From 3c40b4f33b1f63f6ac17c89bc0bf6edf8c7dd373 Mon Sep 17 00:00:00 2001 From: Sean McKellips Date: Sun, 25 Apr 2021 21:55:39 -0700 Subject: [PATCH 1/3] Upgrade Marksafe to avoid setuptools bug --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index b4ca511..7ff63ed 100644 --- a/requirements.txt +++ b/requirements.txt @@ -2,6 +2,6 @@ click==6.7 Flask==1.0.2 itsdangerous==0.24 Jinja2==2.10 -MarkupSafe==1.0 +MarkupSafe==1.1.1 peewee==3.3.4 Werkzeug==0.14.1 From 5d88dc1212653285b1fd40c54469d0c1d218e653 Mon Sep 17 00:00:00 2001 From: Sean McKellips Date: Sun, 25 Apr 2021 21:56:08 -0700 Subject: [PATCH 2/3] htmlencode gt and lt --- main.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.py b/main.py index fd03988..4d3b187 100644 --- a/main.py +++ b/main.py @@ -31,7 +31,7 @@ def home():
{}
-""".format(m.content) +""".format(m.content.replace('<', '<').replace('>', '>')) return body From 9588a0d35437e19afe7421fd8eb6461933174d0d Mon Sep 17 00:00:00 2001 From: Sean McKellips Date: Sun, 25 Apr 2021 22:47:25 -0700 Subject: [PATCH 3/3] Add csrf_token --- main.py | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/main.py b/main.py index 4d3b187..24eb825 100644 --- a/main.py +++ b/main.py @@ -1,17 +1,24 @@ -import os import base64 +import os +import random + +from flask import Flask, request, session -from flask import Flask, request -from model import Message +from model import Message app = Flask(__name__) +app.secret_key = b'\x9d\xb1u\x08%\xe0\xd0p\x9bEL\xf8JC\xa3\xf4J(hAh\xa4\xcdw\x12S*,u\xec\xb8\xb8' @app.route('/', methods=['GET', 'POST']) def home(): + if 'csrf_token' not in session: + session['csrf_token'] = str(random.randint(10000000, 99999999)) + if request.method == 'POST': - m = Message(content=request.form['content']) - m.save() + if request.form.get('csrf_token', None) == session['csrf_token']: + m = Message(content=request.form['content']) + m.save() body = """ @@ -19,12 +26,14 @@ def home():
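Review bot: The escaping added on the `-"""`/`+"""` line covers only `<` and `>`, so `&` and quote characters in m.content still reach the page unescaped, and as rendered here the replacement arguments look identical to the search characters (probably `&lt;`/`&gt;` lost in rendering) — if they really are identical the call is a no-op. Use the standard library instead: `""".format(html.escape(m.content))` with `import html` added to the top of main.py; since MarkupSafe is already pinned in requirements.txt, `markupsafe.escape(m.content)` is an equivalent choice. `home()` and the `for m in Message.select()` loop that builds `body` start outside the hunk.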
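Review bot: The added `app.secret_key = b'\x9d...'` line commits the Flask session-signing key to source, so the key must be treated as exposed and rotated, and the session cookie that carries the csrf_token set a few lines below cannot be trusted while this value is in use; read it from the environment instead, e.g. `app.secret_key = os.environ['SECRET_KEY']` (`os` is imported in this hunk). The token on the `session['csrf_token'] = str(random.randint(10000000, 99999999))` line comes from the non-cryptographic `random` module and has only 8 digits of entropy; `secrets.token_hex(16)` from the standard library is the right source, with `import secrets` replacing `import random`. On the `if request.form.get('csrf_token', None) == session['csrf_token']:` line a mismatch silently falls through and renders the page as if the POST succeeded, so a rejected submission is invisible to the user and to logs; `hmac.compare_digest(...)` with an `abort(400)` in the else branch makes the rejection explicit. `home()` continues outside the hunk.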

Class Message Board

Contribute to the Knowledge of Others

+ +

Wisdom From Your Fellow Classmates

-""" +""".format(session['csrf_token']) for m in Message.select(): body += """
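Review bot: The `+""".format(session['csrf_token'])` line renders the token with `str.format` on a raw HTML string, so any literal `{` or `}` later added to the template raises at request time, and the added hidden-input line that should carry the token (shown here as `+ +`) cannot be verified from this view. Since Flask's Jinja2 is already pinned in requirements.txt, `render_template_string` with a `{{ csrf_token }}` placeholder would autoescape both the token and the message content, removing the need for hand-rolled escaping of m.content. The `for m in Message.select():` loop that appends to `body` continues outside the hunk.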