From 2b8abc0adc2a7905c7145b954943b48364bbb7e1 Mon Sep 17 00:00:00 2001
From: stellie
Date: Tue, 22 Dec 2020 16:37:24 -0800
Subject: [PATCH] prevent cross site scripting by replacing angle bracket characters
---
 main.py | 17 ++++++++++-------
 model.py | 1 +
 setup.py | 2 +-
 3 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/main.py b/main.py
index fd03988..a32c0b3 100644
--- a/main.py
+++ b/main.py
@@ -1,11 +1,15 @@
+# Stella Kim
+# Activity 8: Django Addons & Security
+
 import os
 import base64
 from flask import Flask, request
-from model import Message
+from model import Message
 app = Flask(__name__)
+
 @app.route('/', methods=['GET', 'POST'])
 def home():
@@ -25,18 +29,17 @@ def home():

Wisdom From Your Fellow Classmates

"""
-
+
 for m in Message.select():
 body += """
{}
-""".format(m.content)
+""".format(m.content.replace('<', '<').replace('>', '>'))
- return body
+ return body
-if __name__ == "__main__":
- port = int(os.environ.get("PORT", 6738))
+if __name__ == '__main__':
+ port = int(os.environ.get('PORT', 6738))
 app.run(host='0.0.0.0', port=port)
-
diff --git a/model.py b/model.py
index cff0f2b..bdc0800 100644
--- a/model.py
+++ b/model.py
@@ -5,6 +5,7 @@ db = connect(os.environ.get('DATABASE_URL', 'sqlite:///my_database.db'))
+
 class Message(Model):
 content = CharField(max_length=1024, unique=True)
diff --git a/setup.py b/setup.py
index c8856af..ab0a618 100644
--- a/setup.py
+++ b/setup.py
@@ -1,4 +1,4 @@
-from model import db, Message
+from model import db, Message
 db.connect()
 db.create_tables([Message])
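Review bot: The escaping added to the `.format()` call on the new side of this hunk is, as the page renders it, a no-op: `.replace('<', '<').replace('>', '>')` maps each character to itself, so the fix only works if the real patch uses `&lt;`/`&gt;` and the entities were decoded on the way to this page, which is worth confirming. Even with the entities, substituting two characters by hand is an incomplete HTML escape — `&`, `"` and `'` pass through unchanged, so stored content placed in an attribute or script context is still not neutralised. Use the standard escaper at the output boundary, `from html import escape` at the top of main.py and `""".format(escape(m.content))` here, or render the page with `render_template` so Jinja's autoescaping applies to every interpolated value. The `return body` removed and re-added in this hunk looks like an indentation move; the collapsed rendering hides whether it previously sat inside the `for` loop, so check that the response is built from all rows. home() begins before this hunk (its header names `def home():`), so the request-handling half of the function is not visible here.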