X-Git-Url: http://git.ithinksw.org/philo.git/blobdiff_plain/3105e851ce4d7d426b3cffbd601c5b4e12075b41..dbfa7041eadc465c1aaddac3fca41624cbed852d:/validators.py?ds=inline diff --git a/validators.py b/validators.py index 106db8b..8b39abd 100644 --- a/validators.py +++ b/validators.py @@ -1,15 +1,17 @@ from django.utils.translation import ugettext_lazy as _ from django.core.validators import RegexValidator from django.core.exceptions import ValidationError +from django.template import Template, Parser, Lexer, TOKEN_BLOCK, TOKEN_VAR, TemplateSyntaxError from django.utils import simplejson as json import re +from philo.utils import LOADED_TEMPLATE_ATTR -LOADED_TEMPLATE_ATTR = '_philo_loaded_template' INSECURE_TAGS = ( 'load', 'extends', 'include', + 'debug', ) @@ -43,11 +45,8 @@ class URLLinkValidator(RegexValidator): def json_validator(value): try: json.loads(value) - except: - raise ValidationError(u'\'%s\' is not valid JSON' % value) - - -from django.template import Template, Parser, Lexer, TOKEN_BLOCK + except Exception, e: + raise ValidationError(u'JSON decode error: %s' % e) class TemplateValidationParser(Parser): @@ -59,7 +58,7 @@ class TemplateValidationParser(Parser): if secure: disallow |= set(INSECURE_TAGS) - self.allow, self.disallow = allow, disallow + self.allow, self.disallow, self.secure = allow, disallow, secure def parse(self, parse_until=None): if parse_until is None: @@ -112,7 +111,9 @@ class TemplateValidationParser(Parser): return nodelist def disallowed_tag(self, command): - raise ValidationError("Tag not allowed: %s" % command) + if self.secure and command in INSECURE_TAGS: + raise ValidationError('Tag "%s" is not permitted for security reasons.' % command) + raise ValidationError('Tag "%s" is not permitted here.' % command) class TemplateValidator(object):