From 23a91c385da1f99186e125f3c1f5fb1202305d80 Mon Sep 17 00:00:00 2001
From: Caleb Ely
Date: Mon, 16 Aug 2021 20:51:37 -0400
Subject: [PATCH] Escape link info on update
---
 CHANGES.md | 6 ++++++
 docker-compose.yml | 1 -
 src/core/database/weblink.py | 3 ++-
 3 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index 8d0f222..9fd1858 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,3 +1,9 @@
+# 1.0.3
+
+_Unreleased_
+
+- Escape link info on update
+
 # 1.0.2
 _Released August 16, 2021_
diff --git a/docker-compose.yml b/docker-compose.yml
index ca42cc8..c7faf0b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -12,5 +12,4 @@ services:
 - 127.0.0.1:5000:80
 environment:
 - FLASK_ENV=production
- - SYS_VARS_PATH=/app/secrets
 - TIMES_FAILED_THRESHOLD=5
diff --git a/src/core/database/weblink.py b/src/core/database/weblink.py
index 4cc4c48..9d9bbc1 100644
--- a/src/core/database/weblink.py
+++ b/src/core/database/weblink.py
@@ -61,7 +61,8 @@ def update(data: OrderedDict) -> bool:
 return False
 db.session.query(WebLink).filter_by(id=data["id"]).update(
- data, synchronize_session="fetch"
+ {k: Markup(v).striptags() for k, v in data.items()},
+ synchronize_session="fetch",
 )
 db.session.commit()
 return True
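Review bot: `Markup(v).striptags()` in the dict passed to `.update()` in weblink.py does not escape anything: it removes tags and then resolves HTML entities, so entity-encoded input such as `&lt;b&gt;` is stored as a literal `<b>`, and the stored value is only safe if every place that renders it still escapes on output. If the intent is to store escaped text, `markupsafe.escape(v)` is the call that does that. The comprehension also runs over every value in `data`, including `id`, so non-string values are turned into text and a `None` becomes the string `"None"`; if `data` can carry such values (not visible here), limit the cleaning to strings, e.g. `{k: Markup(v).striptags() if isinstance(v, str) else v for k, v in data.items()}`. The body of `update` starts above the hunk, and this commit adds no import of `Markup`, so it is presumably already imported in the file.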