From a057cc81062471828b86aff6b65f73e8d7e73fe6 Mon Sep 17 00:00:00 2001
From: Zhen Yang
Date: Sat, 27 Jun 2020 10:59:10 -0700
Subject: [PATCH] finished xss-example activity for lesson08
---
 main.py | 14 +++++++++-----
 setup.py | 2 +-
 2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/main.py b/main.py
index fd03988..e90be5a 100644
--- a/main.py
+++ b/main.py
@@ -1,8 +1,9 @@
 import os
 import base64
+import html
 from flask import Flask, request
-from model import Message
+from model import Message
 app = Flask(__name__)
@@ -25,18 +26,21 @@ def home():

Wisdom From Your Fellow Classmates

"""
-
+
 for m in Message.select():
+ # using html.escape() method to sanitize user-submitted content.
+ input = html.escape(m.content)
 body += """
{}
-""".format(m.content)
+""".format(input)
+#""".format(m.content.replace('<', '<').replace('>', '>'))
+#""".format(m.content)
- return body
+ return body
 if __name__ == "__main__":
 port = int(os.environ.get("PORT", 6738))
 app.run(host='0.0.0.0', port=port)
-
diff --git a/setup.py b/setup.py
index c8856af..ab0a618 100644
--- a/setup.py
+++ b/setup.py
@@ -1,4 +1,4 @@
-from model import db, Message
+from model import db, Message
 db.connect()
 db.create_tables([Message])
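Review bot: The new local `input` inside the `for m in Message.select():` loop shadows the builtin `input()`; naming it for what it holds reads better, e.g. `escaped = html.escape(m.content)` and `""".format(escaped)`. The two commented-out `#""".format(...)` lines added right after the new `.format(input)` call are the unescaped variants this commit replaces and should be deleted rather than kept as dead code, since a later uncomment silently reintroduces the injection. `html.escape()` with its default `quote=True` is the right choice for content interpolated as element text and escaping at render time (not at storage) is the correct placement, but it only covers that context, so a comment such as `# output-encode at render time; safe for HTML text nodes only, not attributes or script` would document the assumption; if `m.content` can be null in the model, `html.escape` would raise on it, which is worth confirming. The body of `home()` starts before this hunk, so the rest of the page-building code is not visible here.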