prevent html injection in chatlogs

gameview.py

@@ -210,20 +210,6 @@ class ChatLogs(QtGui.QTextEdit):
                     self.logfile = "logs/%d-%02d-%02d %02d.%02d.%02d [OOC].log" % (currtime[0], currtime[1], currtime[2], currtime[3], currtime[4], currtime[5])
         else:
             self.logfile = None
-                        
-    # def mouseMoveEvent(self, e):
-        # super(ChatLogs, self).mouseMoveEvent(e)
-        # self.anchor = self.anchorAt(e.pos())
-        # if self.anchor:
-            # QtGui.QApplication.setOverrideCursor(QtCore.Qt.PointingHandCursor)
-        # else:
-            # QtGui.QApplication.setOverrideCursor(QtCore.Qt.ArrowCursor)
-
-    # def mouseReleaseEvent(self, e):
-        # if self.anchor:
-            # QtGui.QDesktopServices.openUrl(QtCore.QUrl(self.anchor))
-            # self.anchor = None
-            # QtGui.QApplication.setOverrideCursor(QtCore.Qt.ArrowCursor)
             
     def __del__(self):
         if self.savelog:
@@ -250,11 +236,7 @@ class ChatLogs(QtGui.QTextEdit):
                             logfile.write("[OOC] " + text_.replace("<b>", "").replace("</b>", "") +"\n")
                     else:
                         logfile.write(text_.replace("<b>", "").replace("</b>", "") +"\n")
-
+                        
-        # if "http" in text:
-            # text = unicode(text) # Get rid of QStrings
-            # text = re.sub(URL_REGEX, r'<a href="\g<0>">\g<0></a>', text)
-            
         super(ChatLogs, self).append(text)
 
 class AOCharMovie(QtGui.QLabel):
@@ -3054,7 +3036,7 @@ class GUI(QtGui.QWidget):
                 logcharName += " (???)"
         
         if evidence == -1:
-            self.ICLog.append(timestamp + '%s: %s' % (logcharName, chatmsg))
+            self.ICLog.append(timestamp + '%s: %s' % (logcharName, chatmsg.replace("<", "&lt;")))
         else:
             eviname = '(NULL) %d' % evidence
             try:
@@ -3496,7 +3478,7 @@ class GUI(QtGui.QWidget):
                 callwords = [line.rstrip() for line in f]
                 for callword in callwords:
                     if callword.decode('utf-8').lower() in self.mChatMessage[CHATMSG].lower().split(" "):
-                        self.OOCLog.append("<b>%s called you.</b>" % fChar)
+                        self.OOCLog.append("<b>%s called you:</b> %s" % (fChar, self.mChatMessage[CHATMSG]))
                         QtGui.QApplication.alert(self, 1000)
                         snd = audio.loadHandle(False, "word_call.wav", 0, 0, BASS_STREAM_AUTOFREE)
                         if snd:
@@ -3608,11 +3590,11 @@ class GUI(QtGui.QWidget):
             fCharacter2 = fMessage[self.tickPos]
             fCharacter = QtCore.QString(fCharacter2)
 
-            if fCharacter == " ":
+            if fCharacter in [" ", "\n", "<", ">"]:
-                self.text.insertPlainText(" ")
+                self.text.insertPlainText(fCharacter)
-                self.ao2text.insertPlainText(" ")
+                self.ao2text.insertPlainText(fCharacter)
             
-            elif fCharacter == "\n" or fCharacter == "\r":
+            elif fCharacter == "\r":
                 self.text.insertPlainText("\n")
                 self.ao2text.insertPlainText("\n")
             

packets.py

@@ -47,7 +47,7 @@ def handlePackets(caller, total, record=True):
         elif header == 'CT':
             name = decodeAOString(network[1].decode('utf-8'))
             chatmsg = decodeAOString(network[2].decode('utf-8').replace("\n", "<br />"))
-            caller.OOC_Log.emit("<b>%s:</b> %s" % (name, chatmsg))
+            caller.OOC_Log.emit("<b>%s:</b> %s" % (name, chatmsg.replace("<", "&lt;")))
         
         elif header == 'PV':
             caller.parent.myChar = int(network[3])