]> git.openstreetmap.org Git - osqa.git/blob - forum/settings/forms.py
Fixes OSQA 455. Multiple cross site scripting(XSS) vulnerabilities.
[osqa.git] / forum / settings / forms.py
1 import os
2 from string import strip
3 from django import forms
4 from forum.settings.base import Setting
5 from django.utils.translation import ugettext as _
6 from django.core.files.storage import FileSystemStorage
7
8 class DummySetting:
9     pass
10
11 class UnfilteredField(forms.CharField):
12     def clean(self, value):
13             return value
14
15
16 class SettingsSetForm(forms.Form):
17     def __init__(self, set, data=None, unsaved=None, *args, **kwargs):
18         initial = dict([(setting.name, setting.value) for setting in set])
19
20         if unsaved:
21             initial.update(unsaved)
22
23         super(SettingsSetForm, self).__init__(data, initial=initial, *args, **kwargs)
24
25         for setting in set:
26             widget = setting.field_context.get('widget', None)
27
28             if widget is forms.CheckboxSelectMultiple or widget is forms.SelectMultiple or isinstance(widget, forms.SelectMultiple):
29                 field = forms.MultipleChoiceField(**setting.field_context)
30             elif widget is forms.RadioSelect or isinstance(widget, forms.RadioSelect):
31                 field = forms.ChoiceField(**setting.field_context)
32             elif isinstance(setting, (Setting.emulators.get(str, DummySetting), Setting.emulators.get(unicode, DummySetting))):
33                 if not setting.field_context.get('widget', None):
34                     setting.field_context['widget'] = forms.TextInput(attrs={'class': 'longstring'})
35                 field = forms.CharField(**setting.field_context)
36             elif isinstance(setting, Setting.emulators.get(float, DummySetting)):
37                 field = forms.FloatField(**setting.field_context)
38             elif isinstance(setting, Setting.emulators.get(int, DummySetting)):
39                 field = forms.IntegerField(**setting.field_context)
40             elif isinstance(setting, Setting.emulators.get(bool, DummySetting)):
41                 field = forms.BooleanField(**setting.field_context)
42             else:
43                 field = UnfilteredField(**setting.field_context)
44
45             self.fields[setting.name] = field
46
47         self.set = set
48
49     def as_table(self):
50         return self._html_output(
51                 u'<tr><th>%(label)s' + ('<br /><a class="fieldtool context" href="#">%s</a><span class="sep">|</span><a class="fieldtool default" href="#">%s</a></th>' % (
52                     _('context'), _('default'))) + u'<td>%(errors)s%(field)s%(help_text)s</td>',
53                 u'<tr><td colspan="2">%s</td></tr>', '</td></tr>', u'<br />%s', False)
54
55     def save(self):
56         for setting in self.set:
57             setting.set_value(self.cleaned_data[setting.name])
58
59 class ImageFormWidget(forms.Widget):
60     def render(self, name, value, attrs=None):
61         return """
62             <img src="%(value)s" /><br />
63             %(change)s: <input type="file" name="%(name)s" />
64             <input type="hidden" name="%(name)s_old" value="%(value)s" />
65             """ % {'name': name, 'value': value, 'change': _('Change this:')}
66
67     def value_from_datadict(self, data, files, name):
68         if name in files:
69             f = files[name]
70
71             # check file type
72             file_name_suffix = os.path.splitext(f.name)[1].lower()
73
74             if not file_name_suffix in ('.jpg', '.jpeg', '.gif', '.png', '.bmp', '.tiff', '.ico'):
75                 raise Exception('File type not allowed')
76
77             from forum.settings import UPFILES_FOLDER, UPFILES_ALIAS
78
79             storage = FileSystemStorage(str(UPFILES_FOLDER), str(UPFILES_ALIAS))
80             new_file_name = storage.save(f.name, f)
81             return str(UPFILES_ALIAS) + new_file_name
82         else:
83             if "%s_old" % name in data:
84                 return data["%s_old" % name]
85             elif name in data:
86                 return data[name]
87
88 class StringListWidget(forms.Widget):
89     def render(self, name, value, attrs=None):
90         ret = ""
91         for s in value:
92             ret += """
93             <div class="string-list-input">
94                 <input type="text" name="%(name)s" value="%(value)s" />
95                 <button class="string_list_widget_button">-</button>
96             </div>
97             """  % {'name': name, 'value': s}
98
99         return """
100             <div class="string_list_widgets">
101                 %(ret)s
102                 <div><button name="%(name)s" class="string_list_widget_button add">+</button></div>
103             </div>
104             """ % dict(name=name, ret=ret)
105
106     def value_from_datadict(self, data, files, name):
107         if 'submit' in data:
108             return data.getlist(name)
109         else:
110             return data[name]
111
112 class CommaStringListWidget(forms.Textarea):
113     def render(self, name, value, attrs=None):
114         return super(CommaStringListWidget, self).render(name, ', '.join(value), attrs)
115
116
117     def value_from_datadict(self, data, files, name):
118         if 'submit' in data:
119             return map(strip, data[name].split(','))
120         else:
121             return ', '.join(data[name])    
122
123
124
125
126