From f7704b65b40b318b5b1349b5e3000d383f1f58c9 Mon Sep 17 00:00:00 2001
From: Mindiell <github@mindiell.net>
Date: Tue, 5 Jan 2021 21:35:05 +0100
Subject: [PATCH] Security

---
 app.py        | 12 +++++++++++-
 config.py     |  5 ++++-
 template.html |  4 +++-
 3 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/app.py b/app.py
index 8303e07..ed54ccb 100644
--- a/app.py
+++ b/app.py
@@ -14,6 +14,8 @@ application.jinja_env.lstrip_blocks = application.config["JINJA_ENV"]["LSTRIP_BL
 LOG_PATTERN = re.compile(application.config["LOG_PATTERN"])
 LINK_PATTERN = re.compile(application.config["LINK_PATTERN"])
 BOLD_PATTERN = re.compile(application.config["BOLD_PATTERN"])
+SAFE_LT_PATTERN = re.compile(application.config["SAFE_LT_PATTERN"])
+SAFE_GT_PATTERN = re.compile(application.config["SAFE_GT_PATTERN"])
 
 
 def get_archives():
@@ -55,7 +57,7 @@ def archives(year=None, month=None, day=None):
     # Ok, on charge et on affiche le contenu du fichier
     filename = "log-%s-%s-%s.txt" % (year, month, day)
     filepath = os.path.join(application.config["LOG_PATH"], filename)
-    with open(filepath) as f:
+    with open(filepath, encoding="utf-8") as f:
         lines = f.read().splitlines()
     g.lines = []
     g.year, g.month, g.day = year, month, day
@@ -63,6 +65,14 @@ def archives(year=None, month=None, day=None):
         result = LOG_PATTERN.match(line)
         if result is not None:
             message = result.group("message")
+            for text in SAFE_GT_PATTERN.findall(message):
+                message = message.replace(
+                    text, application.config["SAFE_GT_HTML"].format(text=text)
+                )
+            for text in SAFE_LT_PATTERN.findall(message):
+                message = message.replace(
+                    text, application.config["SAFE_LT_HTML"].format(text=text)
+                )
             for link in LINK_PATTERN.findall(message):
                 message = message.replace(
                     link, application.config["LINK_HTML"].format(link=link)
diff --git a/config.py b/config.py
index dbb1f01..d20236c 100644
--- a/config.py
+++ b/config.py
@@ -16,8 +16,11 @@ LOG_PATTERN = r"^%s\s+[<*]\s*(?P<nick>[^> ]+)[> ]\s+(?P<message>.*)$" % DATE_FOR
 # Patterns
 LINK_PATTERN = r"https?://\S+"
 BOLD_PATTERN = r"\*[^\*\s]+\*"
+SAFE_LT_PATTERN = r"<"
+SAFE_GT_PATTERN = r">"
 
 # html
 LINK_HTML = '<a href="{link}">{link}</a>'
 BOLD_HTML = "<b>{text}</b>"
-
+SAFE_LT_HTML = "&lt;"
+SAFE_GT_HTML = "&gt;"
diff --git a/template.html b/template.html
index 4e46e4e..2b43c96 100644
--- a/template.html
+++ b/template.html
@@ -1,6 +1,8 @@
 <!DOCTYPE html>
 <html>
     <head>
+        <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
+        <meta name="viewport" content="width=device-width, initial-scale=1" />
         <title>Logs du chan #afpy pour le </title>
         <style type="text/css">
             body {background-color: #000; color: #fff; font-family: "Verdana"}
@@ -67,7 +69,7 @@
         </div>
         <div id="content">
         {% for line in g.lines %}
-        <span class="time">{{ line.time }}</span> <span class="bracket">&lt;</span><span class="nick">{{ line.nick }}</span><span class="bracket">&gt;</span> <span class="message">{{ line.message |safe }}</span><br />
+        <span class="time">{{ line.time }}</span> <span class="bracket">&lt;</span><span class="nick">{{ line.nick }}</span><span class="bracket">&gt;</span> <span class="message">{{ line.message|safe }}</span><br />
         {% endfor %}
         </div>
     </body>