Anand Doshi
9 年前
共有 2 个文件被更改,包括 10 次插入 和 0 次删除
合并视图
Diff 选项
-
+9 -0frappe/handler.py
-
+1 -0requirements.txt
+ 9
- 0
frappe/handler.py
查看文件
| @@ -10,6 +10,7 @@ import frappe.sessions | |||||
| import frappe.utils.file_manager | import frappe.utils.file_manager | ||||
| import frappe.desk.form.run_method | import frappe.desk.form.run_method | ||||
| from frappe.utils.response import build_response | from frappe.utils.response import build_response | ||||
| import bleach | |||||
| @frappe.whitelist(allow_guest=True) | @frappe.whitelist(allow_guest=True) | ||||
| def version(): | def version(): | ||||
| @@ -91,6 +92,14 @@ def execute_cmd(cmd, from_async=False): | |||||
| if (method not in frappe.guest_methods): | if (method not in frappe.guest_methods): | ||||
| frappe.msgprint(_("Not permitted")) | frappe.msgprint(_("Not permitted")) | ||||
| raise frappe.PermissionError('Not Allowed, {0}'.format(method)) | raise frappe.PermissionError('Not Allowed, {0}'.format(method)) | ||||
| # strictly sanitize form_dict | |||||
| # escapes html characters like <> except for predefined tags like a, b, ul etc. | |||||
| # if required, we can add more whitelisted tags like div, p, etc. (see its documentation) | |||||
| for key, value in frappe.form_dict.items(): | |||||
| if isinstance(value, basestring): | |||||
| frappe.form_dict[key] = bleach.clean(value) | |||||
| else: | else: | ||||
| if not method in frappe.whitelisted: | if not method in frappe.whitelisted: | ||||
| frappe.msgprint(_("Not permitted")) | frappe.msgprint(_("Not permitted")) | ||||
+ 1
- 0
requirements.txt
查看文件
| @@ -29,3 +29,4 @@ email_reply_parser | |||||
| click | click | ||||
| num2words | num2words | ||||
| watchdog==0.8.0 | watchdog==0.8.0 | ||||
| bleach | |||||