remove markup in comments

This commit is contained in:
Grégory Soutadé 2012-10-23 18:59:40 +02:00
parent 9945116ed0
commit 190eb3d9b8


@ -539,8 +539,14 @@ def add_comment(request, post_id, parent_id):
else:
ip = request.META['REMOTE_ADDR']
# Avoid script injection
the_comment = request.POST['the_comment']
the_comment = the_comment.replace('<', '&lt;')
the_comment = the_comment.replace('>', '&gt;')
comment = Comment(post=post, parent=parentComment, date=datetime.now(), author=request.POST['author'],\
email=request.POST['email'], the_comment=request.POST['the_comment'], ip=ip)
email=request.POST['email'], the_comment=the_comment], ip=ip)
comment.save()
engine = globals()['post']
@ -577,17 +583,14 @@ def add_comment(request, post_id, parent_id):
for email,author in emails.items():
text_body = u'Bonjour %s,\n\nUn nouveau commentaire a été posté pour l\'article "%s".\n\n' % (author, post.title)
text_body += u'Pour le consulter, rendez vous sur http://%s%s/#comment_%s\n\n----------------\n\n' % (blog.name, post.getPath(), comment_index)
text_body += comment.the_comment
text_body += the_comment
text_body += '\n'
html_body = u'<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8" /></head><body>'
html_body += u'Bonjour %s,<br/><br/>Un nouveau commentaire a été posté pour l\'article "%s".<br/><br/>' % (author, post.title)
html_body = html_body + u'Pour le consulter, rendez vous sur <a href="http://%s%s#comment_%s">http://%s%s#comment_%s</a><br/><br/>----------------<br/><pre>' % (blog.name, post.getPath(), comment_index, blog.name, post.getPath(), comment_index)
c = comment.the_comment
# Avoid script injection
c = c.replace('<pre>', '&lt;pre&gt;')
c = c.replace('</pre>', '&lt;/pre&gt;')
html_body += c + '</pre>'
html_body += the_comment + '</pre>'
html_body += '</body></html>'
msg = EmailMultiAlternatives(subject, text_body, 'no-reply@%s' % blog.name , [email])
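Review bot: The escaping added at the top of add_comment only rewrites `<` and `>`, so `&`, `"` and `'` pass through unchanged into the stored comment and into the `<pre>` block of html_body; a single `the_comment = escape(request.POST['the_comment'])` with `from django.utils.html import escape` covers all five characters and matches what the rest of the Django stack expects. Escaping at storage time also leaks into the plain-text alternative: `text_body += the_comment` now sends `&lt;`/`&gt;` literally to the reader, so keep the raw POST value for text_body and apply the escape only where HTML is assembled. The keyword argument `the_comment=the_comment]` in the Comment(...) call carries a stray `]` that will not parse, unless that is a rendering artifact of this page. The `author` value formatted into html_body on the `Bonjour %s` line is not escaped here and presumably originates from the same untrusted POST fields, so it likely needs the same treatment. The loop body and add_comment itself continue past the end of this hunk.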