Commit c0b64536 authored by Jean-Paul Smets's avatar Jean-Paul Smets

Escape all strings. This will require some updates in svn related forms.

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@11855 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent c865a4ce
...@@ -24,6 +24,8 @@ ...@@ -24,6 +24,8 @@
from Products.Formulator.Field import Field from Products.Formulator.Field import Field
from Products.Formulator.Widget import Widget from Products.Formulator.Widget import Widget
from AccessControl import ClassSecurityInfo from AccessControl import ClassSecurityInfo
from cgi import escape
import types
from zLOG import LOG from zLOG import LOG
def Field_generate_field_key(self, validation=0, key=None): def Field_generate_field_key(self, validation=0, key=None):
...@@ -288,7 +290,7 @@ from Products.Formulator.Widget import TextAreaWidget ...@@ -288,7 +290,7 @@ from Products.Formulator.Widget import TextAreaWidget
from Products.Formulator.Widget import render_element from Products.Formulator.Widget import render_element
from DocumentTemplate.DT_Util import html_quote from DocumentTemplate.DT_Util import html_quote
def TextAreaWidget_render_view(self, field, value): def TextAreaWidget_render_view(self, field, value): # Probably useless
width = field.get_value('width') width = field.get_value('width')
height = field.get_value('height') height = field.get_value('height')
...@@ -300,7 +302,8 @@ def TextAreaWidget_render_view(self, field, value): ...@@ -300,7 +302,8 @@ def TextAreaWidget_render_view(self, field, value):
contents=html_quote(value), contents=html_quote(value),
extra='readonly') extra='readonly')
TextAreaWidget.render_view = TextAreaWidget_render_view # TextAreaWidget.render_view = TextAreaWidget_render_view
# See bellow TextWidget_patched_render_view
# Patch the render_view of LinkField so that it is clickable in read-only mode. # Patch the render_view of LinkField so that it is clickable in read-only mode.
from Products.Formulator.Widget import TextWidget from Products.Formulator.Widget import TextWidget
...@@ -329,17 +332,30 @@ LinkField.widget = PatchedLinkWidgetInstance ...@@ -329,17 +332,30 @@ LinkField.widget = PatchedLinkWidgetInstance
# Patch the render_view of TextField to enclose the value within <span> html tags if css class defined # Patch the render_view of TextField to enclose the value within <span> html tags if css class defined
def TextWidget_patched_render_view(self, field, value): def TextWidget_patched_render_view(self, field, value):
"""Render text as non-editable. """Render text as non-editable.
This renderer is designed to be type error resistant.
in we get a non string value. It does escape the result
and produces clean xhtml.
""" """
if value is None: if value is None:
return '' return ''
if isinstance(value, types.ListType) or isinstance(value, types.TupleType):
old_value = value
else:
old_value = [str(value)]
value = []
for line in old_value:
value.append(escape(line))
value = '<br/>'.join(value)
css_class = field.get_value('css_class') css_class = field.get_value('css_class')
if css_class not in ('', None): if css_class not in ('', None):
# All strings should be escaped before rendering in HTML
# except for editor field
return "<span class='%s'>%s</span>" % (css_class, value) return "<span class='%s'>%s</span>" % (css_class, value)
return value return value
from Products.Formulator.Widget import TextWidget from Products.Formulator.Widget import TextWidget
TextWidget.render_view = TextWidget_patched_render_view TextWidget.render_view = TextWidget_patched_render_view
TextAreaWidget.render_view = TextWidget_patched_render_view # Use a standard span rendering
class IntegerWidget(TextWidget) : class IntegerWidget(TextWidget) :
def render(self, field, key, value, REQUEST) : def render(self, field, key, value, REQUEST) :
......
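Review bot: In TextWidget_patched_render_view the list/tuple branch hands each element to `escape()` without the `str()` conversion the scalar branch applies, so a list containing a non-string element raises AttributeError inside `escape` (it calls `.replace` on its argument), which contradicts the new docstring's "type error resistant" promise; changing the loop body to `value.append(escape(str(line), 1))` fixes that and also escapes `"`, which `cgi.escape` leaves alone by default and which matters the moment a caller places the rendered value inside an attribute. Note that `cgi.escape` never escapes `'`, while `css_class` from `field.get_value('css_class')` is interpolated into a single-quoted attribute unescaped; that value is presumably field configuration rather than end-user data, but given the commit's "escape all strings" intent I would write `"<span class=\"%s\">%s</span>" % (escape(css_class, 1), value)` so the attribute delimiter is the one the escaper actually handles. The `str()` call will presumably also raise UnicodeEncodeError for a unicode value holding non-ASCII characters on the Python 2 this file targets (`types.ListType`), which the docstring's robustness claim does not cover — worth either a hedging comment on that line or a dedicated test. The IntegerWidget class whose header appears at the bottom of the hunk continues outside this view, and the hunk itself looks truncated after it.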