From 031388a6f83c2556226c6ac54cddba57ca7b9566 Mon Sep 17 00:00:00 2001
From: doubaniux
Date: Sat, 18 Dec 2021 20:36:52 -0500
Subject: [PATCH] remove usage of eval
---
 common/forms.py | 19 +++++++++----------
 users/views.py | 6 ++----
 2 files changed, 11 insertions(+), 14 deletions(-)
diff --git a/common/forms.py b/common/forms.py
index d010b583..5372ce12 100644
--- a/common/forms.py
+++ b/common/forms.py
@@ -17,7 +17,7 @@ class KeyValueInput(forms.Widget):
 data = None
 if context['widget']['value'] is not None:
 data = json.loads(context['widget']['value'])
- context['widget']['value'] = [ {p[0]: p[1]} for p in data.items()] if data else []
+ context['widget']['value'] = [{p[0]: p[1]} for p in data.items()] if data else []
 return context
 class Media:
@@ -50,18 +50,18 @@ class JSONField(postgres.JSONField):
 def to_python(self, value):
 if not value:
 return None
- json = {}
+ j = {}
 if isinstance(value, dict):
- json = value
+ j = value
 else:
- pairs = eval(value)
+ pairs = json.loads('[' + value + ']')
 if isinstance(pairs, dict):
- json = pairs
+ j = pairs
 else:
 # list or tuple
 for pair in pairs:
- json = {**json, **pair}
- return super().to_python(json)
+ j = {**j, **pair}
+ return super().to_python(j)
 class RadioBooleanField(forms.ChoiceField):
@@ -167,9 +167,7 @@ class HstoreField(forms.CharField):
 # already in python types
 if isinstance(value, list):
 return value
- pairs = eval(value)
- if len(pairs) == 1:
- pairs = (pairs,)
+ pairs = json.loads('[' + value + ']')
 return pairs
@@ -259,6 +257,7 @@ class MarkForm(forms.ModelForm):
 label=_("短评"),
 )
+
 class ReviewForm(forms.ModelForm):
 IS_PRIVATE_CHOICES = [
 (True, _("仅关注者")),
diff --git a/users/views.py b/users/views.py
index 264be10d..ff77d066 100644
--- a/users/views.py
+++ b/users/views.py
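Review bot: `json.loads('[' + value + ']')` in `JSONField.to_python` raises `ValueError` on malformed input (and `TypeError` if `value` is not a string), and nothing in the hunk catches it, so unless a caller outside the hunk handles it, bad form data surfaces as an unhandled exception rather than a field validation error; the same call in the `HstoreField` hunk (`-167,9 +167,7`) has the same gap. Because the value is always wrapped in brackets the result is a list, so the `isinstance(pairs, dict)` branch is now unreachable, and a list element that is not a JSON object makes `{**j, **pair}` raise `TypeError`. Input that the old `eval` accepted as Python literals (single-quoted strings, `True`, `None`) is now rejected, so whatever serialises the widget value has to emit strict JSON. I would catch the parse error and check the element types before merging, as sketched below; the error message text is a placeholder.

```python
        else:
            try:
                pairs = json.loads('[' + value + ']')
            except (TypeError, ValueError):
                raise forms.ValidationError(_("Invalid JSON."))
            if not all(isinstance(pair, dict) for pair in pairs):
                raise forms.ValidationError(_("Invalid JSON."))
            # … unchanged: merge each pair into j, return super().to_python(j) …
```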
@@ -721,10 +721,8 @@ def music_list(request, id, status):
 @login_required
 def set_layout(request):
 if request.method == 'POST':
- # json to python
- raw_layout_data = request.POST.get('layout').replace('false', 'False').replace('true', 'True')
- layout = eval(raw_layout_data)
- request.user.preference.home_layout = eval(raw_layout_data)
+ layout = json.loads(request.POST.get('layout'))
+ request.user.preference.home_layout = layout
 request.user.preference.save()
 return redirect(reverse("common:home"))
 else:
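Review bot: In `set_layout`, `request.POST.get('layout')` is `None` when the field is missing, so `json.loads` raises `TypeError`, and malformed JSON raises `ValueError`; neither is handled in the hunk, so a bad POST becomes a server error instead of a 400. The decoded value is then stored in `home_layout` as is, whatever JSON type the client sent; the expected shape is not visible here, so a check against it before `save()` is worth adding. The `users/views.py` section has no other additions, so `json` must already be imported in that module, which is worth confirming. The function's `else:` branch continues outside the hunk; the sketch below assumes `HttpResponseBadRequest` from `django.http` is available.

```python
    if request.method == 'POST':
        try:
            layout = json.loads(request.POST.get('layout', ''))
        except ValueError:
            return HttpResponseBadRequest()
        # … unchanged: assign home_layout, save the preference, redirect …
```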