Escape values for generated form used in request.post (#1236)

and build docker images for PRs

.github/workflows/release-docker.yml

@@ -4,50 +4,63 @@ on:
   push:
     tags:
       - 'v*.*.*'
+  pull_request:
+    branches:
+      - master
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
 
 jobs:
   build-docker-images:
     runs-on: ubuntu-22.04
     steps:
-      -
+      - name: Checkout
-        name: Checkout
+        uses: actions/checkout@v4
-        uses: actions/checkout@v3
+
-      -
+      - name: Downcase repo
-        name: Downcase repo
         run: echo REPOSITORY=$(echo ${{ github.repository }} | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV
-      -
+
-        name: Docker meta
+      - name: Docker meta
         id: docker_meta
-        uses: crazy-max/ghaction-docker-meta@v3
+        uses: docker/metadata-action@v5
         with:
-          images: ${{ env.REPOSITORY }},ghcr.io/${{ env.REPOSITORY }}
+          images: |
-          tag-sha: false
+            ${{ env.REPOSITORY }},enable=${{ github.event_name != 'pull_request' }}
-      -
+            ghcr.io/${{ env.REPOSITORY }}
-        name: Set up QEMU
+          tags: |
-        uses: docker/setup-qemu-action@v2
+            type=semver,pattern={{version}},prefix=v
-      -
+            type=ref,event=pr
-        name: Set up Docker Buildx
+          flavor: |
-        uses: docker/setup-buildx-action@v2
+            latest=auto
-      -
+
-        name: Login to DockerHub
+      - name: Set up QEMU
-        uses: docker/login-action@v2
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v3
+        if: github.event_name != 'pull_request'
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
-      -
+
-        name: Login to GitHub Container Registry
+      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GH_PAT }}
-      -
+
-        name: Build and push
+      - name: Build and push
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         with:
           context: .
           file: ./Dockerfile
           platforms: linux/386,linux/amd64,linux/arm/v7,linux/arm64/v8
-          push: ${{ github.event_name != 'pull_request' }}
+          push: true
           tags: ${{ steps.docker_meta.outputs.tags }}
           labels: ${{ steps.docker_meta.outputs.labels }}

src/flaresolverr_service.py

@@ -3,7 +3,8 @@ import platform
 import sys
 import time
 from datetime import timedelta
-from urllib.parse import unquote
+from html import escape
+from urllib.parse import unquote, quote
 
 from func_timeout import FunctionTimedOut, func_timeout
 from selenium.common import TimeoutException
@@ -439,7 +440,7 @@ def _post_request(req: V1RequestBase, driver: WebDriver):
             value = unquote(parts[1])
         except Exception:
             value = parts[1]
-        post_form += f'<input type="text" name="{name}" value="{value}"><br>'
+        post_form += f'<input type="text" name="{escape(quote(name))}" value="{escape(quote(value))}"><br>'
     post_form += '</form>'
     html_content = f"""
         <!DOCTYPE html>
@@ -449,6 +450,6 @@ def _post_request(req: V1RequestBase, driver: WebDriver):
             <script>document.getElementById('hackForm').submit();</script>
         </body>
         </html>"""
-    driver.get("data:text/html;charset=utf-8," + html_content)
+    driver.get("data:text/html;charset=utf-8,{html_content}".format(html_content=html_content))
     driver.start_session()
     driver.start_session()  # required to bypass Cloudflare