Merge branch 'develop'

2015-09-24 18:59:17 +05:30 · 2015-09-24 18:59:17 +05:30 · 4fc4f3a253
commit 4fc4f3a253
parent 915f9e74aa a2751864ba
5 changed files with 15 additions and 10 deletions
--- a/frappe/init.py
+++ b/frappe/init.py
@ -353,7 +353,8 @@ def sendmail(recipients=(), sender="", subject="No Subject", message="No Message
 logger = None
 whitelisted = []
 guest_methods = []
-def whitelist(allow_guest=False):
+xss_safe_methods = []
+def whitelist(allow_guest=False, xss_safe=False):
 	"""
 	Decorator for whitelisting a function and making it accessible via HTTP.
 	Standard request will be `/api/method/[path.to.method]`
@ -373,6 +374,9 @@ def whitelist(allow_guest=False):
 		if allow_guest:
 			guest_methods.append(fn)

+			if xss_safe:
+				xss_safe_methods.append(fn)
+
 		return fn

 	return innerfn
--- a/frappe/version.py
+++ b/frappe/version.py
@ -1,2 +1,2 @@
 from __future__ import unicode_literals
-__version__ = "6.4.1"
+__version__ = "6.4.2"
--- a/frappe/handler.py
+++ b/frappe/handler.py
@ -93,12 +93,13 @@ def execute_cmd(cmd, from_async=False):
 			frappe.msgprint(_("Not permitted"))
 			raise frappe.PermissionError('Not Allowed, {0}'.format(method))

-		# strictly sanitize form_dict
-		# escapes html characters like <> except for predefined tags like a, b, ul etc.
-		# if required, we can add more whitelisted tags like div, p, etc. (see its documentation)
-		for key, value in frappe.form_dict.items():
-			if isinstance(value, basestring):
-				frappe.form_dict[key] = bleach.clean(value)
+		if method not in frappe.xss_safe_methods:
+			# strictly sanitize form_dict
+			# escapes html characters like <> except for predefined tags like a, b, ul etc.
+			# if required, we can add more whitelisted tags like div, p, etc. (see its documentation)
+			for key, value in frappe.form_dict.items():
+				if isinstance(value, basestring):
+					frappe.form_dict[key] = bleach.clean(value)

 	else:
 		if not method in frappe.whitelisted:
--- a/frappe/hooks.py
+++ b/frappe/hooks.py
@ -26,7 +26,7 @@ to ERPNext.
 """

 app_icon = "octicon octicon-circuit-board"
-app_version = "6.4.1"
+app_version = "6.4.2"
 app_color = "orange"
 github_link = "https://github.com/frappe/frappe"

--- a/setup.py
+++ b/setup.py
@ -1,6 +1,6 @@
 from setuptools import setup, find_packages

-version = "6.4.1"
+version = "6.4.2"

 with open("requirements.txt", "r") as f:
 	install_requires = f.readlines()