
bleached all the inputs

sleepytaco 3 years ago
parent
commit
073624e013
5 changed files with 27 additions and 30 deletions
  1. 2 1
      apps/charts/views.py
  2. 8 11
      apps/main/views.py
  3. 3 2
      apps/manage_playlists/views.py
  4. 10 13
      apps/search/views.py
  5. 4 3
      apps/users/views.py

+ 2 - 1
apps/charts/views.py

@@ -1,3 +1,4 @@
+import bleach
 from django.db.models import Count, Q
 from django.http import JsonResponse
 
@@ -6,7 +7,7 @@ def channel_videos_distribution(request, playlist_id):
     labels = []
     data = []
 
-    playlist_items = request.user.playlists.get(playlist_id=playlist_id).playlist_items.all()
+    playlist_items = request.user.playlists.get(playlist_id=bleach.clean(playlist_id)).playlist_items.all()
 
     queryset = playlist_items.filter(Q(video__is_unavailable_on_yt=False) & Q(video__was_deleted_on_yt=False)).values(
         'video__channel_name').annotate(channel_videos_count=Count('video_position'))
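Review bot: `bleach.clean(playlist_id)` in the `.get()` lookup does not validate the identifier: bleach is an HTML sanitiser, so it only entity-escapes `<`, `>` and `&`, and the ORM parameterises this query regardless, so the wrapper adds no protection while an unknown or foreign id still raises the model's `DoesNotExist` and surfaces as a 500. The control that fits a path parameter is a format check plus a 404, e.g. `if not re.fullmatch(r"[A-Za-z0-9_-]+", playlist_id): raise Http404` (or a path converter in `urls.py`) followed by `get_object_or_404(request.user.playlists, playlist_id=playlist_id)` — assuming these are YouTube-style ids; confirm the accepted alphabet against the model. The decorators of `channel_videos_distribution` are outside the hunk, so whether it sits behind `@login_required` is not visible here; without it `request.user.playlists` raises `AttributeError` for an anonymous user.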

+ 8 - 11
apps/main/views.py

@@ -116,7 +116,6 @@ def view_video(request, video_id):
 @login_required
 @require_POST
 def video_notes(request, video_id):
-    print(request.POST)
     if request.user.videos.filter(video_id=video_id).exists():
         video = request.user.videos.get(video_id=video_id)
 
@@ -235,7 +234,7 @@ def library(request, library_type):
         return render(request, "unavailable_videos.html", {"videos": videos})
     elif library_type.lower() == "random":  # randomize playlist
         if request.method == "POST":
-            playlists_type = request.POST["playlistsType"]
+            playlists_type = bleach.clean(request.POST["playlistsType"])
             if playlists_type == "All":
                 playlists = request.user.playlists.all().filter(is_in_db=True)
             elif playlists_type == "Favorites":
@@ -318,7 +317,7 @@ def order_playlist_by(request, playlist_id, order_by):
         videos_details = "Sorted by Unavailable Videos"
         display_text = "None of the videos in this playlist have gone unavailable... yet."
     elif order_by == 'channel':
-        channel_name = request.GET["channel-name"]
+        channel_name = bleach.clean(request.GET["channel-name"])
         playlist_items = playlist.playlist_items.select_related('video').filter(
             video__channel_name=channel_name).order_by("video_position")
         videos_details = f"Sorted by Channel '{channel_name}'"
@@ -408,7 +407,6 @@ def playlist_delete_videos(request, playlist_id, command):
     all = False
     num_vids = 0
     playlist_item_ids = []
-    print(request.POST)
     if "all" in request.POST:
         if request.POST["all"] == "yes":
             all = True
@@ -417,7 +415,7 @@ def playlist_delete_videos(request, playlist_id, command):
                 playlist_item_ids = [playlist_item.playlist_item_id for playlist_item in
                                      request.user.playlists.get(playlist_id=playlist_id).playlist_items.all()]
     else:
-        playlist_item_ids = request.POST.getlist("video-id", default=[])
+        playlist_item_ids = [bleach.clean(item_id) for item_id in request.POST.getlist("video-id", default=[])]
         num_vids = len(playlist_item_ids)
 
     extra_text = " "
@@ -605,7 +603,7 @@ def load_more_videos(request, playlist_id, order_by, page):
         playlist_items = playlist.playlist_items.select_related('video').filter(
             Q(video__is_unavailable_on_yt=True) & Q(video__was_deleted_on_yt=True))
     elif order_by == 'channel':
-        channel_name = request.GET["channel-name"]
+        channel_name = bleach.clean(request.GET["channel-name"])
         playlist_items = playlist.playlist_items.select_related('video').filter(
             video__channel_name=channel_name).order_by("video_position")
 
@@ -627,7 +625,6 @@ def update_playlist_settings(request, playlist_id):
     message_type = "success"
     message_content = "Saved!"
 
-    print(request.POST)
     playlist = request.user.playlists.get(playlist_id=playlist_id)
 
     if 'user_label' in request.POST:
@@ -855,7 +852,7 @@ def get_watch_message(request, playlist_id):
 @login_required
 @require_POST
 def create_playlist_tag(request, playlist_id):
-    tag_name = request.POST["createTagField"]
+    tag_name = bleach.clean(request.POST["createTagField"])
 
     if tag_name.lower() == 'Pick from existing unused tags'.lower():
         return HttpResponse("Can't use that! Try again >_<")
@@ -888,7 +885,7 @@ def create_playlist_tag(request, playlist_id):
 @login_required
 @require_POST
 def add_playlist_tag(request, playlist_id):
-    tag_name = request.POST["playlistTag"]
+    tag_name = bleach.clean(request.POST["playlistTag"])
 
     if tag_name == 'Pick from existing unused tags':
         return HttpResponse("Pick something! >w<")
@@ -982,8 +979,8 @@ def reset_watched(request, playlist_id):
 @login_required
 @require_POST
 def playlist_move_copy_videos(request, playlist_id, action):
-    playlist_ids = request.POST.getlist("playlist-ids", default=[])
-    playlist_item_ids = request.POST.getlist("video-id", default=[])
+    playlist_ids = [bleach.clean(pl_id) for pl_id in request.POST.getlist("playlist-ids", default=[])]
+    playlist_item_ids = [bleach.clean(item_id) for item_id in request.POST.getlist("video-id", default=[])]
 
     # basic processing
     if not playlist_ids and not playlist_item_ids:
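Review bot: Wrapping `channel_name` in `bleach.clean()` in the `order_by == 'channel'` branches of `order_playlist_by` and `load_more_videos` alters the value before it is used in an exact ORM match, `video__channel_name=channel_name`: bleach entity-escapes `&`, `<` and `>`, so a channel named `Tom & Jerry` no longer matches its own rows and the filter returns an empty queryset. The ORM already parameterises these lookups and Django templates autoescape on output by default, so HTML-sanitising at the read site gives no injection protection and only corrupts the data; the same applies to `tag_name` in `create_playlist_tag`, which is now stored entity-escaped and would be escaped again when rendered. I would drop `bleach.clean` on values that are matched or stored verbatim and instead bound them, e.g. `channel_name = request.GET.get("channel-name", "")[:200]`, and for the id lists in `playlist_delete_videos` and `playlist_move_copy_videos` apply an allow-list check per id (`re.fullmatch(r"[A-Za-z0-9_-]+", item_id)`) since that is the control bleach does not provide. `order_playlist_by`, `load_more_videos` and `playlist_move_copy_videos` all continue past their hunks.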

+ 3 - 2
apps/manage_playlists/views.py

@@ -1,3 +1,4 @@
+import bleach
 from django.contrib.auth.decorators import login_required
 from django.http import HttpResponse
 from django.shortcuts import render
@@ -26,7 +27,7 @@ def manage_view_page(request, page):
 @require_POST
 def manage_save(request, what):
     if what == "manage_playlists_import_textarea":
-        request.user.profile.manage_playlists_import_textarea = request.POST["import-playlist-textarea"]
+        request.user.profile.manage_playlists_import_textarea = bleach.clean(request.POST["import-playlist-textarea"])
         request.user.save()
 
     return HttpResponse("")
@@ -35,7 +36,7 @@ def manage_save(request, what):
 @login_required
 @require_POST
 def manage_import_playlists(request):
-    playlist_links = request.POST["import-playlist-textarea"].replace(",", "").split("\n")
+    playlist_links = [bleach.clean(link) for link in request.POST["import-playlist-textarea"].replace(",", "").split("\n")]
 
     num_playlists_already_in_db = 0
     num_playlists_initialized_in_db = 0
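Review bot: `bleach.clean` applied per line in `manage_import_playlists` rewrites `&` to `&amp;`, so a pasted YouTube playlist URL with a query string such as `?list=...&feature=share` reaches whatever parses it downstream already mangled; `manage_save` now persists the same escaped form into `manage_playlists_import_textarea`. These values are URLs/ids, not HTML, so parse them rather than sanitise: `urllib.parse.urlparse` and `parse_qs` to extract the `list` value, an allow-list check on the resulting id, and `.strip()` each line after `.split("\n")` dropping empties so blank lines are not counted as playlists. Separately, the unchanged `request.user.save()` after assigning `request.user.profile.manage_playlists_import_textarea` saves the `User`, not the profile; unless something persists the profile on a User save, that assignment is lost and it should be `request.user.profile.save()`. The rest of `manage_import_playlists` is outside the hunk.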

+ 10 - 13
apps/search/views.py

@@ -14,27 +14,27 @@ def search(request):
     if request.method == "GET":
         print(request.GET)
         if 'mode' in request.GET:
-            mode = request.GET['mode']
+            mode = bleach.clean(request.GET['mode'])
         else:
             mode = "playlists"
 
         if 'type' in request.GET:
-            item_type = request.GET["type"]
+            item_type = bleach.clean(request.GET["type"])
         else:
             item_type = "all"
 
         if 'query' in request.GET:
-            query = request.GET["query"]
+            query = bleach.clean(request.GET["query"])
         else:
             query = ''
 
         if 'tag' in request.GET:
-            pl_tag = request.GET["tag"]
+            pl_tag = bleach.clean(request.GET["tag"])
         else:
             pl_tag = ""
 
         if 'channel' in request.GET:
-            vid_channel_name = request.GET["channel"]
+            vid_channel_name = bleach.clean(request.GET["channel"])
         else:
             vid_channel_name = ""
 
@@ -52,10 +52,7 @@ def search(request):
 @login_required
 @require_POST
 def search_UnTube(request):
-    print(request.POST)
-
     search_query = bleach.clean(request.POST["search"])
-    print(search_query)
 
     if request.POST['search-settings'] == 'playlists':
         playlist_type = bleach.clean(request.POST["playlistsType"])
@@ -75,7 +72,7 @@ def search_UnTube(request):
             all_playlists = all_playlists.filter(is_yt_mix=True)
 
         if 'playlist-tags' in request.POST:
-            tags = request.POST.getlist('playlist-tags')
+            tags = [bleach.clean(t) for t in request.POST.getlist('playlist-tags')]
             for tag in tags:
                 all_playlists = all_playlists.filter(tags__name=tag)
 
@@ -118,7 +115,7 @@ def search_UnTube(request):
             all_videos = all_videos.filter(Q(is_unavailable_on_yt=False) & Q(was_deleted_on_yt=True))
 
         if 'channel-names' in request.POST:
-            channels = request.POST.getlist('channel-names')
+            channels = [bleach.clean(name) for name in request.POST.getlist('channel-names')]
             all_videos = all_videos.filter(channel_name__in=channels)
 
         videos = all_videos.filter(
@@ -147,7 +144,7 @@ def search_UnTube(request):
             videos = videos.filter(has_cc=True)
 
         if 'playlist-ids' in request.POST:
-            playlist_ids = request.POST.getlist('playlist-ids')
+            playlist_ids = [bleach.clean(pl_id) for pl_id in request.POST.getlist('playlist-ids')]
             videos = videos.filter(playlists__playlist_id__in=playlist_ids)
 
         return HttpResponse(loader.get_template("intercooler/search_untube_results.html")
@@ -162,7 +159,7 @@ def search_UnTube(request):
 def search_library(request, library_type):
     # print(request.POST)  # prints <QueryDict: {'search': ['aa']}>
 
-    search_query = request.POST["search"]
+    search_query = bleach.clean(request.POST["search"])
     watching = False
 
     playlists = None
@@ -219,7 +216,7 @@ def search_library(request, library_type):
 @login_required
 @require_POST
 def search_tagged_playlists(request, tag):
-    search_query = request.POST["search"]
+    search_query = bleach.clean(request.POST["search"])
     try:
         playlists = request.user.playlists.all().filter(Q(is_in_db=True) & Q(tags__name=tag)).filter(
             Q(name__startswith=search_query) | Q(user_label__startswith=search_query))
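Review bot: `print(request.GET)` at the top of `search` is left in place while this commit removes the sibling debug prints in `search_UnTube`; it writes every query string, including `query`, to stdout/logs and should be deleted too (or become a `logger.debug`). The `bleach.clean` wrappers in this file feed exact lookups — `tags__name=tag`, `channel_name__in=channels`, `playlists__playlist_id__in=playlist_ids` — and bleach entity-escapes `&`, `<` and `>`, so a tag or channel containing one of those characters stops matching even though the ORM was already parameterising the query. For `mode` and `item_type` the appropriate control is an allow-list against the values the view dispatches on, e.g. `if mode not in ALLOWED_MODES: mode = "playlists"`, with `ALLOWED_MODES` mirroring the branches further down; `search` continues past its hunk, so those branches are not visible here.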

+ 4 - 3
apps/users/views.py

@@ -1,3 +1,4 @@
+import bleach
 from django.db.models import Q
 from django.shortcuts import render, redirect
 from django.contrib.auth import logout
@@ -76,16 +77,16 @@ def settings(request):
 def update_settings(request):
     print(request.POST)
     user = request.user
-    username_input = request.POST['username'].strip()
+    username_input = bleach.clean(request.POST['username'].strip())
     message_content = "Saved!"
     # message_type = "success"
     if username_input != user.username:
         if User.objects.filter(username__exact=username_input).count() != 0:
             # message_type = "danger"
-            message_content = f"Username {request.POST['username'].strip()} already taken"
+            message_content = f"Username {username_input} already taken"
             messages.error(request, message_content)
         else:
-            user.username = request.POST['username'].strip()
+            user.username = username_input
             # user.save()
             message_content = f"Username updated to {username_input}!"
             messages.success(request, message_content)
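Review bot: `bleach.clean(request.POST['username'].strip())` sanitises rather than validates the new username: a value like `a<b` is accepted and stored as `a&lt;b`, which is neither what the user typed nor a legal username, and the uniqueness check then runs on the escaped form. Run the model's own validator instead — `from django.contrib.auth.validators import UnicodeUsernameValidator` and `UnicodeUsernameValidator()(username_input)` inside a `try/except ValidationError` that reports through `messages.error` — or route the field through a `ModelForm`; the existing taken-check can stay, but check-then-save is still a race that only a unique-constraint `IntegrityError` handler closes (the `user.save()` is commented out in the hunk, so where the save actually happens is not visible). The unchanged `print(request.POST)` at the top of `update_settings` dumps the whole settings form to stdout and should be removed like the prints deleted elsewhere in this commit.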