| -rw-r--r-- | blahaj_info.json | 1 | ||||
| -rwxr-xr-x | cgi-bin/blahaj_list.cgi | 22 | 
2 files changed, 20 insertions, 3 deletions
diff --git a/blahaj_info.json b/blahaj_info.json
new file mode 100644
index 0000000..2bc30e1
--- /dev/null
+++ b/blahaj_info.json
@@ -0,0 +1 @@
+[{"name": "</h2><p>hi there</p><h2>", "info": "", "date": "May, 20 2024"}, {"name": "</h2><script>alert(\"hi\");</script><h1>", "info": "", "date": "May, 20 2024"}, {"name": "<h2></h2><script>alert(\"owo\");</script><h2>", "info": "", "date": "May, 20 2024"}, {"name": "hi", "info": "</p><script>alert(\"hi\");</script>", "date": "May, 20 2024"}, {"name": "sdfdsfdf", "info": "", "date": "May, 20 2024"}]
\ No newline at end of file
diff --git a/cgi-bin/blahaj_list.cgi b/cgi-bin/blahaj_list.cgi
index e28b626..d585034 100755
--- a/cgi-bin/blahaj_list.cgi
+++ b/cgi-bin/blahaj_list.cgi
@@ -3,11 +3,27 @@
 import cgi
 import json
+from bs4 import BeautifulSoup
+
 # Worse code here. Prepare your eyes for this monster.
 # Its almost as bad as programming anything in php or even worse javascript.
 print('Content-Type: text/html')
+# Mode for letting peope inject stuff.
+form = cgi.FieldStorage()
+unsafe_mode = form.getvalue("unsafe_mode") == "on"
+
+# Hehehe
+def check_for_injection(value):
+    if bool(BeautifulSoup(value, "html.parser").find()) and not unsafe_mode:
+        return """
+            This silly silly tried to hack this website lmao.
+            <a href=\"?unsafe_mode=on\">Click to see the website with the hack</a>
+        """
+         
+    return value
+
 def create_blahaj_tables():
     try:
         tables_html = """
@@ -45,9 +61,9 @@ def create_blahaj_tables():
                     </table>
                 """
-                current_table = current_table.replace("put_name_here", blahaj["name"])
-                current_table = current_table.replace("put_info_here", blahaj["info"])
-                current_table = current_table.replace("put_date_here", blahaj["date"])
+                current_table = current_table.replace("put_name_here", check_for_injection(blahaj["name"]))
+                current_table = current_table.replace("put_info_here", check_for_injection(blahaj["info"]))
+                current_table = current_table.replace("put_date_here", check_for_injection(blahaj["date"]))
                 tables_html += current_table
|
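Review bot: `check_for_injection` only reacts to input that html.parser materialises as an element, and its fall-through path still returns the raw string (`return value`), so anything the parser does not turn into a tag — presumably a lone closing tag such as `</h2>`, or an entity-encoded payload — is interpolated into the page unescaped. The robust fix is output encoding rather than detection: `import html` at the top and `return html.escape(value)` in place of the pass-through, which also covers the date field and makes the bs4 dependency unnecessary. Note too that `unsafe_mode` comes straight from the query string, so the stored payloads added in blahaj_info.json render unescaped for any visitor who follows a `?unsafe_mode=on` link; if the demo mode is meant to stay, it should not be switchable by a visitor-supplied parameter. The `import cgi` context line is a module deprecated in Python 3.11 and removed in 3.13, so `cgi.FieldStorage()` will need replacing before the script runs on current interpreters. The call sites in the second hunk (@@ -45,9) sit inside `create_blahaj_tables`, whose body continues outside both hunks.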
