Extra checks on css
parent
1f1cbd3eea
commit
9726a63c33
22
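--- a/content.py
+++ b/content.py
@@ -181,6 +181,28 @@ def dangerousMarkup(content: str) -> bool:
     return False
 
 
+def dangerousCSS(filename: str) -> bool:
+    """Returns true is the css file contains code which
+    can create security problems
+    """
+    if not os.path.isfile(filename):
+        return False
+
+    with open(filename, 'r') as fp:
+        content = fp.read()
+
+    cssMatches = ('behavior:', ':expression', '?php')
+    for match in cssMatches:
+        if match in content:
+            return True
+
+    # an attacker can include html inside of the css
+    # file as a comment and this may then be run from the html
+    if dangerousMarkup(content):
+        return True
+    return False
+
+
 def switchWords(baseDir: str, nickname: str, domain: str, content: str) -> str:
     """Performs word replacements. eg. Trump -> The Orange Menace
     """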
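Review bot: The substring checks in the added `dangerousCSS` are case-sensitive, but browsers match CSS property names and the `expression()` function case-insensitively, so `BEHAVIOR:` or `:Expression` would pass `cssMatches` unflagged. A cheap fix is to compare against a folded copy, `lowered = content.lower()` and `if match in lowered:`, while still passing the original `content` to `dangerousMarkup` (whether that helper folds case itself is not visible in this hunk). `open(filename, 'r')` also reads with the locale encoding, so `open(filename, 'r', encoding='utf-8')` would make the result deterministic across deployments. The docstring's "Returns true is" reads as "Returns true if". The function relies on `os` being imported in content.py, which this hunk does not show.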
18
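--- a/theme.py
+++ b/theme.py
@@ -10,23 +10,7 @@ import os
 from utils import loadJson
 from utils import saveJson
 from shutil import copyfile
-
-
-def dangerousCSS(filename: str) -> bool:
-    """Returns true is the css file contains code which
-    can create security problems
-    """
-    if not os.path.isfile(filename):
-        return False
-
-    with open(filename, 'r') as fp:
-        css = fp.read()
-
-    cssMatches = ('behavior')
-    for match in cssMatches:
-        if match in css:
-            return True
-    return False
+from content import dangerousCSS
 
 
 def getThemeFiles() -> []: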