diff options
| author | Sebastian Spaeth <Sebastian@SSpaeth.de> | 2013-01-09 12:38:08 +0100 |
|---|---|---|
| committer | Elrond <elrond+mediagoblin.org@samba-tng.org> | 2013-01-18 21:24:19 +0100 |
| commit | 9e9d90832511ec57f01e0e4619d8ad844c944467 (patch) | |
| tree | 9a281bef69331fad0b997b24a5eaea2b8923c70f | |
| parent | d92fbdc4ea23ed5bc4f439358d83bee01b76b964 (diff) | |
| download | mediagoblin-9e9d90832511ec57f01e0e4619d8ad844c944467.tar.lz mediagoblin-9e9d90832511ec57f01e0e4619d8ad844c944467.tar.xz mediagoblin-9e9d90832511ec57f01e0e4619d8ad844c944467.zip | |
Sanitize slug input on media edit
Previously we allowed EVERYTHING, even slashes as slug when editing the media.
Make sure we slugify the input to sanitize it.
(+ string formdata is unicode, so there is no need to convert it)
Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
| -rw-r--r-- | mediagoblin/edit/views.py | 13 |
1 files changed, 6 insertions, 7 deletions
diff --git a/mediagoblin/edit/views.py b/mediagoblin/edit/views.py index c656c63f..3beeae8d 100644 --- a/mediagoblin/edit/views.py +++ b/mediagoblin/edit/views.py @@ -33,6 +33,7 @@ from mediagoblin.tools.response import render_to_response, redirect from mediagoblin.tools.translate import pass_to_ugettext as _ from mediagoblin.tools.text import ( convert_to_tag_list_of_dicts, media_tags_as_string) +from mediagoblin.tools.url import slugify from mediagoblin.db.util import check_media_slug_used, check_collection_slug_used import mimetypes @@ -58,22 +59,20 @@ def edit_media(request, media): if request.method == 'POST' and form.validate(): # Make sure there isn't already a MediaEntry with such a slug # and userid. - slug_used = check_media_slug_used(media.uploader, request.form['slug'], - media.id) + slug = slugify(request.form['slug']) + slug_used = check_media_slug_used(media.uploader, slug, media.id) if slug_used: form.slug.errors.append( _(u'An entry with that slug already exists for this user.')) else: - media.title = unicode(request.form['title']) - media.description = unicode(request.form.get('description')) + media.title = request.form['title'] + media.description = request.form.get('description') media.tags = convert_to_tag_list_of_dicts( request.form.get('tags')) media.license = unicode(request.form.get('license', '')) or None - - media.slug = unicode(request.form['slug']) - + media.slug = slug media.save() return redirect(request, |