Commit e0c78ffe authored by Ivan Tyagov's avatar Ivan Tyagov

Remove empty lines.

Add a check that prevents saving unsafe HTML content (illegal tags, JavaScript code, ...) in TextDocument.


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@15001 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent 785cab6f
...@@ -27,14 +27,13 @@ ...@@ -27,14 +27,13 @@
############################################################################## ##############################################################################
from AccessControl import ClassSecurityInfo from AccessControl import ClassSecurityInfo
from Products.CMFCore.WorkflowCore import WorkflowMethod from Products.CMFCore.WorkflowCore import WorkflowMethod
from Products.CMFCore.utils import getToolByName from Products.CMFCore.utils import getToolByName
from Products.CMFCore.utils import _setCacheHeaders from Products.CMFCore.utils import _setCacheHeaders
from Products.ERP5Type import Permissions, PropertySheet, Constraint, Interface from Products.ERP5Type import Permissions, PropertySheet, Constraint, Interface
from Products.ERP5.Document.Document import Document from Products.ERP5.Document.Document import Document
from Products.ERP5Type.WebDAVSupport import TextContent from Products.ERP5Type.WebDAVSupport import TextContent
from Products.CMFDefault.utils import isHTMLSafe
import re import re
DEFAULT_TEXT_FORMAT = 'text/html' DEFAULT_TEXT_FORMAT = 'text/html'
...@@ -108,7 +107,15 @@ class TextDocument(Document, TextContent): ...@@ -108,7 +107,15 @@ class TextDocument(Document, TextContent):
kw.setdefault('text_format', format) kw.setdefault('text_format', format)
kw.setdefault('text_content', text_content) kw.setdefault('text_content', text_content)
del kw['file'] del kw['file']
Document._edit(self, **kw) # check if it's safe to save HTML content
# By default FCKEditor used to edit Web Pages wouldn't allow inserting
# HTML tags (will replace them accordingly) so this is the last possible
# step where we can check if any other scripts wouldn't try to set manually
# bad HTML content.
if isHTMLSafe(kw['text_content']):
Document._edit(self, **kw)
else:
raise ValueError, "HTML contains illegal tags."
security.declareProtected( Permissions.ModifyPortalContent, 'edit' ) security.declareProtected( Permissions.ModifyPortalContent, 'edit' )
edit = WorkflowMethod( _edit ) edit = WorkflowMethod( _edit )
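Review bot: The new guard reads `kw['text_content']` unconditionally, but the `setdefault` that populates that key sits in the same indented run as `del kw['file']`, which looks like a file-upload branch; if so, an edit with neither a file nor an explicit text_content would fail with a KeyError in the check before Document._edit is reached. Safer is `text_content = kw.get('text_content')` followed by `if text_content is not None and not isHTMLSafe(text_content):` before the existing `raise ValueError, "HTML contains illegal tags."`, with Document._edit called unconditionally afterwards. The check also runs for every text_format rather than only text/html, and because it lives in _edit only, content written through other property setters is not covered; if both are intended, the comment block should say so. The enclosing _edit method starts outside the hunk.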