Fix xss (#173)

Fix #173 Rewrite multi select widget as a template in order to have all values properly escaped.
2024-09-03 19:26:15 +02:00 · 2017-02-16 23:11:30 +01:00 · 2017-02-16 23:11:30 +01:00 · baba943e62
commit baba943e62
parent 3dd7c67ecf
3 changed files with 14 additions and 3 deletions
--- a/budget/forms.py
+++ b/budget/forms.py
@ -118,7 +118,7 @@ class BillForm(Form):
    payer = SelectField(_("Payer"), validators=[Required()], coerce=int)
    amount = CommaDecimalField(_("Amount paid"), validators=[Required()])
    payed_for = SelectMultipleField(_("For whom?"),
-            validators=[Required()], widget=select_multi_checkbox, coerce=int)
+            validators=[Required()], coerce=int)
    submit = SubmitField(_("Submit"))
    submit2 = SubmitField(_("Submit and add a new one"))

--- a/budget/templates/forms.html
+++ b/budget/templates/forms.html
@ -85,7 +85,18 @@
    {{ input(form.what, inline=True) }}
    {{ input(form.payer, inline=True, class="form-control custom-select") }}
    {{ input(form.amount, inline=True) }}
-    {{ input(form.payed_for, inline=True, class="form-check-input") }}
+
+    <div class="form-group row">
+        <label class="col-3" for="payed_for">{{ _("For whom?") }}</label>
+        <div class="controls col-9">
+            <ul id="payed_for" class="inputs-list">
+                <p><a href="#" id="selectall" onclick="selectall()">{{ _("Select all") }}</a> | <a href="#" id="selectnone" onclick="selectnone()">{{_("Select none")}}</a></p>
+            {% for key, value, checked in form.payed_for.iter_choices() %}
+                <p class="form-check"><label for="payed_for-{{key}}" class="form-check-label"><input name="payed_for" type="checkbox" {% if checked %}checked{% endif %} class="form-check-input" value="{{key}}"/><span>{{value}}</span></label></p>
+            {% endfor %}
+            </ul>
+        </div>
+    </div>
    </fieldset>
    <div class="actions">
        {{ form.submit(class="btn btn-primary") }}
--- a/budget/templates/list_bills.html
+++ b/budget/templates/list_bills.html
@ -107,7 +107,7 @@
        <thead><tr><th>{{ _("When?") }}</th><th>{{ _("Who paid?") }}</th><th>{{ _("For what?") }}</th><th>{{ _("For whom?") }}</th><th>{{ _("How much?") }}</th><th>{{ _("Actions") }}</th></tr></thead>
    <tbody>
    {% for bill in bills %}
-    <tr owers={{bill.owers|join(',','id')}} payer={{bill.payer.id}}>
+    <tr owers="{{bill.owers|join(',','id')}}" payer="{{bill.payer.id}}">
            <td>{{ bill.date }}</td>
            <td>{{ bill.payer }}</td>
            <td>{{ bill.what }}</td>