PracticalActivity_Lesson08_FlorentinPopescu

main.py

@@ -1,17 +1,38 @@
+""" script main.py """
+
+# imports
 import os
 import base64
+import html
+import random
 
-from flask import Flask, request
-from model import Message 
+from peewee import IntegrityError
+from werkzeug.exceptions import HTTPException
+from flask import Flask, request, session
+from model import Message
+# -------------------------------------------
 
-app = Flask(__name__)
+APP = Flask(__name__)
+APP.secret_key = b"\xe0\x95\xf2`W8'X,2\xfc\x88Z\x8c\x97\xad~1\xd8k\xbb\xaf\xd7\xab"
+#APP.secret_key = os.environ.get('SECRET_KEY').encode()
+# -------------------------------------------
 
-@app.route('/', methods=['GET', 'POST'])
+@APP.route("/", methods=["GET", "POST"])
 def home():
+    """ home """
+    if "csrf_token" not in session:
+        session["csrf_token"] = str(random.randint(10000000, 99999999))
 
-    if request.method == 'POST':
-        m = Message(content=request.form['content'])
-        m.save()
+    if request.method == "POST":
+        if request.form.get("csrf_token", None) == session["csrf_token"]:
+            try:
+                msg = Message(content=request.form["content"])
+                msg.save()
+            except (HTTPException, IntegrityError) as err:
+                print("no message inserted: ", err)
+        else:
+            raise RuntimeError("Possible CSRF attack")
+    # -------------------------------------------
 
     body = """
 <html>
@@ -20,23 +41,28 @@ def home():
 <h2>Contribute to the Knowledge of Others</h2>
 <form method="POST">
     <textarea name="content"></textarea>
+    <input type="hidden" name="csrf_token" value="{}">
     <input type="submit" value="Submit">
 </form>
 
 <h2>Wisdom From Your Fellow Classmates</h2>
-"""
-
-    for m in Message.select():
+""".format(session["csrf_token"])
+    # -------------------------------------------
+
+    for msg in Message.select():
         body += """
 <div class="message">
 {}
 </div>
-""".format(m.content)
+""".format(html.escape(msg.content.strip(), quote=True))
 
-    return body 
+    # format(msg.content.replace("<", "&lt;").replace(">", "&gt;")
+    #           .replace("&", "&amp;")).replace("'", "&#x27"))
+    #           .replace ('"', "&quot;"))
+    return body
 
 
+# ===========================================
 if __name__ == "__main__":
-    port = int(os.environ.get("PORT", 6738))
-    app.run(host='0.0.0.0', port=port)
-
+    PORT = int(os.environ.get("PORT", 6738))
+    APP.run(host="0.0.0.0", port=PORT)

model.py

@@ -1,12 +1,19 @@
+""" script model.py """
+
+# imports
 import os
 
-from peewee import Model, CharField, IntegerField
+from peewee import Model, CharField
 from playhouse.db_url import connect
 
-db = connect(os.environ.get('DATABASE_URL', 'sqlite:///my_database.db'))
+# database connect
+DB = connect(os.environ.get('DATABASE_URL', 'sqlite:///my_database.db'))
+
 
 class Message(Model):
+    """ mesage class """
     content = CharField(max_length=1024, unique=True)
 
     class Meta:
-        database = db
+        """ mata class """
+        database = DB

requirements.txt

@@ -4,4 +4,4 @@ itsdangerous==0.24
 Jinja2==2.10
 MarkupSafe==1.0
 peewee==3.3.4
-Werkzeug==0.14.1
+Werkzeug==0.14.1

setup.py

@@ -1,4 +1,6 @@
-from model import db, Message 
+""" script setup.py """
 
-db.connect()
-db.create_tables([Message])
+from model import DB, Message 
+
+DB.connect()
+DB.create_tables([Message])

xss_example/Lib/site-packages/Flask-1.0.2.dist-info/INSTALLER

@@ -0,0 +1 @@
+pip

xss_example/Lib/site-packages/Flask-1.0.2.dist-info/LICENSE.txt

@@ -0,0 +1,31 @@
+Copyright © 2010 by the Pallets team.
+
+Some rights reserved.
+
+Redistribution and use in source and binary forms of the software as
+well as documentation, with or without modification, are permitted
+provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice,
+  this list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright
+  notice, this list of conditions and the following disclaimer in the
+  documentation and/or other materials provided with the distribution.
+
+* Neither the name of the copyright holder nor the names of its
+  contributors may be used to endorse or promote products derived from
+  this software without specific prior written permission.
+
+THIS SOFTWARE AND DOCUMENTATION IS PROVIDED BY THE COPYRIGHT HOLDERS AND
+CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
+BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+THIS SOFTWARE AND DOCUMENTATION, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.

xss_example/Lib/site-packages/Flask-1.0.2.dist-info/METADATA

@@ -0,0 +1,130 @@
+Metadata-Version: 2.1
+Name: Flask
+Version: 1.0.2
+Summary: A simple framework for building complex web applications.
+Home-page: https://www.palletsprojects.com/p/flask/
+Author: Armin Ronacher
+Author-email: armin.ronacher@active-4.com
+Maintainer: Pallets team
+Maintainer-email: contact@palletsprojects.com
+License: BSD
+Project-URL: Documentation, http://flask.pocoo.org/docs/
+Project-URL: Code, https://github.com/pallets/flask
+Project-URL: Issue tracker, https://github.com/pallets/flask/issues
+Platform: any
+Classifier: Development Status :: 5 - Production/Stable
+Classifier: Environment :: Web Environment
+Classifier: Framework :: Flask
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: BSD License
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python
+Classifier: Programming Language :: Python :: 2
+Classifier: Programming Language :: Python :: 2.7
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.4
+Classifier: Programming Language :: Python :: 3.5
+Classifier: Programming Language :: Python :: 3.6
+Classifier: Topic :: Internet :: WWW/HTTP :: Dynamic Content
+Classifier: Topic :: Internet :: WWW/HTTP :: WSGI :: Application
+Classifier: Topic :: Software Development :: Libraries :: Application Frameworks
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Provides-Extra: dev
+Provides-Extra: docs
+Provides-Extra: dotenv
+Requires-Dist: Werkzeug (>=0.14)
+Requires-Dist: Jinja2 (>=2.10)
+Requires-Dist: itsdangerous (>=0.24)
+Requires-Dist: click (>=5.1)
+Provides-Extra: dev
+Requires-Dist: pytest (>=3); extra == 'dev'
+Requires-Dist: coverage; extra == 'dev'
+Requires-Dist: tox; extra == 'dev'
+Requires-Dist: sphinx; extra == 'dev'
+Requires-Dist: pallets-sphinx-themes; extra == 'dev'
+Requires-Dist: sphinxcontrib-log-cabinet; extra == 'dev'
+Provides-Extra: docs
+Requires-Dist: sphinx; extra == 'docs'
+Requires-Dist: pallets-sphinx-themes; extra == 'docs'
+Requires-Dist: sphinxcontrib-log-cabinet; extra == 'docs'
+Provides-Extra: dotenv
+Requires-Dist: python-dotenv; extra == 'dotenv'
+
+Flask
+=====
+
+Flask is a lightweight `WSGI`_ web application framework. It is designed
+to make getting started quick and easy, with the ability to scale up to
+complex applications. It began as a simple wrapper around `Werkzeug`_
+and `Jinja`_ and has become one of the most popular Python web
+application frameworks.
+
+Flask offers suggestions, but doesn't enforce any dependencies or
+project layout. It is up to the developer to choose the tools and
+libraries they want to use. There are many extensions provided by the
+community that make adding new functionality easy.
+
+
+Installing
+----------
+
+Install and update using `pip`_:
+
+.. code-block:: text
+
+    pip install -U Flask
+
+
+A Simple Example
+----------------
+
+.. code-block:: python
+
+    from flask import Flask
+
+    app = Flask(__name__)
+
+    @app.route('/')
+    def hello():
+        return 'Hello, World!'
+
+.. code-block:: text
+
+    $ FLASK_APP=hello.py flask run
+     * Serving Flask app "hello"
+     * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
+
+
+Donate
+------
+
+The Pallets organization develops and supports Flask and the libraries
+it uses. In order to grow the community of contributors and users, and
+allow the maintainers to devote more time to the projects, `please
+donate today`_.
+
+.. _please donate today: https://psfmember.org/civicrm/contribute/transact?reset=1&id=20
+
+
+Links
+-----
+
+* Website: https://www.palletsprojects.com/p/flask/
+* Documentation: http://flask.pocoo.org/docs/
+* License: `BSD <https://github.com/pallets/flask/blob/master/LICENSE>`_
+* Releases: https://pypi.org/project/Flask/
+* Code: https://github.com/pallets/flask
+* Issue tracker: https://github.com/pallets/flask/issues
+* Test status:
+
+  * Linux, Mac: https://travis-ci.org/pallets/flask
+  * Windows: https://ci.appveyor.com/project/pallets/flask
+
+* Test coverage: https://codecov.io/gh/pallets/flask
+
+.. _WSGI: https://wsgi.readthedocs.io
+.. _Werkzeug: https://www.palletsprojects.com/p/werkzeug/
+.. _Jinja: https://www.palletsprojects.com/p/jinja/
+.. _pip: https://pip.pypa.io/en/stable/quickstart/
+
+

xss_example/Lib/site-packages/Flask-1.0.2.dist-info/RECORD

@@ -0,0 +1,48 @@
+../../Scripts/flask.exe,sha256=A4tHXsCTYCbsTINJeCncsK8pk8tCBMkAjals0XXZq0k,97146
+Flask-1.0.2.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4
+Flask-1.0.2.dist-info/LICENSE.txt,sha256=ziEXA3AIuaiUn1qe4cd1XxCESWTYrk4TjN7Qb06J3l8,1575
+Flask-1.0.2.dist-info/METADATA,sha256=iA5tiNWzTtgCVe80aTZGNWsckj853fJyfvHs9U-WZRk,4182
+Flask-1.0.2.dist-info/RECORD,,
+Flask-1.0.2.dist-info/WHEEL,sha256=J3CsTk7Mf2JNUyhImI-mjX-fmI4oDjyiXgWT4qgZiCE,110
+Flask-1.0.2.dist-info/entry_points.txt,sha256=gBLA1aKg0OYR8AhbAfg8lnburHtKcgJLDU52BBctN0k,42
+Flask-1.0.2.dist-info/top_level.txt,sha256=dvi65F6AeGWVU0TBpYiC04yM60-FX1gJFkK31IKQr5c,6
+flask/__init__.py,sha256=qq8lK6QQbxJALf1igz7qsvUwOTAoKvFGfdLm7jPNsso,1673
+flask/__main__.py,sha256=pgIXrHhxM5MAMvgzAqWpw_t6AXZ1zG38us4JRgJKtxk,291
+flask/__pycache__/__init__.cpython-38.pyc,,
+flask/__pycache__/__main__.cpython-38.pyc,,
+flask/__pycache__/_compat.cpython-38.pyc,,
+flask/__pycache__/app.cpython-38.pyc,,
+flask/__pycache__/blueprints.cpython-38.pyc,,
+flask/__pycache__/cli.cpython-38.pyc,,
+flask/__pycache__/config.cpython-38.pyc,,
+flask/__pycache__/ctx.cpython-38.pyc,,
+flask/__pycache__/debughelpers.cpython-38.pyc,,
+flask/__pycache__/globals.cpython-38.pyc,,
+flask/__pycache__/helpers.cpython-38.pyc,,
+flask/__pycache__/logging.cpython-38.pyc,,
+flask/__pycache__/sessions.cpython-38.pyc,,
+flask/__pycache__/signals.cpython-38.pyc,,
+flask/__pycache__/templating.cpython-38.pyc,,
+flask/__pycache__/testing.cpython-38.pyc,,
+flask/__pycache__/views.cpython-38.pyc,,
+flask/__pycache__/wrappers.cpython-38.pyc,,
+flask/_compat.py,sha256=UDFGhosh6mOdNB-4evKPuneHum1OpcAlwTNJCRm0irQ,2892
+flask/app.py,sha256=ahpe3T8w98rQd_Er5d7uDxK57S1nnqGQx3V3hirBovU,94147
+flask/blueprints.py,sha256=Cyhl_x99tgwqEZPtNDJUFneAfVJxWfEU4bQA7zWS6VU,18331
+flask/cli.py,sha256=30QYAO10Do9LbZYCLgfI_xhKjASdLopL8wKKVUGS2oA,29442
+flask/config.py,sha256=kznUhj4DLYxsTF_4kfDG8GEHto1oZG_kqblyrLFtpqQ,9951
+flask/ctx.py,sha256=leFzS9fzmo0uaLCdxpHc5_iiJZ1H0X_Ig4yPCOvT--g,16224
+flask/debughelpers.py,sha256=1ceC-UyqZTd4KsJkf0OObHPsVt5R3T6vnmYhiWBjV-w,6479
+flask/globals.py,sha256=pGg72QW_-4xUfsI33I5L_y76c21AeqfSqXDcbd8wvXU,1649
+flask/helpers.py,sha256=YCl8D1plTO1evEYP4KIgaY3H8Izww5j4EdgRJ89oHTw,40106
+flask/json/__init__.py,sha256=Ns1Hj805XIxuBMh2z0dYnMVfb_KUgLzDmP3WoUYaPhw,10729
+flask/json/__pycache__/__init__.cpython-38.pyc,,
+flask/json/__pycache__/tag.cpython-38.pyc,,
+flask/json/tag.py,sha256=9ehzrmt5k7hxf7ZEK0NOs3swvQyU9fWNe-pnYe69N60,8223
+flask/logging.py,sha256=qV9h0vt7NIRkKM9OHDWndzO61E5CeBMlqPJyTt-W2Wc,2231
+flask/sessions.py,sha256=2XHV4ASREhSEZ8bsPQW6pNVNuFtbR-04BzfKg0AfvHo,14452
+flask/signals.py,sha256=BGQbVyCYXnzKK2DVCzppKFyWN1qmrtW1QMAYUs-1Nr8,2211
+flask/templating.py,sha256=FDfWMbpgpC3qObW8GGXRAVrkHFF8K4CHOJymB1wvULI,4914
+flask/testing.py,sha256=XD3gWNvLUV8dqVHwKd9tZzsj81fSHtjOphQ1wTNtlMs,9379
+flask/views.py,sha256=Wy-_WkUVtCfE2zCXYeJehNgHuEtviE4v3HYfJ--MpbY,5733
+flask/wrappers.py,sha256=1Z9hF5-hXQajn_58XITQFRY8efv3Vy3uZ0avBfZu6XI,7511

xss_example/Lib/site-packages/Flask-1.0.2.dist-info/WHEEL

@@ -0,0 +1,6 @@
+Wheel-Version: 1.0
+Generator: bdist_wheel (0.31.0)
+Root-Is-Purelib: true
+Tag: py2-none-any
+Tag: py3-none-any
+

xss_example/Lib/site-packages/Flask-1.0.2.dist-info/entry_points.txt

@@ -0,0 +1,3 @@
+[console_scripts]
+flask = flask.cli:main
+

xss_example/Lib/site-packages/Flask-1.0.2.dist-info/top_level.txt

@@ -0,0 +1 @@
+flask

xss_example/Lib/site-packages/Jinja2-2.10.dist-info/DESCRIPTION.rst

@@ -0,0 +1,37 @@
+
+Jinja2
+~~~~~~
+
+Jinja2 is a template engine written in pure Python.  It provides a
+`Django`_ inspired non-XML syntax but supports inline expressions and
+an optional `sandboxed`_ environment.
+
+Nutshell
+--------
+
+Here a small example of a Jinja template::
+
+    {% extends 'base.html' %}
+    {% block title %}Memberlist{% endblock %}
+    {% block content %}
+      <ul>
+      {% for user in users %}
+        <li><a href="{{ user.url }}">{{ user.username }}</a></li>
+      {% endfor %}
+      </ul>
+    {% endblock %}
+
+Philosophy
+----------
+
+Application logic is for the controller but don't try to make the life
+for the template designer too hard by giving him too few functionality.
+
+For more informations visit the new `Jinja2 webpage`_ and `documentation`_.
+
+.. _sandboxed: https://en.wikipedia.org/wiki/Sandbox_(computer_security)
+.. _Django: https://www.djangoproject.com/
+.. _Jinja2 webpage: http://jinja.pocoo.org/
+.. _documentation: http://jinja.pocoo.org/2/documentation/
+
+

xss_example/Lib/site-packages/Jinja2-2.10.dist-info/INSTALLER

@@ -0,0 +1 @@
+pip