diff --git a/views.py b/views.py
index e3327bf..20a3b0e 100644
--- a/views.py
+++ b/views.py
@@ -539,8 +539,14 @@ def add_comment(request, post_id, parent_id):
 else:
 ip = request.META['REMOTE_ADDR']
+
+ # Avoid script injection
+ the_comment = request.POST['the_comment']
+ the_comment = the_comment.replace('<', '<')
+ the_comment = the_comment.replace('>', '>')
+
 comment = Comment(post=post, parent=parentComment, date=datetime.now(), author=request.POST['author'],\
- email=request.POST['email'], the_comment=request.POST['the_comment'], ip=ip)
+ email=request.POST['email'], the_comment=the_comment, ip=ip)
 comment.save()
 engine = globals()['post']
@@ -577,17 +583,14 @@ def add_comment(request, post_id, parent_id):
 for email,author in emails.items():
 text_body = u'Bonjour %s,\n\nUn nouveau commentaire a été posté pour l\'article "%s".\n\n' % (author, post.title)
 text_body += u'Pour le consulter, rendez vous sur http://%s%s/#comment_%s\n\n----------------\n\n' % (blog.name, post.getPath(), comment_index)
- text_body += comment.the_comment
+ text_body += the_comment
 text_body += '\n'
 html_body = u''
 html_body += u'Bonjour %s,
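Review bot: The escaping added before `Comment(...)` is applied at input time and the escaped text is then persisted through `the_comment=the_comment`, so the stored comment no longer holds what the user typed; Django templates auto-escape on output, which turns the stored entities into `&amp;lt;` when the comment is rendered, and the plain-text email in the second hunk (`text_body += the_comment`) now carries HTML entities inside a text/plain body. As rendered here the two `replace` calls look like no-ops (`replace('<', '<')`), presumably `&lt;`/`&gt;` lost in rendering; even so, two hand-rolled replacements leave `&`, `"` and `'` untouched, which matters as soon as the value lands inside an attribute. Keep the raw value in the model (`the_comment=request.POST['the_comment']`) and escape at the HTML sink instead, `from django.utils.html import escape` and `html_body += escape(comment.the_comment) + ...` in the email loop, while the text body keeps using `comment.the_comment`. `author` reaches `html_body` through the same `%` formatting without any escaping; if it originates from user-submitted comment data it needs the same treatment. `add_comment` starts before this hunk and continues past it.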

Un nouveau commentaire a été posté pour l\'article "%s".

' % (author, post.title) html_body = html_body + u'Pour le consulter, rendez vous sur http://%s%s#comment_%s

----------------
'  % (blog.name, post.getPath(), comment_index, blog.name, post.getPath(), comment_index)
             c = comment.the_comment
-            # Avoid script injection
-            c = c.replace('
', '<pre>')
-            c = c.replace('
', '</pre>') - html_body += c + '
' + html_body += the_comment + '' html_body += '' msg = EmailMultiAlternatives(subject, text_body, 'no-reply@%s' % blog.name , [email])