', endpoint = 'filters.enable', - legend = lambda **x: lazy_gettext('Enable reporting filter "%(item)s"', item = x['item'].name) + legend = lambda **x: lazy_gettext('Enable reporting filter "%(item)s"', item = flask.escape(x['item'].name)) ) action_menu.add_entry( 'endpoint', 'more.delete', endpoint = 'filters.delete', - legend = lambda **x: lazy_gettext('Delete reporting filter "%(item)s"', item = x['item'].name) + legend = lambda **x: lazy_gettext('Delete reporting filter "%(item)s"', item = flask.escape(x['item'].name)) ) self.response_context['context_action_menu_filter'] = action_menu diff --git a/lib/hawat/blueprints/events/__init__.py b/lib/hawat/blueprints/events/__init__.py index 08a347c3a50d42cb01dba61c0b0d5aafbb0d4e4c..c91eafd1dda05730d933a3a49fe0ad999d51782d 100644 --- a/lib/hawat/blueprints/events/__init__.py +++ b/lib/hawat/blueprints/events/__init__.py 
@@ -184,7 +184,10 @@ class AbstractShowView(PsycopgMixin, ItemShowView): # pylint: disable=locally-d @classmethod def get_menu_legend(cls, **kwargs): - return lazy_gettext('View details of event "%(item)s"', item = kwargs['item'].get_id()) + return lazy_gettext( + 'View details of event "%(item)s"', + item = flask.escape(kwargs['item'].get_id()) + ) class ShowView(HTMLMixin, AbstractShowView): # pylint: disable=locally-disabled,too-many-ancestors @@ -239,7 +242,10 @@ class DownloadView(PsycopgMixin, BaseView): @classmethod def get_view_url(cls, **kwargs): - return flask.url_for(cls.get_view_endpoint(), item_id = kwargs['item'].get_id()) + return flask.url_for( + cls.get_view_endpoint(), + item_id = kwargs['item'].get_id() + ) @classmethod def get_menu_title(cls, **kwargs): @@ -247,7 +253,10 @@ class DownloadView(PsycopgMixin, BaseView): @classmethod def get_menu_legend(cls, **kwargs): - return lazy_gettext('Download event "%(item)s"', item = kwargs['item'].get_id()) + return lazy_gettext( + 'Download event "%(item)s"', + item = flask.escape(kwargs['item'].get_id()) + ) #--------------------------------------------------------------------------- diff --git a/lib/hawat/blueprints/filters/__init__.py b/lib/hawat/blueprints/filters/__init__.py index 0a8f795d6aeb70501e50e1d620fc5666d22c469a..f164982aaf6eebfe444b3a8389b6b054731de43a 100644 --- a/lib/hawat/blueprints/filters/__init__.py +++ b/lib/hawat/blueprints/filters/__init__.py @@ -209,7 +209,7 @@ class ShowView(HTMLMixin, SQLAlchemyMixin, ItemShowView): def get_menu_legend(cls, **kwargs): return lazy_gettext( 'View details of reporting filter "%(item)s"', - item = kwargs['item'].name + item = flask.escape(kwargs['item'].name) ) @classmethod 
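Review bot: The escaping added to the two `get_menu_legend` classmethods has no accompanying test, and the value being escaped, `kwargs['item'].get_id()`, is an identifier whose origin this hunk does not show, so a regression test is the only thing that documents the intent. Under a test request context an assertion such as `assert '&lt;b&gt;x&lt;/b&gt;' in str(ShowView.get_menu_legend(item=evt))`, with `evt.get_id()` returning `<b>x</b>`, pins the behaviour for both views. The `get_view_url` hunk between them correctly leaves `item_id` unescaped: `flask.url_for` percent-encodes it, and HTML-escaping a URL component would corrupt the link.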
@@ -271,7 +271,9 @@ class ShowView(HTMLMixin, SQLAlchemyMixin, ItemShowView): if self.can_access_endpoint('filters.update', item = item) and self.has_endpoint('changelogs.search'): self.response_context.update( - context_action_menu_changelogs = self.get_endpoint_class('changelogs.search').get_context_action_menu() + context_action_menu_changelogs = self.get_endpoint_class( + 'changelogs.search' + ).get_context_action_menu() ) item_changelog = self.dbsession.query(ItemChangeLogModel).\ @@ -315,22 +317,22 @@ class CreateView(HTMLMixin, SQLAlchemyMixin, ItemCreateView): # pylint: disable def get_message_success(**kwargs): return gettext( 'Reporting filter <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong> was successfully created.', - item_id = str(kwargs['item']), - parent_id = str(kwargs['item'].group) + item_id = flask.escape(str(kwargs['item'])), + parent_id = flask.escape(str(kwargs['item'].group)) ) @staticmethod def get_message_failure(**kwargs): return gettext( 'Unable to create new reporting filter for group <strong>%(parent_id)s</strong>.', - parent_id = str(kwargs['item'].group) + parent_id = flask.escape(str(kwargs['item'].group)) ) @staticmethod def get_message_cancel(**kwargs): return gettext( 'Canceled creating new reporting filter for group <strong>%(parent_id)s</strong>.', - parent_id = str(kwargs['item'].group) + parent_id = flask.escape(str(kwargs['item'].group)) ) @staticmethod @@ -378,7 +380,7 @@ class CreateForView(HTMLMixin, SQLAlchemyMixin, ItemCreateForView): # pylint: d def get_menu_legend(cls, **kwargs): return lazy_gettext( 'Create reporting filter for group "%(item)s"', - item = str(kwargs['item']) + item = flask.escape(str(kwargs['item'])) ) @classmethod 
@@ -415,22 +417,22 @@ class CreateForView(HTMLMixin, SQLAlchemyMixin, ItemCreateForView): # pylint: d def get_message_success(**kwargs): return gettext( 'Reporting filter <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong> was successfully created.', - item_id = str(kwargs['item']), - parent_id = str(kwargs['parent']) + item_id = flask.escape(str(kwargs['item'])), + parent_id = flask.escape(str(kwargs['parent'])) ) @staticmethod def get_message_failure(**kwargs): return gettext( 'Unable to create new reporting filter for group <strong>%(parent_id)s</strong>.', - parent_id = str(kwargs['parent']) + parent_id = flask.escape(str(kwargs['parent'])) ) @staticmethod def get_message_cancel(**kwargs): return gettext( 'Canceled creating new reporting filter for group <strong>%(parent_id)s</strong>.', - parent_id = str(kwargs['parent']) + parent_id = flask.escape(str(kwargs['parent'])) ) @staticmethod @@ -470,7 +472,10 @@ class UpdateView(HTMLMixin, SQLAlchemyMixin, ItemUpdateView): # pylint: disable @classmethod def get_menu_legend(cls, **kwargs): - return lazy_gettext('Update details of reporting filter "%(item)s"', item = kwargs['item'].name) + return lazy_gettext( + 'Update details of reporting filter "%(item)s"', + item = flask.escape(kwargs['item'].name) + ) @classmethod def get_view_title(cls, **kwargs): 
@@ -495,24 +500,24 @@ class UpdateView(HTMLMixin, SQLAlchemyMixin, ItemUpdateView): # pylint: disable def get_message_success(**kwargs): return gettext( 'Reporting filter <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong> was successfully updated.', - item_id = str(kwargs['item']), - parent_id = str(kwargs['item'].group) + item_id = flask.escape(str(kwargs['item'])), + parent_id = flask.escape(str(kwargs['item'].group)) ) @staticmethod def get_message_failure(**kwargs): return gettext( 'Unable to update reporting filter <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong>.', - item_id = str(kwargs['item']), - parent_id = str(kwargs['item'].group) + item_id = flask.escape(str(kwargs['item'])), + parent_id = flask.escape(str(kwargs['item'].group)) ) @staticmethod def get_message_cancel(**kwargs): return gettext( 'Canceled updating reporting filter <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong>.', - item_id = str(kwargs['item']), - parent_id = str(kwargs['item'].group) + item_id = flask.escape(str(kwargs['item'])), + parent_id = flask.escape(str(kwargs['item'].group)) ) @staticmethod @@ -556,7 +561,10 @@ class EnableView(HTMLMixin, SQLAlchemyMixin, ItemEnableView): # pylint: disable @classmethod def get_menu_legend(cls, **kwargs): - return lazy_gettext('Enable reporting filter "%(item)s"', item = kwargs['item'].name) + return lazy_gettext( + 'Enable reporting filter "%(item)s"', + item = flask.escape(kwargs['item'].name) + ) @property def dbmodel(self): 
@@ -575,15 +583,27 @@ class EnableView(HTMLMixin, SQLAlchemyMixin, ItemEnableView): # pylint: disable @staticmethod def get_message_success(**kwargs): - return gettext('Reporting filter <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong> was successfully enabled.', item_id = str(kwargs['item']), parent_id = str(kwargs['item'].group)) + return gettext( + 'Reporting filter <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong> was successfully enabled.', + item_id = flask.escape(str(kwargs['item'])), + parent_id = flask.escape(str(kwargs['item'].group)) + ) @staticmethod def get_message_failure(**kwargs): - return gettext('Unable to enable reporting filter <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong>.', item_id = str(kwargs['item']), parent_id = str(kwargs['item'].group)) + return gettext( + 'Unable to enable reporting filter <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong>.', + item_id = flask.escape(str(kwargs['item'])), + parent_id = flask.escape(str(kwargs['item'].group)) + ) @staticmethod def get_message_cancel(**kwargs): - return gettext('Canceled enabling reporting filter <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong>.', item_id = str(kwargs['item']), parent_id = str(kwargs['item'].group)) + return gettext( + 'Canceled enabling reporting filter <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong>.', + item_id = flask.escape(str(kwargs['item'])), + parent_id = flask.escape(str(kwargs['item'].group)) + ) class DisableView(HTMLMixin, SQLAlchemyMixin, ItemDisableView): # pylint: disable=locally-disabled,too-many-ancestors 
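Review bot: The three `get_message_*` builders emit `<strong>` tags, so wherever they are flashed the template has to render them as trusted markup, which makes the new `flask.escape` on `item_id` and `parent_id` the only barrier between a filter or group name and the page. Nothing in the change pins that, so a regression test is cheap insurance: with a filter object whose `__str__` returns `<b>x</b>`, assert `'&lt;b&gt;x&lt;/b&gt;' in EnableView.get_message_success(item=f)` and that the raw `<b>` is absent, under a test request context so `gettext` can resolve. The same test shape applies to the disable and delete views further down.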
@@ -596,7 +616,10 @@ class DisableView(HTMLMixin, SQLAlchemyMixin, ItemDisableView): # pylint: disab @classmethod def get_menu_legend(cls, **kwargs): - return lazy_gettext('Disable reporting filter "%(item)s"', item = kwargs['item'].name) + return lazy_gettext( + 'Disable reporting filter "%(item)s"', + item = flask.escape(kwargs['item'].name) + ) #--------------------------------------------------------------------------- 
@@ -617,15 +640,27 @@ class DisableView(HTMLMixin, SQLAlchemyMixin, ItemDisableView): # pylint: disab @staticmethod def get_message_success(**kwargs): - return gettext('Reporting filter <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong> was successfully disabled.', item_id = str(kwargs['item']), parent_id = str(kwargs['item'].group)) + return gettext( + 'Reporting filter <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong> was successfully disabled.', + item_id = flask.escape(str(kwargs['item'])), + parent_id = flask.escape(str(kwargs['item'].group)) + ) @staticmethod def get_message_failure(**kwargs): - return gettext('Unable to disable reporting filter <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong>.', item_id = str(kwargs['item']), parent_id = str(kwargs['item'].group)) + return gettext( + 'Unable to disable reporting filter <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong>.', + item_id = flask.escape(str(kwargs['item'])), + parent_id = flask.escape(str(kwargs['item'].group)) + ) @staticmethod def get_message_cancel(**kwargs): - return gettext('Canceled disabling reporting filter <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong>.', item_id = str(kwargs['item']), parent_id = str(kwargs['item'].group)) + return gettext( + 'Canceled disabling reporting filter <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong>.', + item_id = flask.escape(str(kwargs['item'])), + parent_id = flask.escape(str(kwargs['item'].group)) + ) class DeleteView(HTMLMixin, SQLAlchemyMixin, ItemDeleteView): # pylint: disable=locally-disabled,too-many-ancestors 
@@ -638,7 +673,10 @@ class DeleteView(HTMLMixin, SQLAlchemyMixin, ItemDeleteView): # pylint: disable @classmethod def get_menu_legend(cls, **kwargs): - return lazy_gettext('Delete reporting filter "%(item)s"', item = kwargs['item'].name) + return lazy_gettext( + 'Delete reporting filter "%(item)s"', + item = flask.escape(kwargs['item'].name) + ) @property def dbmodel(self): 
@@ -657,15 +695,27 @@ class DeleteView(HTMLMixin, SQLAlchemyMixin, ItemDeleteView): # pylint: disable @staticmethod def get_message_success(**kwargs): - return gettext('Reporting filter <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong> was successfully and permanently deleted.', item_id = str(kwargs['item']), parent_id = str(kwargs['item'].group)) + return gettext( + 'Reporting filter <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong> was successfully and permanently deleted.', + item_id = flask.escape(str(kwargs['item'])), + parent_id = flask.escape(str(kwargs['item'].group)) + ) @staticmethod def get_message_failure(**kwargs): - return gettext('Unable to permanently delete reporting filter <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong>.', item_id = str(kwargs['item']), parent_id = str(kwargs['item'].group)) + return gettext( + 'Unable to permanently delete reporting filter <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong>.', + item_id = flask.escape(str(kwargs['item'])), + parent_id = flask.escape(str(kwargs['item'].group)) + ) @staticmethod def get_message_cancel(**kwargs): - return gettext('Canceled deleting reporting filter <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong>.', item_id = str(kwargs['item']), parent_id = str(kwargs['item'].group)) + return gettext( + 'Canceled deleting reporting filter <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong>.', + item_id = flask.escape(str(kwargs['item'])), + parent_id = flask.escape(str(kwargs['item'].group)) + ) class PlaygroundView(HTMLMixin, RenderableView): diff --git a/lib/hawat/blueprints/groups/__init__.py b/lib/hawat/blueprints/groups/__init__.py index 5aad59b05253d9b0ab0a19ef48a3c01893b61069..42a2a42bf58e633bad39cd95a35bd37b9b71cd92 100644 --- a/lib/hawat/blueprints/groups/__init__.py +++ b/lib/hawat/blueprints/groups/__init__.py 
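Review bot: The pattern `flask.escape(str(kwargs['item']))` / `flask.escape(str(kwargs['item'].group))` is now hand-copied into every get_message_* across the filters, networks, reports, settings and groups blueprints, so any future view that forgets the wrapper silently reopens the issue. Escaping once where the messages are consumed would be safer: either in the base view that flashes them (outside this diff, so I cannot confirm the hook exists), or at minimum a small module helper `def _h(value): return flask.escape(str(value))` used as `item_id = _h(kwargs['item'])`, which also brings the lines back to their previous one-line form. A test over the base class would then cover all views at once instead of one per method.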
@@ -118,7 +118,9 @@ class ShowView(vial.blueprints.groups.ShowView): item = self.response_context['item'] if self.can_access_endpoint('groups.update', item = item) and self.has_endpoint('changelogs.search'): self.response_context.update( - context_action_menu_changelogs = self.get_endpoint_class('changelogs.search').get_context_action_menu() + context_action_menu_changelogs = self.get_endpoint_class( + 'changelogs.search' + ).get_context_action_menu() ) item_changelog = self.dbsession.query(ItemChangeLogModel).\ diff --git a/lib/hawat/blueprints/networks/__init__.py b/lib/hawat/blueprints/networks/__init__.py index 14c11a750f8d78b836eafe1ae4b4130c696dc60a..67b454eec03d3623e4fbafd35870b0bce3725482 100644 --- a/lib/hawat/blueprints/networks/__init__.py +++ b/lib/hawat/blueprints/networks/__init__.py @@ -107,7 +107,7 @@ class ShowView(HTMLMixin, SQLAlchemyMixin, ItemShowView): def get_menu_legend(cls, **kwargs): return lazy_gettext( 'View details of network record "%(item)s"', - item = kwargs['item'].netname + item = flask.escape(kwargs['item'].netname) ) @classmethod @@ -147,7 +147,9 @@ class ShowView(HTMLMixin, SQLAlchemyMixin, ItemShowView): item = self.response_context['item'] if self.can_access_endpoint('networks.update', item = item) and self.has_endpoint('changelogs.search'): self.response_context.update( - context_action_menu_changelogs = self.get_endpoint_class('changelogs.search').get_context_action_menu() + context_action_menu_changelogs = self.get_endpoint_class( + 'changelogs.search' + ).get_context_action_menu() ) item_changelog = self.dbsession.query(ItemChangeLogModel).\ 
@@ -191,22 +193,22 @@ class CreateView(HTMLMixin, SQLAlchemyMixin, ItemCreateView): # pylint: disable def get_message_success(**kwargs): return gettext( 'Network record <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong> was successfully created.', - item_id = str(kwargs['item']), - parent_id = str(kwargs['item'].group) + item_id = flask.escape(str(kwargs['item'])), + parent_id = flask.escape(str(kwargs['item'].group)) ) @staticmethod def get_message_failure(**kwargs): return gettext( 'Unable to create new network record for group <strong>%(parent_id)s</strong>.', - parent_id = str(kwargs['item'].group) + parent_id = flask.escape(str(kwargs['item'].group)) ) @staticmethod def get_message_cancel(**kwargs): return gettext( 'Canceled creating new network record for group <strong>%(parent_id)s</strong>.', - parent_id = str(kwargs['item'].group) + parent_id = flask.escape(str(kwargs['item'].group)) ) @staticmethod @@ -236,7 +238,7 @@ class CreateForView(HTMLMixin, SQLAlchemyMixin, ItemCreateForView): # pylint: d def get_menu_legend(cls, **kwargs): return lazy_gettext( 'Create network record for group "%(item)s"', - item = str(kwargs['item']) + item = flask.escape(str(kwargs['item'])) ) @classmethod 
@@ -273,22 +275,22 @@ class CreateForView(HTMLMixin, SQLAlchemyMixin, ItemCreateForView): # pylint: d def get_message_success(**kwargs): return gettext( 'Network record <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong> was successfully created.', - item_id = str(kwargs['item']), - parent_id = str(kwargs['parent']) + item_id = flask.escape(str(kwargs['item'])), + parent_id = flask.escape(str(kwargs['parent'])) ) @staticmethod def get_message_failure(**kwargs): return gettext( 'Unable to create new network record for group <strong>%(parent_id)s</strong>.', - parent_id = str(kwargs['parent']) + parent_id = flask.escape(str(kwargs['parent'])) ) @staticmethod def get_message_cancel(**kwargs): return gettext( 'Canceled creating new network record for group <strong>%(parent_id)s</strong>.', - parent_id = str(kwargs['parent']) + parent_id = flask.escape(str(kwargs['parent'])) ) @staticmethod @@ -312,7 +314,7 @@ class UpdateView(HTMLMixin, SQLAlchemyMixin, ItemUpdateView): # pylint: disable def get_menu_legend(cls, **kwargs): return lazy_gettext( 'Update details of network record "%(item)s"', - item = kwargs['item'].netname + item = flask.escape(kwargs['item'].netname) ) @classmethod 
@@ -338,24 +340,24 @@ class UpdateView(HTMLMixin, SQLAlchemyMixin, ItemUpdateView): # pylint: disable def get_message_success(**kwargs): return gettext( 'Network record <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong> was successfully updated.', - item_id = str(kwargs['item']), - parent_id = str(kwargs['item'].group) + item_id = flask.escape(str(kwargs['item'])), + parent_id = flask.escape(str(kwargs['item'].group)) ) @staticmethod def get_message_failure(**kwargs): return gettext( 'Unable to update network record <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong>.', - item_id = str(kwargs['item']), - parent_id = str(kwargs['item'].group) + item_id = flask.escape(str(kwargs['item'])), + parent_id = flask.escape(str(kwargs['item'].group)) ) @staticmethod def get_message_cancel(**kwargs): return gettext( 'Canceled updating network record <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong>.', - item_id = str(kwargs['item']), - parent_id = str(kwargs['item'].group) + item_id = flask.escape(str(kwargs['item'])), + parent_id = flask.escape(str(kwargs['item'].group)) ) @staticmethod @@ -377,7 +379,10 @@ class DeleteView(HTMLMixin, SQLAlchemyMixin, ItemDeleteView): # pylint: disable @classmethod def get_menu_legend(cls, **kwargs): - return lazy_gettext('Delete network record "%(item)s"', item = kwargs['item'].netname) + return lazy_gettext( + 'Delete network record "%(item)s"', + item = flask.escape(kwargs['item'].netname) + ) @property def dbmodel(self): 
@@ -398,24 +403,24 @@ class DeleteView(HTMLMixin, SQLAlchemyMixin, ItemDeleteView): # pylint: disable def get_message_success(**kwargs): return gettext( 'Network record <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong> was successfully and permanently deleted.', - item_id = str(kwargs['item']), - parent_id = str(kwargs['item'].group) + item_id = flask.escape(str(kwargs['item'])), + parent_id = flask.escape(str(kwargs['item'].group)) ) @staticmethod def get_message_failure(**kwargs): return gettext( 'Unable to permanently delete network record <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong>.', - item_id = str(kwargs['item']), - parent_id = str(kwargs['item'].group) + item_id = flask.escape(str(kwargs['item'])), + parent_id = flask.escape(str(kwargs['item'].group)) ) @staticmethod def get_message_cancel(**kwargs): return gettext( 'Canceled deleting network record <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong>.', - item_id = str(kwargs['item']), - parent_id = str(kwargs['item'].group) + item_id = flask.escape(str(kwargs['item'])), + parent_id = flask.escape(str(kwargs['item'].group)) ) diff --git a/lib/hawat/blueprints/reports/__init__.py b/lib/hawat/blueprints/reports/__init__.py index 0def3df2d2991fcde817262883f80301ed1fa483..d430d6736f3bdfd97258a0d0a3ae4b818aa1e626 100644 --- a/lib/hawat/blueprints/reports/__init__.py +++ b/lib/hawat/blueprints/reports/__init__.py @@ -173,7 +173,7 @@ class ShowView(HTMLMixin, SQLAlchemyMixin, ItemShowView): def get_menu_legend(cls, **kwargs): return lazy_gettext( 'View details of event report "%(item)s"', - item = str(kwargs['item']) + item = flask.escape(str(kwargs['item'])) ) @classmethod 
@@ -220,7 +220,7 @@ class ShowView(HTMLMixin, SQLAlchemyMixin, ItemShowView): 'search', endpoint = 'events.search', title = lazy_gettext('Search'), - legend = lambda **x: lazy_gettext('Search for all events related to report "%(item)s"', item = x['item'].label), + legend = lambda **x: lazy_gettext('Search for all events related to report "%(item)s"', item = flask.escape(x['item'].label)), url = lambda **x: flask.url_for('events.search', **build_related_search_params(x['item'])) ) action_menu.add_entry( @@ -475,10 +475,15 @@ class DeleteView(HTMLMixin, SQLAlchemyMixin, ItemDeleteView): # pylint: disable @classmethod def get_menu_legend(cls, **kwargs): - return lazy_gettext('Delete event report "%(item)s"', item = str(kwargs['item'])) + return lazy_gettext( + 'Delete event report "%(item)s"', + item = flask.escape(str(kwargs['item'])) + ) def get_url_next(self): - return flask.url_for('{}.{}'.format(self.module_name, 'search')) + return flask.url_for( + '{}.{}'.format(self.module_name, 'search') + ) @property def dbmodel(self): @@ -492,21 +497,21 @@ class DeleteView(HTMLMixin, SQLAlchemyMixin, ItemDeleteView): # pylint: disable def get_message_success(**kwargs): return gettext( 'Event report <strong>%(item_id)s</strong> was successfully and permanently deleted.', - item_id = str(kwargs['item']) + item_id = flask.escape(str(kwargs['item'])) ) @staticmethod def get_message_failure(**kwargs): return gettext( 'Unable to delete event report <strong>%(item_id)s</strong>.', - item_id = str(kwargs['item']) + item_id = flask.escape(str(kwargs['item'])) ) @staticmethod def get_message_cancel(**kwargs): return gettext( 'Canceled deleting event report <strong>%(item_id)s</strong>.', - item_id = str(kwargs['item']) + item_id = flask.escape(str(kwargs['item'])) ) diff --git a/lib/hawat/blueprints/settings_reporting/__init__.py b/lib/hawat/blueprints/settings_reporting/__init__.py index 4383102d7e464272525fade551f99561d4502e07..46bbacf5d4bec1580741c8f853ffb826ea353b66 100644 
--- a/lib/hawat/blueprints/settings_reporting/__init__.py +++ b/lib/hawat/blueprints/settings_reporting/__init__.py @@ -124,7 +124,9 @@ class ShowView(HTMLMixin, SQLAlchemyMixin, ItemShowView): if self.can_access_endpoint('settings_reporting.update', item = item) and self.has_endpoint('changelogs.search'): self.response_context.update( - context_action_menu_changelogs = self.get_endpoint_class('changelogs.search').get_context_action_menu() + context_action_menu_changelogs = self.get_endpoint_class( + 'changelogs.search' + ).get_context_action_menu() ) item_changelog = self.dbsession.query(ItemChangeLogModel).\ @@ -177,22 +179,22 @@ class CreateView(HTMLMixin, SQLAlchemyMixin, ItemCreateView): # pylint: disable def get_message_success(**kwargs): return gettext( 'Reporting settings <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong> were successfully created.', - item_id = str(kwargs['item']), - parent_id = str(kwargs['item'].group) + item_id = flask.escape(str(kwargs['item'])), + parent_id = flask.escape(str(kwargs['item'].group)) ) @staticmethod def get_message_failure(**kwargs): return gettext( 'Unable to create new reporting settings for group <strong>%(parent_id)s</strong>.', - parent_id = str(kwargs['item'].group) + parent_id = flask.escape(str(kwargs['item'].group)) ) @staticmethod def get_message_cancel(**kwargs): return gettext( 'Canceled creating new reporting settings for group <strong>%(parent_id)s</strong>.', - parent_id = str(kwargs['item'].group) + parent_id = flask.escape(str(kwargs['item'].group)) ) @staticmethod 
@@ -213,7 +215,10 @@ class UpdateView(HTMLMixin, SQLAlchemyMixin, ItemUpdateView): # pylint: disable @classmethod def get_menu_legend(cls, **kwargs): - return lazy_gettext('Update details of reporting settings for group "%(item)s"', item = kwargs['item'].group.name) + return lazy_gettext( + 'Update details of reporting settings for group "%(item)s"', + item = flask.escape(kwargs['item'].group.name) + ) @classmethod def get_view_title(cls, **kwargs): @@ -238,24 +243,24 @@ class UpdateView(HTMLMixin, SQLAlchemyMixin, ItemUpdateView): # pylint: disable def get_message_success(**kwargs): return gettext( 'Reporting settings <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong> were successfully updated.', - item_id = str(kwargs['item']), - parent_id = str(kwargs['item'].group) + item_id = flask.escape(str(kwargs['item'])), + parent_id = flask.escape(str(kwargs['item'].group)) ) @staticmethod def get_message_failure(**kwargs): return gettext( 'Unable to update reporting settings <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong>.', - item_id = str(kwargs['item']), - parent_id = str(kwargs['item'].group) + item_id = flask.escape(str(kwargs['item'])), + parent_id = flask.escape(str(kwargs['item'].group)) ) @staticmethod def get_message_cancel(**kwargs): return gettext( 'Canceled updating reporting settings <strong>%(item_id)s</strong> for group <strong>%(parent_id)s</strong>.', - item_id = str(kwargs['item']), - parent_id = str(kwargs['item'].group) + item_id = flask.escape(str(kwargs['item'])), + parent_id = flask.escape(str(kwargs['item'].group)) ) @staticmethod diff --git a/lib/vial/blueprints/auth_api/__init__.py b/lib/vial/blueprints/auth_api/__init__.py index 4103914d395d9cfdb22ce47878de75680121ec9e..dcac174b478069ca55bd8f19d162ea1fd26cc7c0 100644 --- a/lib/vial/blueprints/auth_api/__init__.py +++ b/lib/vial/blueprints/auth_api/__init__.py 
@@ -113,21 +113,21 @@ class GenerateKeyView(HTMLMixin, SQLAlchemyMixin, ItemChangeView): # pylint: di def get_message_success(**kwargs): return gettext( 'API key for user account <strong>%(item_id)s</strong> was successfully generated.', - item_id = str(kwargs['item']) + item_id = flask.escape(str(kwargs['item'])) ) @staticmethod def get_message_failure(**kwargs): return gettext( 'Unable to generate API key for user account <strong>%(item_id)s</strong>.', - item_id = str(kwargs['item']) + item_id = flask.escape(str(kwargs['item'])) ) @staticmethod def get_message_cancel(**kwargs): return gettext( 'Canceled generating API key for user account <strong>%(item_id)s</strong>.', - item_id = str(kwargs['item']) + item_id = flask.escape(str(kwargs['item'])) ) @classmethod @@ -186,21 +186,21 @@ class DeleteKeyView(HTMLMixin, SQLAlchemyMixin, ItemChangeView): # pylint: disa def get_message_success(**kwargs): return gettext( 'API key for user account <strong>%(item_id)s</strong> was successfully deleted.', - item_id = str(kwargs['item']) + item_id = flask.escape(str(kwargs['item'])) ) @staticmethod def get_message_failure(**kwargs): return gettext( 'Unable to delete API key for user account <strong>%(item_id)s</strong>.', - item_id = str(kwargs['item']) + item_id = flask.escape(str(kwargs['item'])) ) @staticmethod def get_message_cancel(**kwargs): return gettext( 'Canceled deleting API key for user account <strong>%(item_id)s</strong>.', - item_id = str(kwargs['item']) + item_id = flask.escape(str(kwargs['item'])) ) @classmethod diff --git a/lib/vial/blueprints/groups/__init__.py b/lib/vial/blueprints/groups/__init__.py index 854676c8367b232e7b01885505ad28b269fd7499..a06c5ce5b1228cec50b3f5e14c771be048ee428a 100644 --- a/lib/vial/blueprints/groups/__init__.py +++ b/lib/vial/blueprints/groups/__init__.py 
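Review bot: `flask.escape` is introduced into GenerateKeyView and DeleteKeyView, but this diff adds no `import flask` to any touched module and the hunk context here shows only `gettext`, so please verify that `auth_api/__init__.py` already imports `flask` at module level; otherwise the first flashed message raises NameError instead of being sanitised. The six message builders are otherwise consistent with the rest of the change. If the module does not already import it, `from markupsafe import escape` is the smaller dependency to add, since the Flask alias is deprecated in newer releases.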
@@ -6,7 +6,7 @@
 
 
 """
-This file contains pluggable module for Hawat web interface containing features
+This file contains pluggable module for Vial application containing features
 related to user group management. These features include:
 
 * general group listing
@@ -121,11 +121,11 @@ class ShowView(HTMLMixin, SQLAlchemyMixin, ItemShowView):
         if isinstance(kwargs['item'], cls.get_model(vial.const.MODEL_GROUP)):
             return lazy_gettext(
                 'View details of group "%(item)s"',
-                item = str(kwargs['item'])
+                item = flask.escape(str(kwargs['item']))
             )
         return lazy_gettext(
             'View details of group "%(item)s"',
-            item = str(kwargs['item'].group)
+            item = flask.escape(str(kwargs['item'].group))
         )
 
     @classmethod
@@ -229,12 +229,16 @@ class ShowView(HTMLMixin, SQLAlchemyMixin, ItemShowView):
             'more.update',
             endpoint = 'users.update'
         )
-        self.response_context.update(context_action_menu_users = action_menu)
+        self.response_context.update(
+            context_action_menu_users = action_menu
+        )
 
         item = self.response_context['item']
         if self.can_access_endpoint('groups.update', item = item) and self.has_endpoint('changelogs.search'):
             self.response_context.update(
-                context_action_menu_changelogs = self.get_endpoint_class('changelogs.search').get_context_action_menu()
+                context_action_menu_changelogs = self.get_endpoint_class(
+                    'changelogs.search'
+                ).get_context_action_menu()
             )
             item_changelog_model = self.get_model(vial.const.MODEL_ITEM_CHANGELOG)
             item_changelog = self.dbsession.query(item_changelog_model).\
@@ -302,7 +306,7 @@ class CreateView(HTMLMixin, SQLAlchemyMixin, ItemCreateView): # pylint: disable
     def get_message_success(**kwargs):
         return gettext(
             'Group <strong>%(item_id)s</strong> was successfully created.',
-            item_id = str(kwargs['item'])
+            item_id = flask.escape(str(kwargs['item']))
         )
 
     @staticmethod
@@ -335,7 +339,7 @@ class UpdateView(HTMLMixin, SQLAlchemyMixin, ItemUpdateView): # pylint: disable
     def get_menu_legend(cls, **kwargs):
         return lazy_gettext(
             'Update details of group "%(item)s"',
-            item = str(kwargs['item'])
+            item = flask.escape(str(kwargs['item']))
         )
 
     @classmethod
@@ -361,21 +365,21 @@ class UpdateView(HTMLMixin, SQLAlchemyMixin, ItemUpdateView): # pylint: disable
     def get_message_success(**kwargs):
         return gettext(
             'Group <strong>%(item_id)s</strong> was successfully updated.',
-            item_id = str(kwargs['item'])
+            item_id = flask.escape(str(kwargs['item']))
         )
 
     @staticmethod
     def get_message_failure(**kwargs):
         return gettext(
             'Unable to update group <strong>%(item_id)s</strong>.',
-            item_id = str(kwargs['item'])
+            item_id = flask.escape(str(kwargs['item']))
         )
 
     @staticmethod
     def get_message_cancel(**kwargs):
         return gettext(
             'Canceled updating group <strong>%(item_id)s</strong>.',
-            item_id = str(kwargs['item'])
+            item_id = flask.escape(str(kwargs['item']))
         )
 
     @staticmethod
@@ -412,8 +416,8 @@ class AddMemberView(HTMLMixin, SQLAlchemyMixin, ItemObjectRelationView): # pyli
     def get_menu_legend(cls, **kwargs):
         return lazy_gettext(
             'Add user "%(user_id)s" to group "%(group_id)s"',
-            user_id = str(kwargs['other']),
-            group_id = str(kwargs['item'])
+            user_id = flask.escape(str(kwargs['other'])),
+            group_id = flask.escape(str(kwargs['item']))
         )
 
     @property
@@ -451,30 +455,33 @@ class AddMemberView(HTMLMixin, SQLAlchemyMixin, ItemObjectRelationView): # pyli
             pass
         if kwargs['other'].is_state_disabled():
             kwargs['other'].set_state_enabled()
-            flask.current_app.send_infomail('users.enable', account = kwargs['other'])
+            flask.current_app.send_infomail(
+                'users.enable',
+                account = kwargs['other']
+            )
 
     @staticmethod
     def get_message_success(**kwargs):
         return gettext(
             'User <strong>%(user_id)s</strong> was successfully added as a member to group <strong>%(group_id)s</strong>.',
-            user_id = str(kwargs['other']),
-            group_id = str(kwargs['item'])
+            user_id = flask.escape(str(kwargs['other'])),
+            group_id = flask.escape(str(kwargs['item']))
         )
 
     @staticmethod
     def get_message_failure(**kwargs):
         return gettext(
             'Unable to add user <strong>%(user_id)s</strong> as a member to group <strong>%(group_id)s</strong>.',
-            user_id = str(kwargs['other']),
-            group_id = str(kwargs['item'])
+            user_id = flask.escape(str(kwargs['other'])),
+            group_id = flask.escape(str(kwargs['item']))
         )
 
     @staticmethod
     def get_message_cancel(**kwargs):
         return gettext(
             'Canceled adding user <strong>%(user_id)s</strong> as a member to group <strong>%(group_id)s</strong>.',
-            user_id = str(kwargs['other']),
-            group_id = str(kwargs['item'])
+            user_id = flask.escape(str(kwargs['other'])),
+            group_id = flask.escape(str(kwargs['item']))
         )
 
 
@@ -502,8 +509,8 @@ class RejectMemberView(HTMLMixin, SQLAlchemyMixin, ItemObjectRelationView): # p
     def get_menu_legend(cls, **kwargs):
         return lazy_gettext(
             'Reject user`s "%(user_id)s" membership request for group "%(group_id)s"',
-            user_id = str(kwargs['other']),
-            group_id = str(kwargs['item'])
+            user_id = flask.escape(str(kwargs['other'])),
+            group_id = flask.escape(str(kwargs['item']))
         )
 
     @property
@@ -542,24 +549,24 @@ class RejectMemberView(HTMLMixin, SQLAlchemyMixin, ItemObjectRelationView): # p
     def get_message_success(**kwargs):
         return gettext(
             'User`s <strong>%(user_id)s</strong> membership request for group <strong>%(group_id)s</strong> was successfully rejected.',
-            user_id = str(kwargs['other']),
-            group_id = str(kwargs['item'])
+            user_id = flask.escape(str(kwargs['other'])),
+            group_id = flask.escape(str(kwargs['item']))
         )
 
     @staticmethod
     def get_message_failure(**kwargs):
         return gettext(
             'Unable to reject user`s <strong>%(user_id)s</strong> membership request for group <strong>%(group_id)s</strong>.',
-            user_id = str(kwargs['other']),
-            group_id = str(kwargs['item'])
+            user_id = flask.escape(str(kwargs['other'])),
+            group_id = flask.escape(str(kwargs['item']))
         )
 
     @staticmethod
     def get_message_cancel(**kwargs):
         return gettext(
             'Canceled rejecting user`s <strong>%(user_id)s</strong> membership request for group <strong>%(group_id)s</strong>.',
-            user_id = str(kwargs['other']),
-            group_id = str(kwargs['item'])
+            user_id = flask.escape(str(kwargs['other'])),
+            group_id = flask.escape(str(kwargs['item']))
         )
 
 
@@ -587,8 +594,8 @@ class RemoveMemberView(HTMLMixin, SQLAlchemyMixin, ItemObjectRelationView): # p
     def get_menu_legend(cls, **kwargs):
         return lazy_gettext(
             'Remove user "%(user_id)s" from group "%(group_id)s"',
-            user_id = str(kwargs['other']),
-            group_id = str(kwargs['item'])
+            user_id = flask.escape(str(kwargs['other'])),
+            group_id = flask.escape(str(kwargs['item']))
         )
 
     #---------------------------------------------------------------------------
@@ -629,24 +636,24 @@ class RemoveMemberView(HTMLMixin, SQLAlchemyMixin, ItemObjectRelationView): # p
     def get_message_success(**kwargs):
         return gettext(
             'User <strong>%(user_id)s</strong> was successfully removed as a member from group <strong>%(group_id)s</strong>.',
-            user_id = str(kwargs['other']),
-            group_id = str(kwargs['item'])
+            user_id = flask.escape(str(kwargs['other'])),
+            group_id = flask.escape(str(kwargs['item']))
         )
 
     @staticmethod
     def get_message_failure(**kwargs):
         return gettext(
             'Unable to remove user <strong>%(user_id)s</strong> as a member from group <strong>%(group_id)s</strong>.',
-            user_id = str(kwargs['other']),
-            group_id = str(kwargs['item'])
+            user_id = flask.escape(str(kwargs['other'])),
+            group_id = flask.escape(str(kwargs['item']))
         )
 
     @staticmethod
     def get_message_cancel(**kwargs):
         return gettext(
             'Canceled removing user <strong>%(user_id)s</strong> as a member from group <strong>%(group_id)s</strong>.',
-            user_id = str(kwargs['other']),
-            group_id = str(kwargs['item'])
+            user_id = flask.escape(str(kwargs['other'])),
+            group_id = flask.escape(str(kwargs['item']))
         )
 
 
@@ -664,7 +671,7 @@ class EnableView(HTMLMixin, SQLAlchemyMixin, ItemEnableView): # pylint: disable
     def get_menu_legend(cls, **kwargs):
         return lazy_gettext(
             'Enable group "%(item)s"',
-            item = str(kwargs['item'])
+            item = flask.escape(str(kwargs['item']))
         )
 
     @property
@@ -679,21 +686,21 @@ class EnableView(HTMLMixin, SQLAlchemyMixin, ItemEnableView): # pylint: disable
     def get_message_success(**kwargs):
         return gettext(
             'Group <strong>%(item_id)s</strong> was successfully enabled.',
-            item_id = str(kwargs['item'])
+            item_id = flask.escape(str(kwargs['item']))
         )
 
     @staticmethod
     def get_message_failure(**kwargs):
         return gettext(
             'Unable to enable group <strong>%(item_id)s</strong>.',
-            item_id = str(kwargs['item'])
+            item_id = flask.escape(str(kwargs['item']))
         )
 
     @staticmethod
     def get_message_cancel(**kwargs):
         return gettext(
             'Canceled enabling group <strong>%(item_id)s</strong>.',
-            item_id = str(kwargs['item'])
+            item_id = flask.escape(str(kwargs['item']))
         )
 
 
@@ -711,7 +718,7 @@ class DisableView(HTMLMixin, SQLAlchemyMixin, ItemDisableView): # pylint: disab
     def get_menu_legend(cls, **kwargs):
         return lazy_gettext(
             'Disable group "%(item)s"',
-            item = str(kwargs['item'])
+            item = flask.escape(str(kwargs['item']))
         )
 
     @property
@@ -726,21 +733,21 @@ class DisableView(HTMLMixin, SQLAlchemyMixin, ItemDisableView): # pylint: disab
     def get_message_success(**kwargs):
         return gettext(
             'Group <strong>%(item_id)s</strong> was successfully disabled.',
-            item_id = str(kwargs['item'])
+            item_id = flask.escape(str(kwargs['item']))
         )
 
     @staticmethod
     def get_message_failure(**kwargs):
         return gettext(
             'Unable to disable group <strong>%(item_id)s</strong>.',
-            item_id = str(kwargs['item'])
+            item_id = flask.escape(str(kwargs['item']))
         )
 
     @staticmethod
     def get_message_cancel(**kwargs):
         return gettext(
             'Canceled disabling group <strong>%(item_id)s</strong>.',
-            item_id = str(kwargs['item'])
+            item_id = flask.escape(str(kwargs['item']))
         )
 
 
@@ -759,7 +766,7 @@ class DeleteView(HTMLMixin, SQLAlchemyMixin, ItemDeleteView): # pylint: disable
     def get_menu_legend(cls, **kwargs):
         return lazy_gettext(
             'Delete group "%(item)s"',
-            item = str(kwargs['item'])
+            item = flask.escape(str(kwargs['item']))
         )
 
     @property
@@ -774,21 +781,21 @@ class DeleteView(HTMLMixin, SQLAlchemyMixin, ItemDeleteView): # pylint: disable
     def get_message_success(**kwargs):
         return gettext(
             'Group <strong>%(item_id)s</strong> was successfully and permanently deleted.',
-            item_id = str(kwargs['item'])
+            item_id = flask.escape(str(kwargs['item']))
         )
 
     @staticmethod
     def get_message_failure(**kwargs):
         return gettext(
             'Unable to delete group <strong>%(item_id)s</strong>.',
-            item_id = str(kwargs['item'])
+            item_id = flask.escape(str(kwargs['item']))
         )
 
     @staticmethod
     def get_message_cancel(**kwargs):
         return gettext(
             'Canceled deleting group <strong>%(item_id)s</strong>.',
-            item_id = str(kwargs['item'])
+            item_id = flask.escape(str(kwargs['item']))
         )
 
 
diff --git a/lib/vial/blueprints/users/__init__.py b/lib/vial/blueprints/users/__init__.py
index 0bec9b0dea03205349f8186f744e9fc194669cfd..bd856bae9d12fb366153cee63352570aae7439d2 100644
--- a/lib/vial/blueprints/users/__init__.py
+++ b/lib/vial/blueprints/users/__init__.py
@@ -6,7 +6,7 @@
 
 
 """
-This file contains pluggable module for Hawat web interface containing features
+This file contains pluggable module for Vial application containing features
 related to user account management. These features include:
 
 * general user account listing
@@ -120,7 +120,7 @@ class ShowView(HTMLMixin, SQLAlchemyMixin, ItemShowView):
     def get_menu_legend(cls, **kwargs):
         return lazy_gettext(
             'Show details of user account "%(item)s"',
-            item = kwargs['item'].login
+            item = flask.escape(kwargs['item'].login)
         )
 
     @classmethod
@@ -216,11 +216,15 @@ class ShowView(HTMLMixin, SQLAlchemyMixin, ItemShowView):
             'more.update',
             endpoint = 'groups.update'
         )
-        self.response_context.update(context_action_menu_groups = action_menu)
+        self.response_context.update(
+            context_action_menu_groups = action_menu
+        )
 
         if self.has_endpoint('changelogs.search'):
             self.response_context.update(
-                context_action_menu_changelogs = self.get_endpoint_class('changelogs.search').get_context_action_menu()
+                context_action_menu_changelogs = self.get_endpoint_class(
+                    'changelogs.search'
+                ).get_context_action_menu()
             )
 
         if self.can_access_endpoint('users.update', item = item) and self.has_endpoint('changelogs.search'):
@@ -231,14 +235,18 @@ class ShowView(HTMLMixin, SQLAlchemyMixin, ItemShowView):
                 order_by(item_changelog_model.createtime.desc()).\
                 limit(100).\
                 all()
-            self.response_context.update(item_changelog = item_changelog)
+            self.response_context.update(
+                item_changelog = item_changelog
+            )
 
             user_changelog = self.dbsession.query(item_changelog_model).\
                 filter(item_changelog_model.author_id == item.id).\
                 order_by(item_changelog_model.createtime.desc()).\
                 limit(100).\
                 all()
-            self.response_context.update(user_changelog = user_changelog)
+            self.response_context.update(
+                user_changelog = user_changelog
+            )
 
 
 class MeView(ShowView): # pylint: disable=locally-disabled,too-many-ancestors
@@ -347,7 +355,7 @@ class CreateView(HTMLMixin, SQLAlchemyMixin, ItemCreateView): # pylint: disable
     def get_message_success(**kwargs):
         return gettext(
             'User account <strong>%(item_id)s</strong> was successfully created.',
-            item_id = str(kwargs['item'])
+            item_id = flask.escape(str(kwargs['item']))
         )
 
     @staticmethod
@@ -394,7 +402,7 @@ class UpdateView(HTMLMixin, SQLAlchemyMixin, ItemUpdateView): # pylint: disable
     def get_menu_legend(cls, **kwargs):
         return lazy_gettext(
             'Update details of user account "%(item)s"',
-            item = kwargs['item'].login
+            item = flask.escape(kwargs['item'].login)
         )
 
     @property
@@ -416,21 +424,21 @@ class UpdateView(HTMLMixin, SQLAlchemyMixin, ItemUpdateView): # pylint: disable
     def get_message_success(**kwargs):
         return gettext(
             'User account <strong>%(item_id)s</strong> was successfully updated.',
-            item_id = str(kwargs['item'])
+            item_id = flask.escape(str(kwargs['item']))
         )
 
     @staticmethod
     def get_message_failure(**kwargs):
         return gettext(
             'Unable to update user account <strong>%(item_id)s</strong>.',
-            item_id = str(kwargs['item'])
+            item_id = flask.escape(str(kwargs['item']))
         )
 
     @staticmethod
     def get_message_cancel(**kwargs):
         return gettext(
             'Canceled updating user account <strong>%(item_id)s</strong>.',
-            item_id = str(kwargs['item'])
+            item_id = flask.escape(str(kwargs['item']))
         )
 
     @staticmethod
@@ -484,8 +492,8 @@ class AddMembershipView(HTMLMixin, SQLAlchemyMixin, ItemObjectRelationView): #
     def get_menu_legend(cls, **kwargs):
         return lazy_gettext(
             'Add user "%(user_id)s" to group "%(group_id)s"',
-            user_id = str(kwargs['item']),
-            group_id = str(kwargs['other'])
+            user_id = flask.escape(str(kwargs['item'])),
+            group_id = flask.escape(str(kwargs['other']))
         )
 
     @property
@@ -523,30 +531,33 @@ class AddMembershipView(HTMLMixin, SQLAlchemyMixin, ItemObjectRelationView): #
             pass
         if kwargs['item'].is_state_disabled():
             kwargs['item'].set_state_enabled()
-            flask.current_app.send_infomail('users.enable', account = kwargs['item'])
+            flask.current_app.send_infomail(
+                'users.enable',
+                account = kwargs['item']
+            )
 
     @staticmethod
     def get_message_success(**kwargs):
         return gettext(
             'User <strong>%(user_id)s</strong> was successfully added as a member to group <strong>%(group_id)s</strong>.',
-            user_id = str(kwargs['item']),
-            group_id = str(kwargs['other'])
+            user_id = flask.escape(str(kwargs['item'])),
+            group_id = flask.escape(str(kwargs['other']))
         )
 
     @staticmethod
     def get_message_failure(**kwargs):
         return gettext(
             'Unable to add user <strong>%(user_id)s</strong> as a member to group <strong>%(group_id)s</strong>.',
-            user_id = str(kwargs['item']),
-            group_id = str(kwargs['other'])
+            user_id = flask.escape(str(kwargs['item'])),
+            group_id = flask.escape(str(kwargs['other']))
         )
 
     @staticmethod
     def get_message_cancel(**kwargs):
         return gettext(
             'Canceled adding user <strong>%(user_id)s</strong> as a member to group <strong>%(group_id)s</strong>.',
-            user_id = str(kwargs['item']),
-            group_id = str(kwargs['other'])
+            user_id = flask.escape(str(kwargs['item'])),
+            group_id = flask.escape(str(kwargs['other']))
         )
 
 
@@ -574,8 +585,8 @@ class RejectMembershipView(HTMLMixin, SQLAlchemyMixin, ItemObjectRelationView):
     def get_menu_legend(cls, **kwargs):
         return lazy_gettext(
             'Reject user`s "%(user_id)s" membership request for group "%(group_id)s"',
-            user_id = str(kwargs['item']),
-            group_id = str(kwargs['other'])
+            user_id = flask.escape(str(kwargs['item'])),
+            group_id = flask.escape(str(kwargs['other']))
         )
 
     @property
@@ -612,24 +623,24 @@ class RejectMembershipView(HTMLMixin, SQLAlchemyMixin, ItemObjectRelationView):
     def get_message_success(**kwargs):
         return gettext(
             'User`s <strong>%(user_id)s</strong> membership request for group <strong>%(group_id)s</strong> was successfully rejected.',
-            user_id = str(kwargs['item']),
-            group_id = str(kwargs['other'])
+            user_id = flask.escape(str(kwargs['item'])),
+            group_id = flask.escape(str(kwargs['other']))
         )
 
     @staticmethod
     def get_message_failure(**kwargs):
         return gettext(
             'Unable to reject user`s <strong>%(user_id)s</strong> membership request for group <strong>%(group_id)s</strong>.',
-            user_id = str(kwargs['item']),
-            group_id = str(kwargs['other'])
+            user_id = flask.escape(str(kwargs['item'])),
+            group_id = flask.escape(str(kwargs['other']))
         )
 
     @staticmethod
     def get_message_cancel(**kwargs):
         return gettext(
             'Canceled rejecting user`s <strong>%(user_id)s</strong> membership request for group <strong>%(group_id)s</strong>.',
-            user_id = str(kwargs['item']),
-            group_id = str(kwargs['other'])
+            user_id = flask.escape(str(kwargs['item'])),
+            group_id = flask.escape(str(kwargs['other']))
         )
 
 
@@ -657,8 +668,8 @@ class RemoveMembershipView(HTMLMixin, SQLAlchemyMixin, ItemObjectRelationView):
     def get_menu_legend(cls, **kwargs):
         return lazy_gettext(
             'Remove user "%(user_id)s" from group "%(group_id)s"',
-            user_id = str(kwargs['item']),
-            group_id = str(kwargs['other'])
+            user_id = flask.escape(str(kwargs['item'])),
+            group_id = flask.escape(str(kwargs['other']))
         )
 
     @property
@@ -698,24 +709,24 @@ class RemoveMembershipView(HTMLMixin, SQLAlchemyMixin, ItemObjectRelationView):
     def get_message_success(**kwargs):
         return gettext(
             'User <strong>%(user_id)s</strong> was successfully removed as a member from group <strong>%(group_id)s</strong>.',
-            user_id = str(kwargs['item']),
-            group_id = str(kwargs['other'])
+            user_id = flask.escape(str(kwargs['item'])),
+            group_id = flask.escape(str(kwargs['other']))
         )
 
     @staticmethod
     def get_message_failure(**kwargs):
         return gettext(
             'Unable to remove user <strong>%(user_id)s</strong> as a member from group <strong>%(group_id)s</strong>.',
-            user_id = str(kwargs['item']),
-            group_id = str(kwargs['other'])
+            user_id = flask.escape(str(kwargs['item'])),
+            group_id = flask.escape(str(kwargs['other']))
         )
 
     @staticmethod
     def get_message_cancel(**kwargs):
         return gettext(
             'Canceled removing user <strong>%(user_id)s</strong> as a member from group <strong>%(group_id)s</strong>.',
-            user_id = str(kwargs['item']),
-            group_id = str(kwargs['other'])
+            user_id = flask.escape(str(kwargs['item'])),
+            group_id = flask.escape(str(kwargs['other']))
         )
 
 
@@ -737,7 +748,7 @@ class EnableView(HTMLMixin, SQLAlchemyMixin, ItemEnableView): # pylint: disable
     def get_menu_legend(cls, **kwargs):
         return lazy_gettext(
             'Enable user account "%(item)s"',
-            item = kwargs['item'].login
+            item = flask.escape(kwargs['item'].login)
         )
 
     @property
@@ -752,21 +763,21 @@ class EnableView(HTMLMixin, SQLAlchemyMixin, ItemEnableView): # pylint: disable
     def get_message_success(**kwargs):
         return gettext(
             'User account <strong>%(item_id)s</strong> was successfully enabled.',
-            item_id = str(kwargs['item'])
+            item_id = flask.escape(str(kwargs['item']))
         )
 
     @staticmethod
     def get_message_failure(**kwargs):
         return gettext(
             'Unable to enable user account <strong>%(item_id)s</strong>.',
-            item_id = str(kwargs['item'])
+            item_id = flask.escape(str(kwargs['item']))
         )
 
     @staticmethod
     def get_message_cancel(**kwargs):
         return gettext(
             'Canceled enabling user account <strong>%(item_id)s</strong>.',
-            item_id = str(kwargs['item'])
+            item_id = flask.escape(str(kwargs['item']))
         )
 
     @classmethod
@@ -814,7 +825,7 @@ class DisableView(HTMLMixin, SQLAlchemyMixin, ItemDisableView): # pylint: disab
     def get_menu_legend(cls, **kwargs):
         return lazy_gettext(
             'Disable user account "%(item)s"',
-            item = kwargs['item'].login
+            item = flask.escape(kwargs['item'].login)
         )
 
     @property
@@ -829,21 +840,21 @@ class DisableView(HTMLMixin, SQLAlchemyMixin, ItemDisableView): # pylint: disab
     def get_message_success(**kwargs):
         return gettext(
             'User account <strong>%(item_id)s</strong> was successfully disabled.',
-            item_id = str(kwargs['item'])
+            item_id = flask.escape(str(kwargs['item']))
         )
 
     @staticmethod
     def get_message_failure(**kwargs):
         return gettext(
             'Unable to disable user account <strong>%(item_id)s</strong>.',
-            item_id = str(kwargs['item'])
+            item_id = flask.escape(str(kwargs['item']))
         )
 
     @staticmethod
     def get_message_cancel(**kwargs):
         return gettext(
             'Canceled disabling user account <strong>%(item_id)s</strong>.',
-            item_id = str(kwargs['item'])
+            item_id = flask.escape(str(kwargs['item']))
         )
 
 
@@ -863,7 +874,10 @@ class DeleteView(HTMLMixin, SQLAlchemyMixin, ItemDeleteView): # pylint: disable
 
     @classmethod
     def get_menu_legend(cls, **kwargs):
-        return lazy_gettext('Delete user account "%(item)s"', item = kwargs['item'].login)
+        return lazy_gettext(
+            'Delete user account "%(item)s"',
+            item = flask.escape(kwargs['item'].login)
+        )
 
     @property
     def dbmodel(self):
@@ -877,21 +891,21 @@ class DeleteView(HTMLMixin, SQLAlchemyMixin, ItemDeleteView): # pylint: disable
     def get_message_success(**kwargs):
         return gettext(
             'User account <strong>%(item_id)s</strong> was successfully and permanently deleted.',
-            item_id = str(kwargs['item'])
+            item_id = flask.escape(str(kwargs['item']))
         )
 
     @staticmethod
     def get_message_failure(**kwargs):
         return gettext(
             'Unable to delete user account <strong>%(item_id)s</strong>.',
-            item_id = str(kwargs['item'])
+            item_id = flask.escape(str(kwargs['item']))
         )
 
     @staticmethod
     def get_message_cancel(**kwargs):
         return gettext(
             'Canceled deleting user account <strong>%(item_id)s</strong>.',
-            item_id = str(kwargs['item'])
+            item_id = flask.escape(str(kwargs['item']))
         )
 
 
diff --git a/lib/vial/view/__init__.py b/lib/vial/view/__init__.py
index 19d3151a2983d4eac730505b140c43dcc3ed7824..cd52958a45efc7682d310d479717e1c29a76f5b7 100644
--- a/lib/vial/view/__init__.py
+++ b/lib/vial/view/__init__.py
@@ -609,14 +609,14 @@ class BaseLoginView(SimpleView):
         except Exception: # pylint: disable=locally-disabled,broad-except
             self.flash(
                 flask.Markup(gettext(
-                    "Unable to perform developer login as <strong>%(user)s</strong>.",
-                    user = str(user_login)
+                    "Unable to perform login as <strong>%(user)s</strong>.",
+                    user = flask.escape(str(user_login))
                 )),
                 vial.const.FLASH_FAILURE
             )
             flask.current_app.log_exception_with_label(
                 traceback.TracebackException(*sys.exc_info()),
-                'Unable to perform developer login.',
+                'Unable to perform login.',
             )
             self.abort(500)
 
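Review bot: In the `BaseLoginView` hunk the escape is applied per argument inside `gettext(...)` and the result is then wrapped in `flask.Markup`, which is the fragile order: one call site that forgets `flask.escape` silently reintroduces the HTML injection, and the same pattern is repeated in every `get_message_*` helper of this patch whose output the base class wraps in `flask.Markup`. `Markup` already escapes its interpolation arguments, so the safer shape is to format after wrapping: `flask.Markup(gettext("Unable to perform login as <strong>%(user)s</strong>.")) % {'user': str(user_login)}` — the translated template (from the catalogue) stays trusted markup while `user_login` is escaped by `Markup.__mod__` regardless of what the caller remembered. This presumes flask-babel's `gettext` returns the translated string unformatted when no keyword arguments are passed, which matches its documented behaviour but is worth a quick check against the pinned version. The same applies to the two `self.flash(flask.Markup(gettext(...)))` sites in the next two hunks of this file.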
@@ -624,8 +624,8 @@ class BaseLoginView(SimpleView):
             self.flash(
                 flask.Markup(gettext(
                     'Your user account <strong>%(login)s (%(name)s)</strong> is currently disabled, you are not permitted to log in.',
-                    login = user.login,
-                    name = user.fullname
+                    login = flask.escape(user.login),
+                    name = flask.escape(user.fullname)
                 )),
                 vial.const.FLASH_FAILURE
             )
@@ -655,7 +655,7 @@ class BaseLoginView(SimpleView):
         self.flash(
             flask.Markup(gettext(
                 'You have been successfully logged in as <strong>%(user)s</strong>.',
-                user = str(user)
+                user = flask.escape(str(user))
             )),
             vial.const.FLASH_SUCCESS
         )
@@ -1470,7 +1470,10 @@ class ItemCreateView(ItemActionView): # pylint: disable=locally-disabled,abstra
         The text may contain HTML characters and will be passed to :py:class:`flask.Markup`
         before being used, so to certain extend you may emphasize and customize the output.
         """
-        return gettext('Item "%(item)s" already exists', item = str(kwargs['item']))
+        return gettext(
+            'Item "%(item)s" already exists',
+            item = flask.escape(str(kwargs['item']))
+        )
 
     @classmethod
     def get_breadcrumbs_menu(cls):
@@ -1662,7 +1665,10 @@ class ItemCreateForView(ItemActionView): # pylint: disable=locally-disabled,abs
         The text may contain HTML characters and will be passed to :py:class:`flask.Markup`
         before being used, so to certain extend you may emphasize and customize the output.
         """
-        return gettext('Item "%(item)s" already exists', item = str(kwargs['item']))
+        return gettext(
+            'Item "%(item)s" already exists',
+            item = flask.escape(str(kwargs['item']))
+        )
 
     @classmethod
     def get_breadcrumbs_menu(cls):
@@ -2451,7 +2457,10 @@ class ItemObjectRelationView(ItemChangeView): # pylint: disable=locally-disable
             self.dbsession.rollback()
             self.flash(
                 flask.Markup(
-                    self.get_message_failure(item = item, other = other)
+                    self.get_message_failure(
+                        item = item,
+                        other = other
+                    )
                 ),
                 vial.const.FLASH_FAILURE
             )
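Review bot: The docstring of `get_message_duplicate` in the `ItemCreateView` hunk still only says the text "will be passed to :py:class:`flask.Markup`" and does not state the contract the new code now relies on — that every value interpolated into the message must itself be escaped, because the caller wraps the return value in `Markup` without further escaping. Subclasses overriding this method (and the `get_message_success`/`get_message_failure`/`get_message_cancel` helpers, see the `ItemObjectRelationView` hunk where `self.get_message_failure(...)` is wrapped in `flask.Markup` as-is) will reintroduce the injection if this is left implicit; I would append to the docstring: `Any value interpolated into the text must be passed through :py:func:`flask.escape` first, since the result is wrapped in :py:class:`flask.Markup` without further escaping.` The same docstring appears in the `ItemCreateForView` hunk and should carry the same sentence. The enclosing methods start above these hunks.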