mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-06 19:35:13 +02:00
17 lines
511 B
Python
17 lines
511 B
Python
# Safe: user-supplied substring routed through the project-local
|
|
# `escape_xpath` helper before being concatenated into the XPath expression.
|
|
# The sanitizer clears the XPATH_INJECTION cap so the sink does not fire.
|
|
from lxml import etree
|
|
from flask import request
|
|
|
|
|
|
def escape_xpath(raw):
|
|
return raw.replace("'", "'")
|
|
|
|
|
|
def lookup():
|
|
tree = etree.parse("users.xml")
|
|
user = request.form["user"]
|
|
safe = escape_xpath(user)
|
|
expr = "//user[name='" + safe + "']"
|
|
return tree.xpath(expr)
|