X-Git-Url: https://git.openstreetmap.org./nominatim.git/blobdiff_plain/7b27c04b8392d0babe33cf53e2838b05ffbcbacf..bc7adbae2bc8ebc61bca3800155d070908502dd9:/nominatim/api/logging.py
diff --git a/nominatim/api/logging.py b/nominatim/api/logging.py
index e16e0bd2..30999a3f 100644
--- a/nominatim/api/logging.py
+++ b/nominatim/api/logging.py
@@ -13,6 +13,7 @@ import datetime as dt
import textwrap
import io
import re
+import html
import sqlalchemy as sa
from sqlalchemy.ext.asyncio import AsyncConnection
@@ -83,7 +84,7 @@ class BaseLogger:
def format_sql(self, conn: AsyncConnection, statement: 'sa.Executable',
extra_params: Union[Mapping[str, Any],
Sequence[Mapping[str, Any]], None]) -> str:
- """ Return the comiled version of the statement.
+ """ Return the compiled version of the statement.
"""
compiled = cast('sa.ClauseElement', statement).compile(conn.sync_engine)
@@ -227,7 +228,7 @@ class HTMLLogger(BaseLogger):
HtmlFormatter(nowrap=True, lineseparator='
'))
self._write(f'
{sqlstr}
{sqlstr}
')
+ self._write(f'{html.escape(sqlstr)}
')
def _python_var(self, var: Any) -> str:
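Review bot: The new `html.escape(sqlstr)` covers only the plain-text branch; in the CODE_HIGHLIGHT branch just above, the `sqlstr` returned by `highlight(...)` is still interpolated into the page unescaped, so that branch now relies on Pygments' HtmlFormatter escaping token text itself, which I believe it does but nothing in the hunk says so. A one-line comment above the highlighted `self._write(...)` call, e.g. `# highlight() already HTML-escapes the token text; only the plain branch needs html.escape()`, would stop a later edit from dropping the escape or adding a second one. Since this logger renders request-derived SQL into an HTML debug page, any other `_write` call in HTMLLogger that interpolates strings from the request presumably needs the same treatment, but those lines are outside this hunk. The enclosing method begins before the hunk.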
@@ -235,7 +236,7 @@ class HTMLLogger(BaseLogger):
fmt = highlight(str(var), PythonLexer(), HtmlFormatter(nowrap=True))
return f'{fmt}
{str(var)}
'
+ return f'{html.escape(str(var))}
'
def _write(self, text: str) -> None: