author | Sebastian Spaeth <Sebastian@SSpaeth.de> | 2013-01-09 12:38:08 +0100 |
---|---|---|
committer | Sebastian Spaeth <Sebastian@SSpaeth.de> | 2013-01-15 20:08:21 +0100 |
commit | 4ca0755ab63192b9a79c1152673bfeb19e45e8a1 (patch) | |
tree | 3a6e52383d15f92364b60b056d7c4cafec80fc3b /mediagoblin/edit/views.py | |
parent | 7525cdf9eb1dcf8e19b340072247426d0fd570c0 (diff) | |
download | mediagoblin-4ca0755ab63192b9a79c1152673bfeb19e45e8a1.tar.lz mediagoblin-4ca0755ab63192b9a79c1152673bfeb19e45e8a1.tar.xz mediagoblin-4ca0755ab63192b9a79c1152673bfeb19e45e8a1.zip |
Sanitize slug input on media edit
Previously we allowed EVERYTHING, even slashes as slug when editing the media.
Make sure we slugify the input to sanitize it.
(+ string formdata is unicode, so there is no need to convert it)
Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
Diffstat (limited to 'mediagoblin/edit/views.py')
-rw-r--r-- | mediagoblin/edit/views.py | 13 |
1 files changed, 6 insertions, 7 deletions
diff --git a/mediagoblin/edit/views.py b/mediagoblin/edit/views.py
index ece11df5..646a9e5b 100644
--- a/mediagoblin/edit/views.py
+++ b/mediagoblin/edit/views.py
@@ -32,6 +32,7 @@ from mediagoblin.tools.response import render_to_response, redirect
 from mediagoblin.tools.translate import pass_to_ugettext as _
 from mediagoblin.tools.text import (
     convert_to_tag_list_of_dicts, media_tags_as_string)
+from mediagoblin.tools.url import slugify
 from mediagoblin.db.util import check_media_slug_used, check_collection_slug_used
 
 import mimetypes
@@ -57,22 +58,20 @@ def edit_media(request, media):
     if request.method == 'POST' and form.validate():
         # Make sure there isn't already a MediaEntry with such a slug
         # and userid.
-        slug_used = check_media_slug_used(media.uploader, request.form['slug'],
-                                          media.id)
+        slug = slugify(request.form['slug'])
+        slug_used = check_media_slug_used(media.uploader, slug, media.id)
         if slug_used:
             form.slug.errors.append(
                 _(u'An entry with that slug already exists for this user.'))
         else:
-            media.title = unicode(request.form['title'])
-            media.description = unicode(request.form.get('description'))
+            media.title = request.form['title']
+            media.description = request.form.get('description')
             media.tags = convert_to_tag_list_of_dicts(
                 request.form.get('tags'))
             media.license = unicode(request.form.get('license', '')) or None
-
-            media.slug = unicode(request.form['slug'])
-
+            media.slug = slug
             media.save()
 
             return redirect(request, |
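Review bot: `slug = slugify(request.form['slug'])` is never checked for an empty result before it reaches `check_media_slug_used` and `media.slug = slug`, so a submitted slug made only of characters slugify strips (e.g. `///`) would, assuming slugify yields an empty string for such input, be stored as an empty slug and break slug-based lookups for that entry. A guard beside the uniqueness check, `if not slug: form.slug.errors.append(_(u'The slug cannot be empty.'))`, keeps this on the same form-error path the slug-used branch already uses. The uniqueness check followed by `media.save()` remains check-then-act; whether two concurrent edits can both pass depends on a database unique constraint on (uploader, slug) that is not visible here. The import hunk also brings in `check_collection_slug_used`, which suggests a collection edit path in this file that may still store the raw slug and would warrant the same slugify treatment. edit_media begins before this hunk and its body continues after it.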