From 1e32e2b5dd415a13e71b8dafd40567bcc3da68a0 Mon Sep 17 00:00:00 2001
From: W13R <9070224-W13R@users.noreply.gitlab.com>
Date: Thu, 3 Nov 2022 20:45:52 +0100
Subject: [PATCH] The application now correctly encodes the URL query string
for the profile-picture name (for security reasons); removed a left-over
print statement
---
application/app/templates/registration/login.html | 2 +-
application/app/templates/userPanel.html | 2 +-
application/app/views.py | 1 -
3 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/application/app/templates/registration/login.html b/application/app/templates/registration/login.html
index 765172e..184022f 100644
--- a/application/app/templates/registration/login.html
+++ b/application/app/templates/registration/login.html
@@ -69,7 +69,7 @@
{% for user_ in user_list %}
-
-
+
{% if user_.first_name %}
diff --git a/application/app/templates/userPanel.html b/application/app/templates/userPanel.html
index 32afe40..7e95ff6 100644
--- a/application/app/templates/userPanel.html
+++ b/application/app/templates/userPanel.html
@@ -3,7 +3,7 @@
-

+
{% if user.first_name != "" %}
{% translate "User" %}: {{ user.first_name }} {{ user.last_name }} ({{ user.username }})
diff --git a/application/app/views.py b/application/app/views.py
index d3fafb5..f380851 100644
--- a/application/app/views.py
+++ b/application/app/views.py
@@ -124,7 +124,6 @@ def redirect_home(request):
def profile_pictures(request):
if not "name" in request.GET:
return HttpResponse(b"", status=400)
- print(request.GET["name"])
ppic_filepath = Path(profile_pictures_path / request.GET["name"]).resolve()
try:
ppic_filepath.relative_to(profile_pictures_path)