From a57544db1d096a566fa3da09cf29fdca523b50b7 Mon Sep 17 00:00:00 2001 From: virusdefender <1670873886@qq.com> Date: Tue, 22 Sep 2015 16:17:53 +0800 Subject: [PATCH 1/7] =?UTF-8?q?=E5=8F=AA=E6=9C=89=E7=AE=A1=E7=90=86?= =?UTF-8?q?=E5=91=98=E6=89=8D=E8=83=BD=E6=9F=A5=E7=9C=8B=E6=89=80=E6=9C=89?= =?UTF-8?q?=E4=BA=BA=E7=9A=84=E6=8F=90=E4=BA=A4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- submission/views.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/submission/views.py b/submission/views.py index c0487e51..05dbd1ed 100644 --- a/submission/views.py +++ b/submission/views.py @@ -162,7 +162,7 @@ def my_submission_list_page(request, page=1): 我的所有提交的列表页 """ # 显示所有人的提交 这是管理员的调试功能 - show_all = request.GET.get("show_all", False) == "true" + show_all = request.GET.get("show_all", False) == "true" and request.user.admin_type == SUPER_ADMIN if show_all: submissions = Submission.objects.filter(contest_id__isnull=True) else: From 172d45eb78092f8a2f229af7e2a7eb3c4201042d Mon Sep 17 00:00:00 2001 From: virusdefender <1670873886@qq.com> Date: Tue, 22 Sep 2015 16:18:32 +0800 Subject: [PATCH 2/7] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E5=88=A4=E6=96=AD?= =?UTF-8?q?=E7=AE=A1=E7=90=86=E5=91=98=E6=9D=83=E9=99=90=E7=9A=84=20decora?= =?UTF-8?q?tor?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- account/decorators.py | 29 ++++++++++++++++++++++++++--- 1 file changed, 26 insertions(+), 3 deletions(-) diff --git a/account/decorators.py b/account/decorators.py index 4113dd01..1181c6a5 100644 --- a/account/decorators.py +++ b/account/decorators.py @@ -4,7 +4,7 @@ from django.http import HttpResponse, HttpResponseRedirect from django.shortcuts import render from utils.shortcuts import error_response, error_page -from .models import User +from .models import User, SUPER_ADMIN def login_required(func): @@ -12,7 +12,10 @@ def login_required(func): def check(*args, **kwargs): # 在class based views 里面,args 有两个元素,一个是self, 第二个才是request, # 在function based views 里面,args 只有request 一个参数 - request = args[-1] + if len(args) == 2: + request = args[-1] + else: + request = args[0] if request.user.is_authenticated(): return func(*args, **kwargs) if request.is_ajax(): @@ -25,7 +28,10 @@ def login_required(func): def admin_required(func): @wraps(func) def check(*args, **kwargs): - request = args[-1] + if len(args) == 2: + request = args[-1] + else: + request = args[0] if request.user.is_authenticated() and request.user.admin_type: return func(*args, **kwargs) if request.is_ajax(): @@ -33,3 +39,20 @@ def admin_required(func): else: return error_page(request, u"需要管理员权限,如果没有登录,请先登录") return check + + +def super_admin_required(func): + @wraps(func) + def check(*args, **kwargs): + if len(args) == 2: + request = args[-1] + else: + request = args[0] + if request.user.is_authenticated() and request.user.admin_type == SUPER_ADMIN: + return func(*args, **kwargs) + if request.is_ajax(): + return error_response(u"需要超级管理员权限") + else: + return error_page(request, u"需要超级管理员权限") + + return check \ No newline at end of file From 707e38ac79e0260a60c7a8d1b23a2282fc924797 Mon Sep 17 00:00:00 2001 From: virusdefender <1670873886@qq.com> Date: Tue, 22 Sep 2015 16:19:08 +0800 Subject: [PATCH 3/7] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E9=83=A8=E5=88=86?= =?UTF-8?q?=E6=B3=A8=E9=87=8A=EF=BC=8C=E4=BF=AE=E8=A1=A5=E9=83=A8=E5=88=86?= =?UTF-8?q?=E6=B2=A1=E6=9C=89=E5=88=A4=E6=96=AD=E6=9D=83=E9=99=90=E7=9A=84?= =?UTF-8?q?=E9=97=AE=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- problem/decorators.py | 28 ++++++++++++++++++++++++++ problem/views.py | 46 ++++++++++++++++++++++++++++++++----------- 2 files changed, 62 insertions(+), 12 deletions(-) create mode 100644 problem/decorators.py diff --git a/problem/decorators.py b/problem/decorators.py new file mode 100644 index 00000000..762c54a7 --- /dev/null +++ b/problem/decorators.py @@ -0,0 +1,28 @@ +# coding=utf-8 +from functools import wraps + +from account.models import SUPER_ADMIN +from utils.shortcuts import error_response +from .models import Problem + + +def check_user_problem_permission(func): + @wraps(func) + def check(*args, **kwargs): + # 在class based views 里面,args 有两个元素,一个是self, 第二个才是request, + # 在function based views 里面,args 只有request 一个参数 + if len(args) == 2: + request = args[-1] + else: + request = args[0] + + # 这是在后台使用的url middleware 已经确保用户是登录状态的了 + if request.user.admin_type == SUPER_ADMIN: + return func(*args, **kwargs) + try: + Problem.objects.get(id=request.data.get("problem_id", -1), created_by=request.user) + except Problem.DoesNotExist: + return error_response(u"问题不存在") + return func(*args, **kwargs) + + return check diff --git a/problem/views.py b/problem/views.py index dbe125ad..8dc42d63 100644 --- a/problem/views.py +++ b/problem/views.py @@ -4,6 +4,7 @@ import re import os import hashlib import json +import logging from django.shortcuts import render from django.db.models import Q, Count @@ -13,19 +14,23 @@ from rest_framework.views import APIView from django.conf import settings - -from announcement.models import Announcement +from account.models import SUPER_ADMIN +from account.decorators import super_admin_required from utils.shortcuts import (serializer_invalid_response, error_response, success_response, paginate, rand_str, error_page) from .serizalizers import (CreateProblemSerializer, EditProblemSerializer, ProblemSerializer, ProblemTagSerializer, CreateProblemTagSerializer) from .models import Problem, ProblemTag -import logging +from .decorators import check_user_problem_permission + logger = logging.getLogger("app_info") def problem_page(request, problem_id): + """ + 前台题目详情页 + """ try: problem = Problem.objects.get(id=problem_id, visible=True) except Problem.DoesNotExist: @@ -34,11 +39,15 @@ def problem_page(request, problem_id): class ProblemTagAdminAPIView(APIView): + """ + 获取所有标签的列表 + """ def get(self, request): return success_response(ProblemTagSerializer(ProblemTag.objects.all(), many=True).data) class ProblemAdminAPIView(APIView): + @super_admin_required def post(self, request): """ 题目发布json api接口 @@ -72,6 +81,7 @@ class ProblemAdminAPIView(APIView): else: return serializer_invalid_response(serializer) + @check_user_problem_permission def put(self, request): """ 题目编辑json api接口 @@ -82,11 +92,7 @@ class ProblemAdminAPIView(APIView): serializer = EditProblemSerializer(data=request.data) if serializer.is_valid(): data = serializer.data - try: - problem = Problem.objects.get(id=data["id"]) - except Problem.DoesNotExist: - return error_response(u"该题目不存在!") - + problem = Problem.objects.get(id=data["id"]) problem.title = data["title"] problem.description = data["description"] problem.input_description = data["input_description"] @@ -123,23 +129,36 @@ class ProblemAdminAPIView(APIView): problem_id = request.GET.get("problem_id", None) if problem_id: try: + # 普通管理员只能获取自己创建的题目 + # 超级管理员可以获取全部的题目 problem = Problem.objects.get(id=problem_id) + if request.user.admin_type != SUPER_ADMIN: + problem = problem.get(created_by=request.user) return success_response(ProblemSerializer(problem).data) except Problem.DoesNotExist: return error_response(u"题目不存在") - problem = Problem.objects.all().order_by("-create_time") + + # 获取问题列表 + problems = Problem.objects.all().order_by("-create_time") + + if request.user.admin_type != SUPER_ADMIN: + problems = problems.filter(created_by=request.user) + visible = request.GET.get("visible", None) if visible: - problem = problem.filter(visible=(visible == "true")) + problems = problems.filter(visible=(visible == "true")) keyword = request.GET.get("keyword", None) if keyword: - problem = problem.filter(Q(title__contains=keyword) | + problems = problems.filter(Q(title__contains=keyword) | Q(description__contains=keyword)) - return paginate(request, problem, ProblemSerializer) + return paginate(request, problems, ProblemSerializer) class TestCaseUploadAPIView(APIView): + """ + 上传题目的测试用例 + """ def _is_legal_test_case_file_name(self, file_name): # 正整数开头的 .in 或者.out 结尾的 regex = r"^[1-9]\d*\.(in|out)$" @@ -237,6 +256,9 @@ class TestCaseUploadAPIView(APIView): def problem_list_page(request, page=1): + """ + 前台的问题列表 + """ # 正常情况 problems = Problem.objects.filter(visible=True) From 389c1905a6f4dd1a75c3e4d6ed901ad332cb1188 Mon Sep 17 00:00:00 2001 From: virusdefender <1670873886@qq.com> Date: Tue, 22 Sep 2015 16:19:40 +0800 Subject: [PATCH 4/7] =?UTF-8?q?=E4=BF=AE=E8=A1=A5=E9=83=A8=E5=88=86?= =?UTF-8?q?=E6=B2=A1=E6=9C=89=E5=88=A4=E6=96=AD=E6=AF=94=E8=B5=9B=E6=9D=83?= =?UTF-8?q?=E9=99=90=E7=9A=84=E9=97=AE=E9=A2=98=EF=BC=9B=E5=A2=9E=E5=8A=A0?= =?UTF-8?q?=E6=AF=94=E8=B5=9B=E8=B0=83=E8=AF=95=E6=A8=A1=E5=BC=8F=E7=9A=84?= =?UTF-8?q?=E9=A1=B5=E9=9D=A2=E6=8F=90=E7=A4=BA?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- contest/views.py | 60 ++++++++++++-------- template/src/oj/contest/contest_problem.html | 4 +- 2 files changed, 37 insertions(+), 27 deletions(-) diff --git a/contest/views.py b/contest/views.py index 1869bb5f..8e0a2ac4 100644 --- a/contest/views.py +++ b/contest/views.py @@ -16,7 +16,7 @@ from utils.shortcuts import (serializer_invalid_response, error_response, from account.models import SUPER_ADMIN, User from account.decorators import login_required from group.models import Group -from .models import Contest, ContestProblem, ContestSubmission +from .models import Contest, ContestProblem, ContestSubmission, CONTEST_ENDED, CONTEST_NOT_START, CONTEST_UNDERWAY from .models import GROUP_CONTEST, PUBLIC_CONTEST, PASSWORD_PROTECTED_CONTEST from .decorators import check_user_contest_permission from .serializers import (CreateContestSerializer, ContestSerializer, EditContestSerializer, @@ -45,10 +45,10 @@ class ContestAdminAPIView(APIView): if data["contest_type"] in [PUBLIC_CONTEST, PASSWORD_PROTECTED_CONTEST]: if request.user.admin_type != SUPER_ADMIN: return error_response(u"只有超级管理员才可创建公开赛") + if data["contest_type"] == PASSWORD_PROTECTED_CONTEST: if not data["password"]: return error_response(u"此比赛为有密码的公开赛,密码不可为空") - # 没有密码的公开赛 没有密码的小组赛 elif data["contest_type"] == GROUP_CONTEST: if request.user.admin_type == SUPER_ADMIN: @@ -58,7 +58,7 @@ class ContestAdminAPIView(APIView): if not groups.count(): return error_response(u"请至少选择一个小组") if data["start_time"] >= data["end_time"]: - return error_response(u"比赛的开始时间不能晚于或等于比赛结束的时间") + return error_response(u"比赛的开始时间必须早于比赛结束的时间") try: contest = Contest.objects.create(title=data["title"], description=data["description"], mode=data["mode"], contest_type=data["contest_type"], @@ -86,7 +86,10 @@ class ContestAdminAPIView(APIView): data = serializer.data groups = [] try: + # 超级管理员可以编辑所有的 contest = Contest.objects.get(id=data["id"]) + if request.user.admin_type != SUPER_ADMIN: + contest = contest.get(created_by=request.user) except Contest.DoesNotExist: return error_response(u"该比赛不存在!") try: @@ -109,9 +112,8 @@ class ContestAdminAPIView(APIView): if not groups.count(): return error_response(u"请至少选择一个小组") if data["start_time"] >= data["end_time"]: - return error_response(u"比赛的开始时间不能晚于或等于比赛结束的时间") - if request.user.admin_type != SUPER_ADMIN and request.user != contest.created_by: - return error_response(u"你无权修改该比赛!") + return error_response(u"比赛的开始时间必须早于比赛结束的时间") + contest.title = data["title"] contest.description = data["description"] contest.mode = data["mode"] @@ -163,6 +165,8 @@ class ContestProblemAdminAPIView(APIView): data = serializer.data try: contest = Contest.objects.get(id=data["contest_id"]) + if request.user.admin_type != SUPER_ADMIN: + contest = contest.get(created_by=request.user) except Contest.DoesNotExist: return error_response(u"比赛不存在") contest_problem = ContestProblem.objects.create(title=data["title"], @@ -199,7 +203,7 @@ class ContestProblemAdminAPIView(APIView): return error_response(u"该比赛题目不存在!") contest = Contest.objects.get(id=contest_problem.contest_id) if request.user.admin_type != SUPER_ADMIN and contest.created_by != request.user: - return error_response(u"你无权修改该题目!") + return error_response(u"比赛不存在") contest_problem.title = data["title"] contest_problem.description = data["description"] contest_problem.input_description = data["input_description"] @@ -227,29 +231,27 @@ class ContestProblemAdminAPIView(APIView): if contest_problem_id: try: contest_problem = ContestProblem.objects.get(id=contest_problem_id) + if request.user.admin_type != SUPER_ADMIN: + contest_problem = contest_problem.get(created_by=request.user) return success_response(ContestProblemSerializer(contest_problem).data) except ContestProblem.DoesNotExist: return error_response(u"比赛题目不存在") - if request.user.admin_type == SUPER_ADMIN: - contest_problem = ContestProblem.objects.all().order_by("sort_index") - else: - contest_problem = ContestProblem.objects.filter(created_by=request.user).order_by("sort_index") + + contest_problems = ContestProblem.objects.all().order_by("sort_index") + if request.user.admin_type != SUPER_ADMIN: + contest_problems = contest_problems.filter(created_by=request.user).order_by("sort_index") visible = request.GET.get("visible", None) if visible: - contest_problem = contest_problem.filter(visible=(visible == "true")) + contest_problems = contest_problems.filter(visible=(visible == "true")) keyword = request.GET.get("keyword", None) if keyword: - contest_problem = contest_problem.filter(Q(title__contains=keyword) | + contest_problems = contest_problems.filter(Q(title__contains=keyword) | Q(description__contains=keyword)) contest_id = request.GET.get("contest_id", None) if contest_id: - try: - contest = Contest.objects.get(id=contest_id) - except Contest.DoesNotExist: - return error_response(u"该比赛不存在!") - contest_problem = contest_problem.filter(contest=contest).order_by("sort_index") + contest_problem = contest_problems.filter(contest__id=contest_id).order_by("sort_index") - return paginate(request, contest_problem, ContestProblemSerializer) + return paginate(request, contest_problems, ContestProblemSerializer) class ContestPasswordVerifyAPIView(APIView): @@ -306,12 +308,23 @@ def contest_problem_page(request, contest_id, contest_problem_id): pass # 已经结束 - if contest.status == -1: + if contest.status == CONTEST_ENDED: show_warning = True warning = u"比赛已经结束" + elif contest.status == CONTEST_NOT_START: + show_warning = True + warning = u"比赛没有开始,您是管理员,可以提交和测试题目,但是目前的提交不会计入排名。" + + show_submit_code_area = False + if contest.status == CONTEST_UNDERWAY: + show_submit_code_area = True + if request.user.admin_type == SUPER_ADMIN or request.user == contest.created_by: + show_submit_code_area = True + return render(request, "oj/contest/contest_problem.html", {"contest_problem": contest_problem, "contest": contest, "samples": json.loads(contest_problem.samples), - "show_warning": show_warning, "warning": warning}) + "show_warning": show_warning, "warning": warning, + "show_submit_code_area": show_submit_code_area}) @check_user_contest_permission @@ -319,10 +332,7 @@ def contest_problems_list_page(request, contest_id): """ 比赛所有题目的列表页 """ - try: - contest = Contest.objects.get(id=contest_id) - except Contest.DoesNotExist: - return error_page(request, u"比赛不存在") + contest = Contest.objects.get(id=contest_id) contest_problems = ContestProblem.objects.filter(contest=contest).order_by("sort_index") submissions = ContestSubmission.objects.filter(user=request.user, contest=contest) state = {} diff --git a/template/src/oj/contest/contest_problem.html b/template/src/oj/contest/contest_problem.html index 64cff29a..0b07c566 100644 --- a/template/src/oj/contest/contest_problem.html +++ b/template/src/oj/contest/contest_problem.html @@ -60,7 +60,7 @@
{{ contest_problem.hint|safe }}
{% endif %} - {% ifequal contest.status 0 %} + {% if show_submit_code_area %}
@@ -86,7 +86,7 @@
- {% endifequal %} + {% endif %} {% if show_warning %} {% endif %} From b224a823fe7dc87ed9ad3aa6e3787c3283d13e65 Mon Sep 17 00:00:00 2001 From: virusdefender <1670873886@qq.com> Date: Tue, 22 Sep 2015 16:26:42 +0800 Subject: [PATCH 5/7] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=20demo=20=E7=BD=91?= =?UTF-8?q?=E5=9D=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index cdf478d7..d3e2a57d 100644 --- a/README.md +++ b/README.md @@ -4,11 +4,12 @@ 文档:https://www.zybuluo.com/virusdefender/note/171932 +demo: https://qduoj.com + TODO: - 完善文档,目前还差很多 - 完善测试 - - 搭建 demo 站点 ![oj_previewindex.png][1] From c26fd6734d1dd9f249582c38acf0a79ad3075f98 Mon Sep 17 00:00:00 2001 From: virusdefender <1670873886@qq.com> Date: Tue, 22 Sep 2015 17:03:53 +0800 Subject: [PATCH 6/7] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E5=AF=8C=E6=96=87?= =?UTF-8?q?=E6=9C=AC=E7=9A=84=20xss=20=E8=BF=87=E6=BB=A4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../migrations/0003_auto_20150922_1703.py | 20 ++ announcement/models.py | 3 +- contest/migrations/0010_auto_20150922_1703.py | 25 +++ contest/models.py | 4 +- problem/migrations/0008_auto_20150922_1702.py | 20 ++ problem/models.py | 3 +- utils/models.py | 14 ++ utils/xss_filter.py | 202 ++++++++++++++++++ 8 files changed, 288 insertions(+), 3 deletions(-) create mode 100644 announcement/migrations/0003_auto_20150922_1703.py create mode 100644 contest/migrations/0010_auto_20150922_1703.py create mode 100644 problem/migrations/0008_auto_20150922_1702.py create mode 100644 utils/models.py create mode 100644 utils/xss_filter.py diff --git a/announcement/migrations/0003_auto_20150922_1703.py b/announcement/migrations/0003_auto_20150922_1703.py new file mode 100644 index 00000000..4019377d --- /dev/null +++ b/announcement/migrations/0003_auto_20150922_1703.py @@ -0,0 +1,20 @@ +# -*- coding: utf-8 -*- +from __future__ import unicode_literals + +from django.db import models, migrations +import utils.models + + +class Migration(migrations.Migration): + + dependencies = [ + ('announcement', '0002_auto_20150818_1445'), + ] + + operations = [ + migrations.AlterField( + model_name='announcement', + name='content', + field=utils.models.RichTextField(), + ), + ] diff --git a/announcement/models.py b/announcement/models.py index c3267f12..7442721a 100644 --- a/announcement/models.py +++ b/announcement/models.py @@ -3,13 +3,14 @@ from django.db import models from account.models import User from group.models import Group +from utils.models import RichTextField class Announcement(models.Model): # 标题 title = models.CharField(max_length=50) # 公告的内容 HTML 格式 - content = models.TextField() + content = RichTextField() # 创建时间 create_time = models.DateTimeField(auto_now_add=True) # 这个公告是谁创建的 diff --git a/contest/migrations/0010_auto_20150922_1703.py b/contest/migrations/0010_auto_20150922_1703.py new file mode 100644 index 00000000..1a1609e5 --- /dev/null +++ b/contest/migrations/0010_auto_20150922_1703.py @@ -0,0 +1,25 @@ +# -*- coding: utf-8 -*- +from __future__ import unicode_literals + +from django.db import models, migrations +import utils.models + + +class Migration(migrations.Migration): + + dependencies = [ + ('contest', '0009_contestsubmission_first_achieved'), + ] + + operations = [ + migrations.AlterField( + model_name='contest', + name='description', + field=utils.models.RichTextField(), + ), + migrations.AlterField( + model_name='contestproblem', + name='description', + field=utils.models.RichTextField(), + ), + ] diff --git a/contest/models.py b/contest/models.py index a54619eb..5786958c 100644 --- a/contest/models.py +++ b/contest/models.py @@ -5,6 +5,8 @@ from django.utils.timezone import now from account.models import User from problem.models import AbstractProblem from group.models import Group +from utils.models import RichTextField + GROUP_CONTEST = 0 PUBLIC_CONTEST = 1 @@ -17,7 +19,7 @@ CONTEST_UNDERWAY = 0 class Contest(models.Model): title = models.CharField(max_length=40, unique=True) - description = models.TextField() + description = RichTextField() # 比赛模式:0 即为是acm模式,1 即为是按照总的 ac 题目数量排名模式 mode = models.IntegerField() # 是否显示实时排名结果 diff --git a/problem/migrations/0008_auto_20150922_1702.py b/problem/migrations/0008_auto_20150922_1702.py new file mode 100644 index 00000000..ae499a0f --- /dev/null +++ b/problem/migrations/0008_auto_20150922_1702.py @@ -0,0 +1,20 @@ +# -*- coding: utf-8 -*- +from __future__ import unicode_literals + +from django.db import models, migrations +import utils.models + + +class Migration(migrations.Migration): + + dependencies = [ + ('problem', '0007_remove_problem_last_update_time'), + ] + + operations = [ + migrations.AlterField( + model_name='problem', + name='description', + field=utils.models.RichTextField(), + ), + ] diff --git a/problem/models.py b/problem/models.py index dbc886b6..adb7dd4d 100644 --- a/problem/models.py +++ b/problem/models.py @@ -2,6 +2,7 @@ from django.db import models from account.models import User +from utils.models import RichTextField class ProblemTag(models.Model): @@ -15,7 +16,7 @@ class AbstractProblem(models.Model): # 标题 title = models.CharField(max_length=50) # 问题描述 HTML 格式 - description = models.TextField() + description = RichTextField() # 输入描述 input_description = models.CharField(max_length=10000) # 输出描述 diff --git a/utils/models.py b/utils/models.py new file mode 100644 index 00000000..f9844903 --- /dev/null +++ b/utils/models.py @@ -0,0 +1,14 @@ +# coding=utf-8 +from django.db import models + +from utils.xss_filter import XssHtml + + +class RichTextField(models.TextField): + __metaclass__ = models.SubfieldBase + + def get_prep_value(self, value): + parser = XssHtml() + parser.feed(value) + parser.close() + return parser.getHtml() \ No newline at end of file diff --git a/utils/xss_filter.py b/utils/xss_filter.py new file mode 100644 index 00000000..825fbc97 --- /dev/null +++ b/utils/xss_filter.py @@ -0,0 +1,202 @@ +# -*- coding: utf-8 -*- +""" +Python 富文本XSS过滤类 +@package XssHtml +@version 0.1 +@link http://phith0n.github.io/python-xss-filter +@since 20150407 +@copyright (c) Phithon All Rights Reserved + +Based on native Python module HTMLParser purifier of HTML, To Clear all javascript in html +You can use it in all python web framework +Written by Phithon in 2015 and placed in the public domain. +phithon 编写于20150407 +From: XDSEC & 离别歌 +GitHub Pages: https://github.com/phith0n/python-xss-filter +Usage: + parser = XssHtml() + parser.feed('') + parser.close() + html = parser.getHtml() + print html + +Requirements +Python 2.6+ or 3.2+ +Cannot defense xss in browser which is belowed IE7 +浏览器版本:IE7+ 或其他浏览器,无法防御IE6及以下版本浏览器中的XSS +""" +import re + +try: + from html.parser import HTMLParser +except: + from HTMLParser import HTMLParser + + +class XssHtml(HTMLParser): + allow_tags = ['a', 'img', 'br', 'strong', 'b', 'code', 'pre', + 'p', 'div', 'em', 'span', 'h1', 'h2', 'h3', 'h4', + 'h5', 'h6', 'blockquote', 'ul', 'ol', 'tr', 'th', 'td', + 'hr', 'li', 'u', 'embed', 's', 'table', 'thead', 'tbody', + 'caption', 'small', 'q', 'sup', 'sub'] + common_attrs = ["style", "class", "name"] + nonend_tags = ["img", "hr", "br", "embed"] + tags_own_attrs = { + "img": ["src", "width", "height", "alt", "align"], + "a": ["href", "target", "rel", "title"], + "embed": ["src", "width", "height", "type", "allowfullscreen", "loop", "play", "wmode", "menu"], + "table": ["border", "cellpadding", "cellspacing"], + } + + def __init__(self, allows=[]): + HTMLParser.__init__(self) + self.allow_tags = allows if allows else self.allow_tags + self.result = [] + self.start = [] + self.data = [] + + def getHtml(self): + """ + Get the safe html code + """ + for i in range(0, len(self.result)): + tmp = self.result[i].rstrip('\n') + tmp = tmp.lstrip('\n') + if tmp: + self.data.append(tmp) + return ''.join(self.data) + + def handle_startendtag(self, tag, attrs): + self.handle_starttag(tag, attrs) + + def handle_starttag(self, tag, attrs): + if tag not in self.allow_tags: + return + end_diagonal = ' /' if tag in self.nonend_tags else '' + if not end_diagonal: + self.start.append(tag) + attdict = {} + for attr in attrs: + attdict[attr[0]] = attr[1] + + attdict = self._wash_attr(attdict, tag) + if hasattr(self, "node_%s" % tag): + attdict = getattr(self, "node_%s" % tag)(attdict) + else: + attdict = self.node_default(attdict) + + attrs = [] + for (key, value) in attdict.items(): + attrs.append('%s="%s"' % (key, self._htmlspecialchars(value))) + attrs = (' ' + ' '.join(attrs)) if attrs else '' + self.result.append('<' + tag + attrs + end_diagonal + '>') + + def handle_endtag(self, tag): + if self.start and tag == self.start[len(self.start) - 1]: + self.result.append('') + self.start.pop() + + def handle_data(self, data): + self.result.append(self._htmlspecialchars(data)) + + def handle_entityref(self, name): + if name.isalpha(): + self.result.append("&%s;" % name) + + def handle_charref(self, name): + if name.isdigit(): + self.result.append("&#%s;" % name) + + def node_default(self, attrs): + attrs = self._common_attr(attrs) + return attrs + + def node_a(self, attrs): + attrs = self._common_attr(attrs) + attrs = self._get_link(attrs, "href") + attrs = self._set_attr_default(attrs, "target", "_blank") + attrs = self._limit_attr(attrs, { + "target": ["_blank", "_self"] + }) + return attrs + + def node_embed(self, attrs): + attrs = self._common_attr(attrs) + attrs = self._get_link(attrs, "src") + attrs = self._limit_attr(attrs, { + "type": ["application/x-shockwave-flash"], + "wmode": ["transparent", "window", "opaque"], + "play": ["true", "false"], + "loop": ["true", "false"], + "menu": ["true", "false"], + "allowfullscreen": ["true", "false"] + }) + attrs["allowscriptaccess"] = "never" + attrs["allownetworking"] = "none" + return attrs + + def _true_url(self, url): + prog = re.compile(r"^(http|https|ftp)://.+", re.I | re.S) + if prog.match(url): + return url + else: + return "http://%s" % url + + def _true_style(self, style): + if style: + style = re.sub(r"(\\|&#|/\*|\*/)", "_", style) + style = re.sub(r"e.*x.*p.*r.*e.*s.*s.*i.*o.*n", "_", style) + return style + + def _get_style(self, attrs): + if "style" in attrs: + attrs["style"] = self._true_style(attrs.get("style")) + return attrs + + def _get_link(self, attrs, name): + if name in attrs: + attrs[name] = self._true_url(attrs[name]) + return attrs + + def _wash_attr(self, attrs, tag): + if tag in self.tags_own_attrs: + other = self.tags_own_attrs.get(tag) + else: + other = [] + if attrs: + for (key, value) in attrs.items(): + if key not in self.common_attrs + other: + del attrs[key] + return attrs + + def _common_attr(self, attrs): + attrs = self._get_style(attrs) + return attrs + + def _set_attr_default(self, attrs, name, default=''): + if name not in attrs: + attrs[name] = default + return attrs + + def _limit_attr(self, attrs, limit={}): + for (key, value) in limit.items(): + if key in attrs and attrs[key] not in value: + del attrs[key] + return attrs + + def _htmlspecialchars(self, html): + return html.replace("<", "<") \ + .replace(">", ">") \ + .replace('"', """) \ + .replace("'", "'") + + +if "__main__" == __name__: + parser = XssHtml() + parser.feed("""

+
hehe
+

>M + MM

+ """) + parser.close() + print(parser.getHtml()) From 5c334a4ed3fff3399cce66eace02f83e34ce99d0 Mon Sep 17 00:00:00 2001 From: virusdefender <1670873886@qq.com> Date: Tue, 22 Sep 2015 18:52:15 +0800 Subject: [PATCH 7/7] add oj text logo --- oj/__init__.py | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/oj/__init__.py b/oj/__init__.py index e69de29b..c19c0794 100644 --- a/oj/__init__.py +++ b/oj/__init__.py @@ -0,0 +1,9 @@ +""" + ___ _ _ __ _ _ _ + /___\ _ __ | |(_) _ __ ___ \ \ _ _ __| | __ _ ___ | |__ _ _ __ _ __| | _ _ + // //| '_ \ | || || '_ \ / _ \ \ \| | | | / _` | / _` | / _ \ | '_ \ | | | | / _` | / _` || | | | +/ \_// | | | || || || | | || __/ /\_/ /| |_| || (_| || (_| || __/ | |_) || |_| | | (_| || (_| || |_| | +\___/ |_| |_||_||_||_| |_| \___| \___/ \__,_| \__,_| \__, | \___| |_.__/ \__, | \__, | \__,_| \__,_| + |___/ |___/ |_| +https://github.com/QingdaoU/OnlineJudge +""" \ No newline at end of file