X-Git-Url: https://git.openstreetmap.org./nominatim.git/blobdiff_plain/05e47fbb28eb0f3f7803b6bfe194896b6e6c1ed0..78c19bc006d5957f183968d086226be4b2b65fe3:/nominatim/api/logging.py
diff --git a/nominatim/api/logging.py b/nominatim/api/logging.py
index e16e0bd2..30999a3f 100644
--- a/nominatim/api/logging.py
+++ b/nominatim/api/logging.py
@@ -13,6 +13,7 @@ import datetime as dt
 import textwrap
 import io
 import re
+import html
 
 import sqlalchemy as sa
 from sqlalchemy.ext.asyncio import AsyncConnection
@@ -83,7 +84,7 @@ class BaseLogger:
     def format_sql(self, conn: AsyncConnection, statement: 'sa.Executable',
                    extra_params: Union[Mapping[str, Any],
                                        Sequence[Mapping[str, Any]], None]) -> str:
-        """ Return the comiled version of the statement.
+        """ Return the compiled version of the statement.
         """
         compiled = cast('sa.ClauseElement', statement).compile(conn.sync_engine)
 
@@ -227,7 +228,7 @@ class HTMLLogger(BaseLogger):
                                 HtmlFormatter(nowrap=True, lineseparator='
')) self._write(f'
{sqlstr}
') else: - self._write(f'{sqlstr}') + self._write(f'{html.escape(sqlstr)}') def _python_var(self, var: Any) -> str: @@ -235,7 +236,7 @@ class HTMLLogger(BaseLogger): fmt = highlight(str(var), PythonLexer(), HtmlFormatter(nowrap=True)) return f'
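Review bot: The escape in the `else` branch closes the plain-text sink for `sqlstr`, but whether the other `_write` call sites in HTMLLogger that interpolate request-derived values (headers, result rows, if any) escape them is not visible in this hunk and should be checked in the same pass, since they land in the same HTML document. The `highlight()` branch above does not need it because pygments' HtmlFormatter escapes its input; `sqlstr` is the formatter output there, not the raw statement. A one-line why-comment would keep the invariant visible to the next editor: `# sqlstr may carry user-supplied query parameters; escape before emitting raw HTML`. The `_python_var` hunk below has the same shape (`html.escape(str(var))`) and the same remarks apply. The enclosing method starts before this hunk.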
{fmt}
' - return f'{str(var)}' + return f'{html.escape(str(var))}' def _write(self, text: str) -> None: