# HG changeset patch
# User paulb
# Date 1195265117 0
# Node ID a1e9b4cb4e61553bae3cefa7130541abba3a2f05
# Parent b65d621c16daa7d97f0abd7913d14aaa3d07d5f0
[project @ 2007-11-17 02:05:17 by paulb] Introduced HTML escaping in the output. Changed the field names for the application and identities, fixing login failures after initial unsuccessful attempts.
diff -r b65d621c16da -r a1e9b4cb4e61 WebStack/Resources/OpenIDInitiation.py
--- a/WebStack/Resources/OpenIDInitiation.py Sat Nov 17 00:49:08 2007 +0000
+++ b/WebStack/Resources/OpenIDInitiation.py Sat Nov 17 02:05:17 2007 +0000
@@ -22,6 +22,7 @@
import WebStack.Generic
import libxml2dom
+import cgi # for escape
class OpenIDInitiationResource:
@@ -30,7 +31,7 @@
encoding = "utf-8"
openid_ns = "http://specs.openid.net/auth/2.0"
- def __init__(self, openid_mode=None, use_redirect=1, urlencoding=None, encoding=None):
+ def __init__(self, openid_mode=None, use_redirect=0, urlencoding=None, encoding=None):
"""
Initialise the resource.
@@ -155,7 +156,7 @@
trans.set_content_type(WebStack.Generic.ContentType("text/html", self.encoding))
out = trans.get_response_stream()
- out.write(self.initiation_page % app)
+ out.write(self.initiation_page % cgi.escape(app))
def show_success(self, trans, provider, app, claimed_identifier, local_identifier):
@@ -167,9 +168,9 @@
trans.set_content_type(WebStack.Generic.ContentType("text/html", self.encoding))
out = trans.get_response_stream()
- out.write(self.success_page % (
+ out.write(self.success_page % tuple(map(cgi.escape, (
provider, self.openid_ns, self.openid_mode, app, claimed_identifier, local_identifier)
- )
+ )))
initiation_page = """
diff -r b65d621c16da -r a1e9b4cb4e61 WebStack/Resources/OpenIDLogin.py
--- a/WebStack/Resources/OpenIDLogin.py Sat Nov 17 00:49:08 2007 +0000
+++ b/WebStack/Resources/OpenIDLogin.py Sat Nov 17 02:05:17 2007 +0000
@@ -26,6 +26,7 @@
import datetime
import time
import random
+import cgi # for escape
class OpenIDLoginResource:
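Review bot: The `use_redirect` default flips from 1 to 0 in the `__init__` of OpenIDInitiationResource (hunk `@@ -30,7 +31,7 @@`), which changes behaviour for every caller that relies on the default, yet neither the commit description nor the visible start of the docstring mentions it; the same flip appears in the `@@ -34,7 +35,7 @@` hunk of OpenIDLogin.py. Callers that previously took the redirect path will now take the non-redirect path without any code change on their side. Add a sentence to each docstring along the lines of `'use_redirect' now defaults to 0 (off); pass 1 to keep the previous redirect behaviour.` so the change is discoverable. The docstrings continue outside the hunks.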
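Review bot: `cgi.escape(app)` in the `@@ -155,7 +156,7 @@` hunk leaves double quotes untouched, because `cgi.escape` only converts `"` when its second (`quote`) argument is true, so if `initiation_page` (outside this hunk) substitutes `%s` inside an attribute value, a `"` in `app` still terminates that attribute. The same bare `cgi.escape` is used in the `@@ -167,9 +168,9 @@` hunk below and in the `@@ -204,7 +202,7 @@` and `@@ -221,7 +219,10 @@` hunks of OpenIDLogin.py. Turn quoting on at every call site, e.g. `out.write(self.initiation_page % cgi.escape(app, 1))`, and use `lambda s: cgi.escape(s, 1)` in place of the bare `cgi.escape` passed to `map`. The method that writes `initiation_page` starts outside the hunk.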
@@ -34,7 +35,7 @@
encoding = "utf-8"
openid_ns = "http://specs.openid.net/auth/2.0"
- def __init__(self, app_url, authenticator, associations=None, use_redirect=1, urlencoding=None, encoding=None):
+ def __init__(self, app_url, authenticator, associations=None, use_redirect=0, urlencoding=None, encoding=None):
"""
Initialise the resource with the application URL 'app_url' and an
@@ -73,16 +74,17 @@
fields = trans.get_fields(self.encoding)
+ app = fields.get("openid.return_to", [""])[0]
+ claimed_id = fields.get("openid.claimed_id", [""])[0]
+ local_id = fields.get("openid.identity", [""])[0]
+
if fields.has_key("login"):
# Check a combination of local identifier and username together with
# the password.
- claimed_id = fields.get("claimed_id", [""])[0]
- local_id = fields.get("local_id", [""])[0]
username = fields.get("username", [""])[0]
password = fields.get("password", [""])[0]
- app = fields.get("app", [""])[0]
# NOTE: Permit flexibility in the credentials.
@@ -112,10 +114,6 @@
# Otherwise, show the login form.
- app = fields.get("openid.return_to", [""])[0]
- claimed_id = fields.get("openid.claimed_id", [""])[0]
- local_id = fields.get("openid.identity", [""])[0]
-
self.show_login(trans, app, claimed_id, local_id)
def _redirect(self, trans, claimed_id, local_id, username, app):
@@ -204,7 +202,7 @@
trans.set_content_type(WebStack.Generic.ContentType("text/html", self.encoding))
out = trans.get_response_stream()
- out.write(self.login_page % (app, claimed_id, local_id))
+ out.write(self.login_page % tuple(map(cgi.escape, (app, claimed_id, local_id))))
def show_success(self, trans, app, mode, signed_names, signature, fields):
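Review bot: In the `@@ -73,16 +74,17 @@` hunk `app` is now taken from the request's `openid.return_to` for both the login-form branch and the credential-check branch, and nothing in the hunk validates it against `openid.realm` or a list of known relying parties before it is handed to `show_login` and, presumably, `_redirect` (whose body is outside the hunk); if `_redirect` sends the browser to `app`, any return URL supplied in the request is honoured. Validate `openid.return_to` once, immediately after it is read, and refuse the request when it does not match the realm, so both branches share the check. The enclosing method starts before this hunk and continues past it.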
@@ -221,7 +219,10 @@
l = []
for name, value in fields.items():
l.append("""""" % (name, value[0]))
- out.write(self.success_page % (app, self.openid_ns, mode, ",".join(signed_names), signature, "\n".join(l)))
+ args = tuple(
+ map(cgi.escape, (app, self.openid_ns, mode, ",".join(signed_names), signature))
+ ) + ("\n".join(l),)
+ out.write(self.success_page % args)
login_page = """
@@ -234,9 +235,9 @@
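Review bot: The per-field markup collected in `l` from `name` and `value[0]` of `fields` is joined and concatenated onto `args` after the `map(cgi.escape, ...)` call, so the request fields echoed back into `success_page` are the one substitution the new escaping does not cover. Escape both values where they are appended, e.g. `% (cgi.escape(name, 1), cgi.escape(value[0], 1))`; the quote flag matters because the string literal (stripped on this page) presumably places them in attribute values of a hidden input. show_success starts outside the hunk.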

Username:

Password:

- - - + + +