remove usage of eval

2021-12-18 20:36:52 -05:00 · 2021-12-18 20:36:52 -05:00 · 031388a6f8
commit 031388a6f8
parent ae57986f19
2 changed files with 11 additions and 14 deletions
--- a/common/forms.py
+++ b/common/forms.py
@ -17,7 +17,7 @@ class KeyValueInput(forms.Widget):
        data = None
        if context['widget']['value'] is not None:
            data = json.loads(context['widget']['value'])
-        context['widget']['value'] = [ {p[0]: p[1]} for p in data.items()] if data else []
+        context['widget']['value'] = [{p[0]: p[1]} for p in data.items()] if data else []
        return context

    class Media:
@ -50,18 +50,18 @@ class JSONField(postgres.JSONField):
    def to_python(self, value):
        if not value:
            return None
-        json = {}
+        j = {}
        if isinstance(value, dict):
-            json = value
+            j = value
        else:
-            pairs = eval(value)
+            pairs = json.loads('[' + value + ']')
            if isinstance(pairs, dict):
-                json = pairs
+                j = pairs
            else:
                # list or tuple
                for pair in pairs:
-                    json = {**json, **pair}
-        return super().to_python(json)
+                    j = {**j, **pair}
+        return super().to_python(j)


 class RadioBooleanField(forms.ChoiceField):
@ -167,9 +167,7 @@ class HstoreField(forms.CharField):
        # already in python types
        if isinstance(value, list):
            return value
-        pairs = eval(value)
-        if len(pairs) == 1:
-            pairs = (pairs,)
+        pairs = json.loads('[' + value + ']')
        return pairs


@ -259,6 +257,7 @@ class MarkForm(forms.ModelForm):
        label=_("短评"),
    )

+
 class ReviewForm(forms.ModelForm):
    IS_PRIVATE_CHOICES = [
        (True, _("仅关注者")),
--- a/users/views.py
+++ b/users/views.py
@ -721,10 +721,8 @@ def music_list(request, id, status):
@login_required
 def set_layout(request):
    if request.method == 'POST':
-        # json to python
-        raw_layout_data = request.POST.get('layout').replace('false', 'False').replace('true', 'True')
-        layout = eval(raw_layout_data)
-        request.user.preference.home_layout = eval(raw_layout_data)
+        layout = json.loads(request.POST.get('layout'))
+        request.user.preference.home_layout = layout
        request.user.preference.save()
        return redirect(reverse("common:home"))
    else: