Merge remote-tracking branch 'upstream/master' into zope4py2

bt5/erp5_corporate_identity/SkinTemplateItem/portal_skins/erp5_corporate_identity_web/WebPage_substituteDocumentationList.py

-import cgi
+from Products.PythonScripts.standard import html_quote
 
-def escapeInnerHTML(string_to_escape):
-  return cgi.escape("%s" % string_to_escape, quote=False)
-
-def escapeAttributeProperty(string_to_escape):
-  return cgi.escape("%s" % string_to_escape, quote=True)
+def escape(string_to_escape):
+  return html_quote("%s" % string_to_escape)
 
 web_site_value = context.getWebSiteValue()
 
@@ -15,7 +12,7 @@ if (web_site_value is not None):
   for category_relative_url in category_relative_url_list:
     base_category, _ = category_relative_url.split('/', 1)
 
-    result[category_relative_url.replace('/', '__')] = '<ul>%s</ul>' % ''.join(['<li><a href="%s">%s</a></li>' % (escapeAttributeProperty(x.getReference()), escapeInnerHTML(x.getTitle())) for x in web_site_value.getDocumentValueList(
+    result[category_relative_url.replace('/', '__')] = '<ul>%s</ul>' % ''.join(['<li><a href="%s">%s</a></li>' % (escape(x.getReference()), escape(x.getTitle())) for x in web_site_value.getDocumentValueList(
       sort_on=[['title', 'ASC']],
       **{'%s__relative_url' % base_category: category_relative_url}
     )])

bt5/erp5_forge/SkinTemplateItem/portal_skins/erp5_toolbox/Base_checkSkinFolderForms.py

-from cgi import escape
+from Products.PythonScripts.standard import html_quote
 portal = context.getPortalObject()
 skin_folder = portal.portal_skins[original_skin_name]
 new_skin_folder = portal.portal_skins[new_skin_name]
@@ -38,7 +38,7 @@ for original_form in skin_folder.objectValues():
           original_field.absolute_url(), new_field.absolute_url()))
 
       output_list += ("<tr><td>%s</td></tr>" % "</td><td>".join(
-            map(escape, ('[%s]' % key if T else key, str(old), str(new[key]))))
+            map(html_quote, ('[%s]' % key if T else key, str(old), str(new[key]))))
         for T, old, new in ((0, original_value_dict, new_value_dict),
                             (1, original_value_tales, new_value_tales))
         for key, old in old.iteritems()

bt5/erp5_web_js_style/SkinTemplateItem/portal_skins/erp5_web_js_style_ui/WebSection_generateNavigationHTML.py

-import cgi
+from Products.PythonScripts.standard import html_quote
 import re
 
 web_section = context
 web_site = web_section.getWebSiteValue()
 
 def _(string_to_escape):
-  return cgi.escape("%s" % string_to_escape, quote=False)
-
-
-def __(string_to_escape):
-  return cgi.escape("%s" % string_to_escape, quote=True)
+  return html_quote("%s" % string_to_escape)
 
 
 def generateSectionListHTML(result_list, section_list):
@@ -18,7 +14,7 @@ def generateSectionListHTML(result_list, section_list):
     for section in section_list:
       # Add missing / suffix to get correct relative url generation
       # XXX Fix WebSection_getSiteMapTree instead, but no idea what would be the site effects
-      result_list.append('<li><a href="%s">%s</a>' % (__(section['url'] + '/'), _(section['translated_title'])))
+      result_list.append('<li><a href="%s">%s</a>' % (_(section['url'] + '/'), _(section['translated_title'])))
       generateSectionListHTML(result_list, section['subsection'])
       result_list.append('</li>')
     result_list.append('</ul>')
@@ -41,8 +37,8 @@ def generateDocumentListHTML(result_list, document_list):
   _(section['translated_title']),
   ('<p class="p-summary">%s</p>' % _(section['description'])) if section.get('description') else '',
   ('<p class="p-author h-card">%s</p>' % _(section['document'].Document_getContributorTitleList()[0])),
-  __(section['url']),
-  __(publication_date.HTML4()),
+  _(section['url']),
+  _(publication_date.HTML4()),
   _(publication_date.rfc822())
 ))
     result_list.append('</ul></aside>')
@@ -65,12 +61,12 @@ for language in available_language_set:
     website_url_set[language] = re.sub(website_url_pattern, r'%s/%s/\1' % (root_website_url, language), web_site.absolute_url())
 
 for language, url in website_url_set.items():
-  result_list += '<li><a href="%s" hreflang="%s"><abbr lang="%s">%s</abbr></a></li>' % (__(url), __(language), __(language), _(language))
+  result_list += '<li><a href="%s" hreflang="%s"><abbr lang="%s">%s</abbr></a></li>' % (_(url), _(language), _(language), _(language))
 result_list.append('</ul></nav>')
 
 # Sitemap
 result_list.append('<nav id="sitemap">')
-result_list.append('<a href="%s">%s</a>' % (__(web_site.absolute_url()), _(web_site.getTranslatedTitle())))
+result_list.append('<a href="%s">%s</a>' % (_(web_site.absolute_url()), _(web_site.getTranslatedTitle())))
 generateSectionListHTML(result_list, web_site.WebSection_getSiteMapTree(include_document=False, depth=99))
 result_list.append('</nav>')
 

product/ERP5/Extensions/Grep.py

 import re
-import cgi
+from Products.PythonScripts.standard import html_quote
 from Acquisition import aq_base
 from AccessControl import Unauthorized
 from Products.CMFCore.utils import _checkPermission
@@ -73,8 +73,8 @@ def grep(self, pattern, A=0, B=0, r=1, i=0, highlight=1, first_occurence=0):
   html_element_list = [doctype, html, head, '<body>' '<p>']
   result_list = []
   for url, path, line in result:
-    path = cgi.escape(path)
-    line = cgi.escape(line)
+    path = html_quote(path)
+    line = html_quote(line)
     if highlight:
       line = rx.sub('<span class="highlight">\g<0></span>', line)
     if ExternalEditor is None:

product/ERP5/bin/genbt5list

@@ -220,8 +220,8 @@ def generateInformation(dir, info=id, err=None):
       if str is not bytes:
         k = k.encode()
       for v in (v,) if type(v) is bytes else v:
-        xml.write(b'    <%s>%s</%s>\n' % (k, escape(v) if str is bytes else
-                                             escape(v.decode()).encode(), k))
+        xml.write(b'    <%s>%s</%s>\n' % (k, escape(v, quote=False) if str is bytes else
+                                             escape(v.decode(), quote=False).encode(), k))
     xml.write(b'  </template>\n')
     info('done\n')
   xml.write(b'</repository>\n')

product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/Resource_hashVariationCategoryItemList.py

@@ -13,8 +13,8 @@ for item in item_list:
   item_value = item[int(not is_right_display)]
   
   # Hash key from item_value
-  item_split = string.split(item_value, '/')
-  item_key = string.join(item_split[:split_depth] , '/' )
+  item_split = item_value.split('/')
+  item_key = '/'.join(item_split[:split_depth] , '/' )
 
   if item_key not in sub_field_dict:
     # Create property dict

product/ERP5/bootstrap/erp5_core/ToolComponentTemplateItem/portal_components/tool.erp5.IntrospectionTool.py

@@ -40,7 +40,7 @@ from AccessControl.SecurityManagement import setSecurityManager
 from Products.ERP5Type.Utils import _setSuperSecurityManager
 from App.config import getConfiguration
 from Products.ERP5Type.Cache import CachingMethod
-from cgi import escape
+from Products.PythonScripts.standard import html_quote
 
 import logging
 
@@ -257,14 +257,14 @@ class IntrospectionTool(LogMixin, BaseTool):
     """
     Tail the Event Log.
     """
-    return escape(self._tailFile(self.__getEventLogPath(), 500))
+    return html_quote(self._tailFile(self.__getEventLogPath(), 500))
 
   security.declareProtected(Permissions.ManagePortal, 'tailAccessLog')
   def tailAccessLog(self):
     """
     Tail the Event Log.
     """
-    return escape(self._tailFile(self.__getAccessLogPath(), 50))
+    return html_quote(self._tailFile(self.__getAccessLogPath(), 50))
 
   security.declareProtected(Permissions.ManagePortal, 'getAccessLog')
   def getAccessLog(self, compressed=1, REQUEST=None):

product/ERP5/tests/erp5_url_checker.py

@@ -89,7 +89,7 @@ class URLOpener(FancyURLopener):
             urltype, rest = splittype(selector)
             url = rest
             user_passwd = None
-            if string.lower(urltype) != 'http':
+            if urltype.lower() != 'http':
                 realhost = None
             else:
                 realhost, rest = splithost(rest)
@@ -101,7 +101,7 @@ class URLOpener(FancyURLopener):
         if not host: raise IOError('http error', 'no host given')
         if user_passwd:
             import base64
-            auth = string.strip(base64.encodestring(user_passwd))
+            auth = base64.encodestring(user_passwd).strip()
         else:
             auth = None
         h = httplib.HTTP(host)

product/ERP5Form/ListBox.py

@@ -53,9 +53,9 @@ from ZTUtils import make_query
 
 from Products.ERP5Type.Globals import InitializeClass, get_request
 from Products.PythonScripts.Utility import allow_class
+from Products.PythonScripts.standard import html_quote
 from Products.PageTemplates.PageTemplateFile import PageTemplateFile
 from warnings import warn
-import cgi
 import six
 
 DEFAULT_LISTBOX_DISPLAY_STYLE = 'table'
@@ -2475,7 +2475,7 @@ class ListBoxHTMLRendererLine(ListBoxRendererLine):
           # If error on current field, we should display message
           if key in error_dict:
             error_text = error_dict[key].error_text
-            error_text = cgi.escape(error_text)
+            error_text = html_quote(error_text)
             if isinstance(error_text, str):
               error_mapping = getattr(error_dict[key], 'error_mapping', None)
               if error_mapping is not None:
@@ -2521,7 +2521,7 @@ class ListBoxHTMLRendererLine(ListBoxRendererLine):
             html += u' <span class="error">%s</span>' % error_message
       else:
         # If not editable, show a static text with a link, if enabled.
-        html = cgi.escape(processed_value)
+        html = html_quote(processed_value)
         if url is not None:
           # JPS-XXX - I think we should not display a URL for objects
           # which do not have the View permission

product/ERP5Form/MultiRelationField.py

@@ -37,7 +37,7 @@ from Products.ERP5Type.Message import translateString
 from AccessControl import ClassSecurityInfo
 from Products.Formulator.DummyField import fields
 from Products.ERP5Type.Globals import get_request
-from cgi import escape
+from Products.PythonScripts.standard import html_quote
 import json
 
 # Max. number of catalog result
@@ -311,8 +311,8 @@ class MultiRelationStringFieldWidget(Widget.LinesTextAreaWidget,
         value = value,
       html_string = '<br />'.join(
         '<a class="relationfieldlink" href="%s">%s</a>' % (
-          escape(jump_reference.absolute_url()),
-          escape(display_value),
+          html_quote(jump_reference.absolute_url()),
+          html_quote(display_value),
         )
         for jump_reference, display_value in zip(
           getattr(
@@ -345,7 +345,7 @@ class MultiRelationStringFieldWidget(Widget.LinesTextAreaWidget,
     css_class = field.get_value('css_class')
     if css_class not in ('', None):
       html_string = '<span class="%s">%s</span>' % (
-        escape(css_class),
+        html_quote(css_class),
         html_string,
       )
     return html_string
@@ -363,9 +363,9 @@ $(document).ready(function() {
                                           search_catalog_key: "%s"});
 });
 </script>""" % (
-      escape(key),
-      escape(json.dumps([x[0] for x in field.get_value('portal_type')])),
-      escape(field.get_value('catalog_index')),
+      html_quote(key),
+      html_quote(json.dumps([x[0] for x in field.get_value('portal_type')])),
+      html_quote(field.get_value('catalog_index')),
     )
 
   def render_wheel(self, field, value, REQUEST, relation_index=0,
@@ -383,10 +383,10 @@ $(document).ready(function() {
       'src="%s/images/exec16.png" alt="update..." ' \
       'name="%s/viewSearchRelatedDocumentDialog%s%s' \
       ':method"/>' % (
-      escape(portal_url()),
-      escape(portal_url.getRelativeContentURL(here.portal_selections)),
-      escape(str(relation_index)),
-      escape(sub_index_string),
+      html_quote(portal_url()),
+      html_quote(portal_url.getRelativeContentURL(here.portal_selections)),
+      html_quote(str(relation_index)),
+      html_quote(sub_index_string),
     )
 
   def render_relation_link(self, field, value, REQUEST, render_prefix=None):
@@ -408,8 +408,8 @@ $(document).ready(function() {
       selection_name = REQUEST.get('selection_name')
       if selection_name is not None:
         selection_name_html = '&amp;selection_name=%s&amp;selection_index=%s' % (
-          escape(selection_name),
-          escape(str(REQUEST.get('selection_index', 0))),
+          html_quote(selection_name),
+          html_quote(str(REQUEST.get('selection_index', 0))),
         )
       else:
         selection_name_html = ''
@@ -420,12 +420,12 @@ $(document).ready(function() {
       return '<a href="%s/%s?field_id=%s&amp;form_id=%s%s">' \
         '<img src="%s/images/jump.png" alt="jump" />' \
       '</a>' % (
-        escape(here.absolute_url()),
-        escape(field.get_value('jump_method')),
-        escape(field.id),
-        escape(field.aq_parent.id),
-        escape(selection_name_html),
-        escape(here.getPortalObject().portal_url()),
+        html_quote(here.absolute_url()),
+        html_quote(field.get_value('jump_method')),
+        html_quote(field.id),
+        html_quote(field.aq_parent.id),
+        html_quote(selection_name_html),
+        html_quote(here.getPortalObject().portal_url()),
       )
     return ''
 

product/ERP5Form/dtml/captchaFieldTales.dtml

@@ -20,7 +20,7 @@ This tab can therefore not be used.
 <dtml-if fields>
 <tr>
 <td colspan="3" class="form-title">
-  <dtml-var "_.string.capitalize(group)"> properties
+  <dtml-var group capitalize> properties
 </td>
 </tr>
 

product/ERP5Form/dtml/proxyFieldEdit.dtml

@@ -76,7 +76,7 @@ Surcharge <dtml-var meta_type> properties here.
       <dtml-if fields>
         <tr>
           <td colspan="3" class="form-title">
-            <dtml-var "_.string.capitalize(group)"> properties
+            <dtml-var group capitalize> properties
           </td>
         </tr>
 

product/ERP5Form/dtml/proxyFieldTales.dtml

@@ -78,7 +78,7 @@ This tab can therefore not be used.
       <dtml-if fields>
         <tr>
           <td colspan="3" class="form-title">
-            <dtml-var "_.string.capitalize(group)"> properties
+            <dtml-var group capitalize> properties
           </td>
         </tr>
 

product/ERP5Type/CopySupport.py

@@ -34,7 +34,6 @@ from Products.CMFCore.WorkflowCore import WorkflowException
 from Products.CMFCore.CatalogTool import CatalogTool as CMFCoreCatalogTool
 from Products.CMFActivity.Errors import ActivityPendingError
 
-from cgi import escape
 import sys
 
 _marker = object()

product/ERP5Type/patches/make_hidden_input.py

@@ -18,7 +18,7 @@ Close properly the <input /> tag
 
 import ZTUtils.Zope
 from ZTUtils.Zope import complex_marshal
-import cgi
+from Products.PythonScripts.standard import html_quote
 from Products.ERP5Type.Utils import ensure_list
 
 def make_hidden_input(*args, **kwargs):
@@ -39,7 +39,7 @@ def make_hidden_input(*args, **kwargs):
       d.update(arg)
   d.update(kwargs)
 
-  hq = lambda x:cgi.escape(x, quote=True)
+  hq = lambda x: html_quote(x)
   qlist = complex_marshal(ensure_list(d.items()))
   for i in range(len(qlist)):
       k, m, v = qlist[i]

product/Formulator/Form.py

@@ -14,7 +14,6 @@ from OFS.SimpleItem import Item
 import Acquisition
 from six.moves.urllib.parse import quote
 import os
-import string
 from six import StringIO
 
 from .Errors import ValidationError, FormValidationError, FieldDisabledError
@@ -744,7 +743,7 @@ class ZMIForm(ObjectManager, PropertyManager, RoleManager, Item, Form):
         fieldname -- the name of the field (meta_type) to add
         Result    -- empty string
         """
-        title = string.strip(title)
+        title = title.strip()
         if not title:
             title = id # title is always required, use id if not provided
         # get the field class we want to add
@@ -786,9 +785,9 @@ class ZMIForm(ObjectManager, PropertyManager, RoleManager, Item, Form):
         try:
             result = self.settings_form.validate_all(REQUEST)
         except FormValidationError as e:
-            message = "Validation error(s).<br />" + string.join(
+            message = "Validation error(s).<br />" + "<br />".join(
                 ["%s: %s" % (error.field.get_value('title'),
-                                              error.error_text) for error in e.errors], "<br />")
+                                              error.error_text) for error in e.errors])
             return self.formSettings(self, REQUEST,
                                      manage_tabs_message=message)
         # if we need to switch encoding, get xml representation before setting
@@ -906,7 +905,7 @@ class ZMIForm(ObjectManager, PropertyManager, RoleManager, Item, Form):
         field_ids = self._get_field_ids(group, REQUEST)
         if (to_group != 'Move to:' and
             self.move_field_group(field_ids, group, to_group)):
-            fields = string.join(field_ids, ", ")
+            fields = ", ".join(field_ids)
             message = "Fields %s transferred from %s to %s." % (fields,
                                                                 group,
                                                                 to_group)
@@ -920,7 +919,7 @@ class ZMIForm(ObjectManager, PropertyManager, RoleManager, Item, Form):
     def manage_add_group(self, new_group, REQUEST):
         """Adds a new group.
         """
-        group = string.strip(new_group)
+        group = new_group.strip()
         if (group and group != 'Select group' and
             self.add_group(group)):
             message = "Group %s created." % (group)
@@ -947,7 +946,7 @@ class ZMIForm(ObjectManager, PropertyManager, RoleManager, Item, Form):
         """Renames group.
         """
         if 'new_name' in REQUEST:
-            new_name = string.strip(REQUEST['new_name'])
+            new_name = REQUEST['new_name'].strip()
             if self.rename_group(group, new_name):
                 message = "Group %s renamed to %s." % (group, new_name)
             else:

product/Formulator/FormToXML.py

 # -*- coding: utf-8 -*-
 import six
 
-from cgi import escape
 from lxml import etree
-from lxml.etree import Element, SubElement, CDATA
+from lxml.etree import Element, SubElement
 from lxml.builder import E
 
 def formToXML(form, prologue=1):
@@ -21,7 +20,7 @@ def formToXML(form, prologue=1):
         else:
           value = 'false'
       sub_element = SubElement(form_as_xml, id)
-      sub_element.text = escape(str(value)).decode(encoding)
+      sub_element.text = str(value).decode(encoding)
     groups = SubElement(form_as_xml, 'groups')
     # export form groups
     for group in form.get_groups(include_empty=1):
@@ -58,7 +57,7 @@ def formToXML(form, prologue=1):
             if not isinstance(value, six.string_types):
               value = str(value)
             value_element = SubElement(values_element, key)
-          value_element.text = escape(str(value)).decode(encoding)
+          value_element.text = str(value).decode(encoding)
 
         tales_element = SubElement(field_element, 'tales')
         items = field.tales.items()
@@ -66,11 +65,11 @@ def formToXML(form, prologue=1):
         for key, value in items:
           if value:
             tale_element = SubElement(tales_element, key)
-            tale_element.text = escape(str(value._text)).decode(encoding)
+            tale_element.text = str(value._text).decode(encoding)
         messages = SubElement(field_element, 'messages')
         for message_key in field.get_error_names():
           message_element = SubElement(messages, 'message', name=message_key)
-          message_element.text = escape(field.get_error_message(message_key)).decode(encoding)
+          message_element.text = field.get_error_message(message_key).decode(encoding)
         # Special attribute for ProxyFields *delegated_list*
         delegated_list = getattr(field, 'delegated_list', [])
         if delegated_list:
@@ -78,8 +77,6 @@ def formToXML(form, prologue=1):
           delegated_list.sort()
           [SubElement(delegated_list_element, delegated) for delegated in delegated_list]
 
-    form_as_string = etree.tostring(form_as_xml, encoding='utf-8',
-                                    xml_declaration=True, pretty_print=True)
     if form.unicode_mode:
       return etree.tostring(form_as_xml, encoding='utf-8',
                                     xml_declaration=True, pretty_print=True)

product/Formulator/ListTextAreaField.py

 from __future__ import absolute_import
-import string
 from .DummyField import fields
 from . import Widget, Validator
 from .Field import ZMIField
@@ -17,7 +16,7 @@ class ListTextAreaWidget(Widget.TextAreaWidget):
         for element_text, element_value in value:
             lines.append("%s | %s" % (element_text, element_value))
         return Widget.TextAreaWidget.render(self, field, key,
-                                            string.join(lines, '\n'),
+                                            '\n'.join(lines),
                                             REQUEST)
 
 ListTextAreaWidgetInstance = ListTextAreaWidget()
@@ -30,14 +29,14 @@ class ListLinesValidator(Validator.LinesValidator):
         value = Validator.LinesValidator.validate(self, field, key, REQUEST)
         result = []
         for line in value:
-            elements = string.split(line, "|")
+            elements = line.split("|")
             if len(elements) >= 2:
                 text, value = elements[:2]
             else:
                 text = line
                 value = line
-            text = string.strip(text)
-            value = string.strip(value)
+            text = text.strip()
+            value = value.strip()
             result.append((text, value))
         return result
 

product/Formulator/Widget.py

@@ -6,7 +6,7 @@ import string
 from .DummyField import fields
 from DocumentTemplate.DT_Util import html_quote
 from DateTime import DateTime, Timezones
-from cgi import escape
+from Products.PythonScripts.standard import html_quote
 import types
 from DocumentTemplate.ustr import ustr
 from six.moves.urllib.parse import urljoin
@@ -441,7 +441,7 @@ class TextWidget(Widget):
       old_value = [str(value)]
     value = []
     for line in old_value:
-      value.append(escape(line))
+      value.append(html_quote(line))
     value = '<br/>'.join(value)
 
     extra = field.get_value('extra')
@@ -686,7 +686,7 @@ class TextAreaWidget(Widget):
                 value = str(value)
             value = value.split('\n')
         line_separator = '<br/>'
-        value_list = [escape(part).replace('\n', line_separator) for part in value]
+        value_list = [html_quote(part).replace('\n', line_separator) for part in value]
         value = line_separator.join(value_list)
         return render_element("div",
                               css_class=field.get_value('css_class'),
@@ -751,7 +751,7 @@ class LinesTextAreaWidget(TextAreaWidget):
       value = value.split('\n')
     line_separator = field.get_value('view_separator')
 
-    value_list = [escape(convertToString(part)).replace('\n', line_separator) for part in value]
+    value_list = [html_quote(convertToString(part)).replace('\n', line_separator) for part in value]
     value = line_separator.join(value_list)
     return render_element("div",
                           css_class=field.get_value('css_class'),
@@ -898,14 +898,14 @@ class SingleItemsWidget(ItemsWidget):
         item_value = item
 
       if item_value == value and not selected_found:
-        rendered_item = self.render_selected_item(escape(ustr(item_text)),
+        rendered_item = self.render_selected_item(html_quote(ustr(item_text)),
                                                   item_value,
                                                   key,
                                                   css_class,
                                                   extra_item)
         selected_found = 1
       else:
-        rendered_item = self.render_item(escape(ustr(item_text)),
+        rendered_item = self.render_item(html_quote(ustr(item_text)),
                                           item_value,
                                           key,
                                           css_class,
@@ -915,7 +915,7 @@ class SingleItemsWidget(ItemsWidget):
 
     # XXX We want to make sure that we always have the current value in items. -yo
     if not selected_found and value:
-      value = escape(ustr(value))
+      value = html_quote(ustr(value))
       rendered_item = self.render_selected_item('??? (%s)' % value,
                                                 value,
                                                 key,
@@ -934,7 +934,7 @@ class SingleItemsWidget(ItemsWidget):
         return ''
     title_list = [x[0] for x in field.get_value("items", REQUEST=REQUEST) if x[1]==value]
     if len(title_list) == 0:
-      return "??? (%s)" % escape(value)
+      return "??? (%s)" % html_quote(value)
     else:
       return title_list[0]
     return value
@@ -1029,7 +1029,7 @@ class MultiItemsWidget(ItemsWidget):
 
       if item_value in value:
         rendered_item = self.render_selected_item(
-            escape(ustr(item_text)),
+            html_quote(ustr(item_text)),
             item_value,
             key,
             css_class,
@@ -1039,7 +1039,7 @@ class MultiItemsWidget(ItemsWidget):
         selected_found[index] = 1
       else:
         rendered_item = self.render_item(
-            escape(ustr(item_text)),
+            html_quote(ustr(item_text)),
             item_value,
             key,
             css_class,
@@ -1050,7 +1050,7 @@ class MultiItemsWidget(ItemsWidget):
     for index in range(len(value)):
       v = value[index]
       if index not in selected_found and v:
-        v = escape(v)
+        v = html_quote(v)
         rendered_item = self.render_selected_item('??? (%s)' % v,
                                                   v,
                                                   key,

product/Formulator/XMLObjects.py

 # -*- coding: utf-8 -*-
 from xml.dom.minidom import parse, parseString, Node
-from xml.sax.saxutils import unescape
 # an extremely simple system for loading in XML into objects
 
 class Object:
@@ -41,7 +40,7 @@ def attributeToObject(parent, node):
 
 def textToObject(parent, node):
     # add this text to parents text content
-    parent.text += unescape(node.data)
+    parent.text += node.data
 
 def processingInstructionToObject(parent, node):
     # don't do anything with these

product/Formulator/dtml/FieldHelpTopic.dtml

@@ -3,7 +3,7 @@
 <dtml-in get_groups>
 <dtml-let group=sequence-item fields="get_fields_in_group(group)">
   <dtml-if fields>
-    <h4><i><dtml-var "_.string.capitalize(group)"> properties</i></h4>
+    <h4><i><dtml-var group capitalize> properties</i></h4>
   <dtml-in fields>
   <dtml-let field=sequence-item>
    <b><dtml-var "field.get_value('title')"> (<dtml-var "field.id">)</b>

product/Formulator/dtml/fieldEdit.dtml

@@ -17,7 +17,7 @@ Edit <dtml-var meta_type> properties here.
 <dtml-if fields>
 <tr>
 <td colspan="4" class="form-title">
-  <dtml-var "_.string.capitalize(group)"> properties
+  <dtml-var group capitalize> properties
 </td>
 </tr>
 

product/Formulator/dtml/fieldOverride.dtml

@@ -14,7 +14,7 @@ Edit <dtml-var meta_type> method overrides here.
 <dtml-if fields>
 <tr>
 <td colspan="3" class="form-title">
-  <dtml-var "_.string.capitalize(group)"> properties
+  <dtml-var group capitalize> properties
 </td>
 </tr>
 

product/Formulator/dtml/fieldTales.dtml

@@ -21,7 +21,7 @@ This tab can therefore not be used.
 <dtml-if fields>
 <tr>
 <td colspan="3" class="form-title">
-  <dtml-var "_.string.capitalize(group)"> properties
+  <dtml-var group capitalize> properties
 </td>
 </tr>
 

product/HBTreeFolder2/HBTreeFolder2.py

@@ -13,7 +13,7 @@
 ##############################################################################
 
 import operator
-from cgi import escape
+from Products.PythonScripts.standard import html_quote
 from itertools import chain, islice
 import six
 try:
@@ -309,8 +309,8 @@ class HBTreeFolder2Base (Persistent):
 
         formatted = [listtext0 % pref_rows]
         for optID in islice(self.objectIds(), b_start - 1, b_end):
-            optID = escape(optID)
-            formatted.append(listtext1 % (escape(optID, quote=1), optID))
+            optID = html_quote(optID)
+            formatted.append(listtext1 % (html_quote(optID), optID))
         formatted.append(listtext2)
         return {'b_start': b_start, 'b_end': b_end,
                 'prev_batch_url': prev_url,

product/PortalTransforms/transforms/python.py

@@ -15,7 +15,6 @@ Original code from active state recipe
 """
 __revision__ = '$Id: python.py 3661 2005-02-23 17:05:31Z tiran $'
 
-import string
 import keyword, token, tokenize
 from six.moves import cStringIO as StringIO
 
@@ -35,7 +34,7 @@ class Parser:
     def __init__(self, raw, tags, out):
         """ Store the source text.
         """
-        self.raw = string.strip(string.expandtabs(raw))
+        self.raw = raw.expandtabs().strip()
         self.out = out
         self.tags = tags
 
@@ -46,7 +45,7 @@ class Parser:
         self.lines = [0, 0]
         pos = 0
         while 1:
-            pos = string.find(self.raw, '\n', pos) + 1
+            pos = self.raw.find('\n', pos) + 1
             if not pos: break
             self.lines.append(pos)
         self.lines.append(len(self.raw))

product/PortalTransforms/transforms/safe_html.py

@@ -3,7 +3,7 @@ from six import unichr
 from zLOG import ERROR
 from six.moves.html_parser import HTMLParser, HTMLParseError
 import re
-from cgi import escape
+from Products.PythonScripts.standard import html_quote
 import codecs
 
 from Products.PortalTransforms.interfaces import ITransform
@@ -220,7 +220,7 @@ class StrippingParser(HTMLParser):
 
     def handle_data(self, data):
         if self.suppress: return
-        data = escape(data)
+        data = html_quote(data)
         if self.original_charset and isinstance(data, str):
             data = data.decode(self.original_charset)
         self.result.append(data)
@@ -294,7 +294,7 @@ class StrippingParser(HTMLParser):
                             self.original_charset = charset
                         v = charset_parser.sub(
                             CharsetReplacer(self.default_encoding), v)
-                    self.result.append(' %s="%s"' % (k, escape(v, True)))
+                    self.result.append(' %s="%s"' % (k, html_quote(v, True)))
 
             #UNUSED endTag = '</%s>' % tag
             if safeToInt(self.valid.get(tag)):

product/ZSQLCatalog/SQLCatalog.py

@@ -49,7 +49,6 @@ from inspect import CO_VARKEYWORDS
 from functools import wraps
 import time
 from six.moves import urllib
-import string
 import pprint
 import re
 import warnings
@@ -1216,7 +1215,7 @@ class Catalog(Folder,
 
     words = 0
     obj = REQUEST.PARENTS[1]
-    path = string.join(obj.getPhysicalPath(), '/')
+    path = '/'.join(obj.getPhysicalPath())
 
     results = self.aq_parent.ZopeFindAndApply(obj,
                     obj_metatypes=obj_metatypes,

product/ZSQLCatalog/ZSQLCatalog.py

@@ -35,7 +35,7 @@ from AccessControl import ClassSecurityInfo
 from DocumentTemplate.security import RestrictedDTML
 from Products.CMFCore.utils import getToolByName
 from Products.ERP5Type.Cache import clearCache
-import string, sys
+import sys
 import time
 from ZODB.POSException import ConflictError
 
@@ -532,7 +532,7 @@ class ZCatalog(Folder, Persistent, Implicit):
   def manage_edit(self, RESPONSE, URL1, threshold=1000, REQUEST=None):
     """ edit the catalog """
     if type(threshold) is not type(1):
-      threshold=string.atoi(threshold)
+      threshold=int(threshold)
     self.threshold = threshold
 
     RESPONSE.redirect(URL1 + '/manage_main?manage_tabs_message=Catalog%20Changed')
@@ -616,7 +616,7 @@ class ZCatalog(Folder, Persistent, Implicit):
 
     words = 0
     obj = REQUEST.PARENTS[1]
-    path = string.join(obj.getPhysicalPath(), '/')
+    path = '/'.join(obj.getPhysicalPath())
 
 
     results = self.ZopeFindAndApply(obj,
@@ -1012,7 +1012,7 @@ class ZCatalog(Folder, Persistent, Implicit):
     """
       Return the attribute names as a single string
     """
-    return string.join(self.names(sql_catalog_id=sql_catalog_id).get(column, ('',)),' ')
+    return ' '.join(self.names(sql_catalog_id=sql_catalog_id).get(column, ('',)))
 
   def _searchable_arguments(self, sql_catalog_id=None):
     catalog = self.getSQLCatalog(sql_catalog_id)
@@ -1178,7 +1178,7 @@ class ZCatalog(Folder, Persistent, Implicit):
         and
         (not obj_searchterm or
          (hasattr(ob, 'PrincipiaSearchSource') and
-          string.find(ob.PrincipiaSearchSource(), obj_searchterm) >= 0
+          ob.PrincipiaSearchSource().find(obj_searchterm) >= 0
           ))
         and
         (not obj_expr or expr_match(ob, obj_expr))
@@ -1217,7 +1217,7 @@ class ZCatalog(Folder, Persistent, Implicit):
     No exceptions are raised.
     """
     script=REQUEST.script
-    if string.find(path, script) != 0:
+    if path.find(script) != 0:
       path='%s/%s' % (script, path)
     try:
       return REQUEST.resolve_url(path)
@@ -1267,7 +1267,7 @@ class ZCatalog(Folder, Persistent, Implicit):
           if ob is None:
             removed.append(path)
             continue
-        ppath = string.join(ob.getPhysicalPath(), '/')
+        ppath = '/'.join(ob.getPhysicalPath())
         if path != ppath:
           fixed.append((path, ppath))
         else: