diff --git a/views.py b/views.py
index e3327bf..d5b5a41 100644
--- a/views.py
+++ b/views.py
@@ -539,8 +539,14 @@ def add_comment(request, post_id, parent_id):
 else:
 ip = request.META['REMOTE_ADDR']
+
+ # Avoid script injection
+ the_comment = request.POST['the_comment']
+ the_comment = the_comment.replace('<', '<')
+ the_comment = the_comment.replace('>', '>')
+
 comment = Comment(post=post, parent=parentComment, date=datetime.now(), author=request.POST['author'],\
- email=request.POST['email'], the_comment=request.POST['the_comment'], ip=ip)
+ email=request.POST['email'], the_comment=the_comment], ip=ip)
 comment.save()
 engine = globals()['post']
@@ -577,17 +583,14 @@ def add_comment(request, post_id, parent_id):
 for email,author in emails.items():
 text_body = u'Bonjour %s,\n\nUn nouveau commentaire a été posté pour l\'article "%s".\n\n' % (author, post.title)
 text_body += u'Pour le consulter, rendez vous sur http://%s%s/#comment_%s\n\n----------------\n\n' % (blog.name, post.getPath(), comment_index)
- text_body += comment.the_comment
+ text_body += the_comment
 text_body += '\n'
 html_body = u'
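Review bot: The new Comment(...) call has a stray `]` — `the_comment=the_comment], ip=ip)` — which is a SyntaxError, so the whole module fails to import; the line should read `email=request.POST['email'], the_comment=the_comment, ip=ip)`. The hand-rolled escaping just above is also too narrow to rely on for the HTML email body: it touches only `<` and `>` (and as rendered here both `replace` calls have identical arguments, so confirm the intended replacement text actually survived), leaving `&` and quote characters untouched, whereas `django.utils.html.escape(request.POST['the_comment'])` covers the full set. Escaping at input time additionally means the stored value and the plain-text `text_body` in the second hunk now carry HTML entities, and any template that renders `the_comment` with autoescaping on will presumably escape it twice; escaping at the point of HTML output (the `html_body` concatenation) avoids both. add_comment's body continues outside the hunk.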
' html_body += u'Bonjour %s,' % (blog.name, post.getPath(), comment_index, blog.name, post.getPath(), comment_index) c = comment.the_comment - # Avoid script injection - c = c.replace('' + html_body += the_comment + '' html_body += '' msg = EmailMultiAlternatives(subject, text_body, 'no-reply@%s' % blog.name , [email])', '<pre>') - c = c.replace('', '</pre>') - html_body += c + '