# SPDX-FileCopyrightText: Copyright (c) 2023 Michał Pokusa # # SPDX-License-Identifier: MIT """ `adafruit_httpserver.interfaces` ==================================================== * Author(s): Michał Pokusa """ try: from typing import List, Dict, Union, Any except ImportError: pass class _IFieldStorage: """Interface with shared methods for QueryParams, FormData and Headers.""" _storage: Dict[str, List[Any]] def _add_field_value(self, field_name: str, value: Any) -> None: if field_name not in self._storage: self._storage[field_name] = [value] else: self._storage[field_name].append(value) def get(self, field_name: str, default: Any = None) -> Union[Any, None]: """Get the value of a field.""" return self._storage.get(field_name, [default])[0] def get_list(self, field_name: str) -> List[Any]: """Get the list of values of a field.""" return self._storage.get(field_name, []) @property def fields(self): """Returns a list of field names.""" return list(self._storage.keys()) def items(self): """Returns a list of (name, value) tuples.""" return [(key, value) for key in self.fields for value in self.get_list(key)] def keys(self): """Returns a list of header names.""" return self.fields def values(self): """Returns a list of header values.""" return [value for key in self.keys() for value in self.get_list(key)] def __getitem__(self, field_name: str): return self._storage[field_name][0] def __iter__(self): return iter(self._storage) def __len__(self) -> int: return len(self._storage) def __contains__(self, key: str) -> bool: return key in self._storage def __repr__(self) -> str: return f"{self.__class__.__name__}({repr(self._storage)})" def _encode_html_entities(value: str) -> str: """Encodes unsafe HTML characters that could enable XSS attacks.""" return ( str(value) .replace("&", "&") .replace("<", "<") .replace(">", ">") .replace('"', """) .replace("'", "'") ) class _IXSSSafeFieldStorage(_IFieldStorage): def get( self, field_name: str, default: Any = None, *, safe=True ) -> Union[Any, None]: if safe: return _encode_html_entities(super().get(field_name, default)) _debug_warning_nonencoded_output() return super().get(field_name, default) def get_list(self, field_name: str, *, safe=True) -> List[Any]: if safe: return [ _encode_html_entities(value) for value in super().get_list(field_name) ] _debug_warning_nonencoded_output() return super().get_list(field_name) def _debug_warning_nonencoded_output(): """Warns about XSS risks.""" print( "WARNING: Setting safe to False makes XSS vulnerabilities possible by " "allowing access to raw untrusted values submitted by users. If this data is reflected " "or shown within HTML without proper encoding it could enable Cross-Site Scripting." )