cgi.escape is deprecated in Python 3.2 and removed in Python 3.8.

b3039664 · Kazuhiko Shiozaki · ce63a24d · b3039664 · b3039664 · b3039664
Commit b3039664 authored Sep 15, 2022 by Kazuhiko Shiozaki
13 changed files
--- a/bt5/erp5_corporate_identity/SkinTemplateItem/portal_skins/erp5_corporate_identity_web/WebPage_substituteDocumentationList.py
+++ b/bt5/erp5_corporate_identity/SkinTemplateItem/portal_skins/erp5_corporate_identity_web/WebPage_substituteDocumentationList.py
-import cgi
+from Products.PythonScripts.standard import html_quote

-def escapeInnerHTML(string_to_escape):
-  return cgi.escape("%s" % string_to_escape, quote=False)
-
-def escapeAttributeProperty(string_to_escape):
-  return cgi.escape("%s" % string_to_escape, quote=True)
+def escape(string_to_escape):
+  return html_quote("%s" % string_to_escape)

 web_site_value = context.getWebSiteValue()

@@ -15,7 +12,7 @@ if (web_site_value is not None):
  for category_relative_url in category_relative_url_list:
    base_category, _ = category_relative_url.split('/', 1)

-    result[category_relative_url.replace('/', '__')] = '<ul>%s</ul>' % ''.join(['<li><a href="%s">%s</a></li>' % (escapeAttributeProperty(x.getReference()), escapeInnerHTML(x.getTitle())) for x in web_site_value.getDocumentValueList(
+    result[category_relative_url.replace('/', '__')] = '<ul>%s</ul>' % ''.join(['<li><a href="%s">%s</a></li>' % (escape(x.getReference()), escape(x.getTitle())) for x in web_site_value.getDocumentValueList(
      sort_on=[['title', 'ASC']],
      **{'%s__relative_url' % base_category: category_relative_url}
    )])

--- a/bt5/erp5_forge/SkinTemplateItem/portal_skins/erp5_toolbox/Base_checkSkinFolderForms.py
+++ b/bt5/erp5_forge/SkinTemplateItem/portal_skins/erp5_toolbox/Base_checkSkinFolderForms.py
-from cgi import escape
+from Products.PythonScripts.standard import html_quote
 portal = context.getPortalObject()
 skin_folder = portal.portal_skins[original_skin_name]
 new_skin_folder = portal.portal_skins[new_skin_name]
@@ -38,7 +38,7 @@ for original_form in skin_folder.objectValues():
          original_field.absolute_url(), new_field.absolute_url()))

      output_list += ("<tr><td>%s</td></tr>" % "</td><td>".join(
-            map(escape, ('[%s]' % key if T else key, str(old), str(new[key]))))
+            map(html_quote, ('[%s]' % key if T else key, str(old), str(new[key]))))
        for T, old, new in ((0, original_value_dict, new_value_dict),
                            (1, original_value_tales, new_value_tales))
        for key, old in old.iteritems()

--- a/bt5/erp5_web_js_style/SkinTemplateItem/portal_skins/erp5_web_js_style_ui/WebSection_generateNavigationHTML.py
+++ b/bt5/erp5_web_js_style/SkinTemplateItem/portal_skins/erp5_web_js_style_ui/WebSection_generateNavigationHTML.py
-import cgi
+from Products.PythonScripts.standard import html_quote
 import re

 web_section = context
 web_site = web_section.getWebSiteValue()

 def _(string_to_escape):
-  return cgi.escape("%s" % string_to_escape, quote=False)
-
-
-def __(string_to_escape):
-  return cgi.escape("%s" % string_to_escape, quote=True)
+  return html_quote("%s" % string_to_escape)


 def generateSectionListHTML(result_list, section_list):
@@ -18,7 +14,7 @@ def generateSectionListHTML(result_list, section_list):
    for section in section_list:
      # Add missing / suffix to get correct relative url generation
      # XXX Fix WebSection_getSiteMapTree instead, but no idea what would be the site effects
-      result_list.append('<li><a href="%s">%s</a>' % (__(section['url'] + '/'), _(section['translated_title'])))
+      result_list.append('<li><a href="%s">%s</a>' % (_(section['url'] + '/'), _(section['translated_title'])))
      generateSectionListHTML(result_list, section['subsection'])
      result_list.append('</li>')
    result_list.append('</ul>')
@@ -41,8 +37,8 @@ def generateDocumentListHTML(result_list, document_list):
  _(section['translated_title']),
  ('<p class="p-summary">%s</p>' % _(section['description'])) if section.get('description') else '',
  ('<p class="p-author h-card">%s</p>' % _(section['document'].Document_getContributorTitleList()[0])),
-  __(section['url']),
-  __(publication_date.HTML4()),
+  _(section['url']),
+  _(publication_date.HTML4()),
  _(publication_date.rfc822())
 ))
    result_list.append('</ul></aside>')
@@ -65,12 +61,12 @@ for language in available_language_set:
    website_url_set[language] = re.sub(website_url_pattern, r'%s/%s/\1' % (root_website_url, language), web_site.absolute_url())

 for language, url in website_url_set.items():
-  result_list += '<li><a href="%s" hreflang="%s"><abbr lang="%s">%s</abbr></a></li>' % (__(url), __(language), __(language), _(language))
+  result_list += '<li><a href="%s" hreflang="%s"><abbr lang="%s">%s</abbr></a></li>' % (_(url), _(language), _(language), _(language))
 result_list.append('</ul></nav>')

 # Sitemap
 result_list.append('<nav id="sitemap">')
-result_list.append('<a href="%s">%s</a>' % (__(web_site.absolute_url()), _(web_site.getTranslatedTitle())))
+result_list.append('<a href="%s">%s</a>' % (_(web_site.absolute_url()), _(web_site.getTranslatedTitle())))
 generateSectionListHTML(result_list, web_site.WebSection_getSiteMapTree(include_document=False, depth=99))
 result_list.append('</nav>')


--- a/product/ERP5/Extensions/Grep.py
+++ b/product/ERP5/Extensions/Grep.py
 import re
-import cgi
+from Products.PythonScripts.standard import html_quote
 from Acquisition import aq_base
 from AccessControl import Unauthorized
 from Products.CMFCore.utils import _checkPermission
@@ -73,8 +73,8 @@ def grep(self, pattern, A=0, B=0, r=1, i=0, highlight=1, first_occurence=0):
  html_element_list = [doctype, html, head, '<body>' '<p>']
  result_list = []
  for url, path, line in result:
-    path = cgi.escape(path)
-    line = cgi.escape(line)
+    path = html_quote(path)
+    line = html_quote(line)
    if highlight:
      line = rx.sub('<span class="highlight">\g<0></span>', line)
    if ExternalEditor is None:

--- a/product/ERP5/bin/genbt5list
+++ b/product/ERP5/bin/genbt5list
@@ -220,8 +220,8 @@ def generateInformation(dir, info=id, err=None):
      if str is not bytes:
        k = k.encode()
      for v in (v,) if type(v) is bytes else v:
-        xml.write(b'    <%s>%s</%s>\n' % (k, escape(v) if str is bytes else
-                                             escape(v.decode()).encode(), k))
+        xml.write(b'    <%s>%s</%s>\n' % (k, escape(v, quote=False) if str is bytes else
+                                             escape(v.decode(), quote=False).encode(), k))
    xml.write(b'  </template>\n')
    info('done\n')
  xml.write(b'</repository>\n')

--- a/product/ERP5/bootstrap/erp5_core/ToolComponentTemplateItem/portal_components/tool.erp5.IntrospectionTool.py
+++ b/product/ERP5/bootstrap/erp5_core/ToolComponentTemplateItem/portal_components/tool.erp5.IntrospectionTool.py
@@ -40,7 +40,7 @@ from AccessControl.SecurityManagement import setSecurityManager
 from Products.ERP5Type.Utils import _setSuperSecurityManager
 from App.config import getConfiguration
 from Products.ERP5Type.Cache import CachingMethod
-from cgi import escape
+from Products.PythonScripts.standard import html_quote

 import logging

@@ -257,14 +257,14 @@ class IntrospectionTool(LogMixin, BaseTool):
    """
    Tail the Event Log.
    """
-    return escape(self._tailFile(self.__getEventLogPath(), 500))
+    return html_quote(self._tailFile(self.__getEventLogPath(), 500))

  security.declareProtected(Permissions.ManagePortal, 'tailAccessLog')
  def tailAccessLog(self):
    """
    Tail the Event Log.
    """
-    return escape(self._tailFile(self.__getAccessLogPath(), 50))
+    return html_quote(self._tailFile(self.__getAccessLogPath(), 50))

  security.declareProtected(Permissions.ManagePortal, 'getAccessLog')
  def getAccessLog(self, compressed=1, REQUEST=None):

--- a/product/ERP5Form/ListBox.py
+++ b/product/ERP5Form/ListBox.py
@@ -53,9 +53,9 @@ from ZTUtils import make_query

 from Products.ERP5Type.Globals import InitializeClass, get_request
 from Products.PythonScripts.Utility import allow_class
+from Products.PythonScripts.standard import html_quote
 from Products.PageTemplates.PageTemplateFile import PageTemplateFile
 from warnings import warn
-import cgi
 import six

 DEFAULT_LISTBOX_DISPLAY_STYLE = 'table'
@@ -2475,7 +2475,7 @@ class ListBoxHTMLRendererLine(ListBoxRendererLine):
          # If error on current field, we should display message
          if key in error_dict:
            error_text = error_dict[key].error_text
-            error_text = cgi.escape(error_text)
+            error_text = html_quote(error_text)
            if isinstance(error_text, str):
              error_mapping = getattr(error_dict[key], 'error_mapping', None)
              if error_mapping is not None:
@@ -2521,7 +2521,7 @@ class ListBoxHTMLRendererLine(ListBoxRendererLine):
            html += u' <span class="error">%s</span>' % error_message
      else:
        # If not editable, show a static text with a link, if enabled.
-        html = cgi.escape(processed_value)
+        html = html_quote(processed_value)
        if url is not None:
          # JPS-XXX - I think we should not display a URL for objects
          # which do not have the View permission

--- a/product/ERP5Form/MultiRelationField.py
+++ b/product/ERP5Form/MultiRelationField.py
@@ -37,7 +37,7 @@ from Products.ERP5Type.Message import translateString
 from AccessControl import ClassSecurityInfo
 from Products.Formulator.DummyField import fields
 from Products.ERP5Type.Globals import get_request
-from cgi import escape
+from Products.PythonScripts.standard import html_quote
 import json

 # Max. number of catalog result
@@ -311,8 +311,8 @@ class MultiRelationStringFieldWidget(Widget.LinesTextAreaWidget,
        value = value,
      html_string = '<br />'.join(
        '<a class="relationfieldlink" href="%s">%s</a>' % (
-          escape(jump_reference.absolute_url()),
-          escape(display_value),
+          html_quote(jump_reference.absolute_url()),
+          html_quote(display_value),
        )
        for jump_reference, display_value in zip(
          getattr(
@@ -345,7 +345,7 @@ class MultiRelationStringFieldWidget(Widget.LinesTextAreaWidget,
    css_class = field.get_value('css_class')
    if css_class not in ('', None):
      html_string = '<span class="%s">%s</span>' % (
-        escape(css_class),
+        html_quote(css_class),
        html_string,
      )
    return html_string
@@ -363,9 +363,9 @@ $(document).ready(function() {
                                          search_catalog_key: "%s"});
 });
 </script>""" % (
-      escape(key),
-      escape(json.dumps([x[0] for x in field.get_value('portal_type')])),
-      escape(field.get_value('catalog_index')),
+      html_quote(key),
+      html_quote(json.dumps([x[0] for x in field.get_value('portal_type')])),
+      html_quote(field.get_value('catalog_index')),
    )

  def render_wheel(self, field, value, REQUEST, relation_index=0,
@@ -383,10 +383,10 @@ $(document).ready(function() {
      'src="%s/images/exec16.png" alt="update..." ' \
      'name="%s/viewSearchRelatedDocumentDialog%s%s' \
      ':method"/>' % (
-      escape(portal_url()),
-      escape(portal_url.getRelativeContentURL(here.portal_selections)),
-      escape(str(relation_index)),
-      escape(sub_index_string),
+      html_quote(portal_url()),
+      html_quote(portal_url.getRelativeContentURL(here.portal_selections)),
+      html_quote(str(relation_index)),
+      html_quote(sub_index_string),
    )

  def render_relation_link(self, field, value, REQUEST, render_prefix=None):
@@ -408,8 +408,8 @@ $(document).ready(function() {
      selection_name = REQUEST.get('selection_name')
      if selection_name is not None:
        selection_name_html = '&amp;selection_name=%s&amp;selection_index=%s' % (
-          escape(selection_name),
-          escape(str(REQUEST.get('selection_index', 0))),
+          html_quote(selection_name),
+          html_quote(str(REQUEST.get('selection_index', 0))),
        )
      else:
        selection_name_html = ''
@@ -420,12 +420,12 @@ $(document).ready(function() {
      return '<a href="%s/%s?field_id=%s&amp;form_id=%s%s">' \
        '<img src="%s/images/jump.png" alt="jump" />' \
      '</a>' % (
-        escape(here.absolute_url()),
-        escape(field.get_value('jump_method')),
-        escape(field.id),
-        escape(field.aq_parent.id),
-        escape(selection_name_html),
-        escape(here.getPortalObject().portal_url()),
+        html_quote(here.absolute_url()),
+        html_quote(field.get_value('jump_method')),
+        html_quote(field.id),
+        html_quote(field.aq_parent.id),
+        html_quote(selection_name_html),
+        html_quote(here.getPortalObject().portal_url()),
      )
    return ''


--- a/product/ERP5Type/CopySupport.py
+++ b/product/ERP5Type/CopySupport.py
@@ -36,7 +36,6 @@ from Products.CMFCore.WorkflowCore import WorkflowException
 from Products.CMFCore.CatalogTool import CatalogTool as CMFCoreCatalogTool
 from Products.CMFActivity.Errors import ActivityPendingError

-from cgi import escape
 import sys

 _marker = object()

--- a/product/ERP5Type/patches/make_hidden_input.py
+++ b/product/ERP5Type/patches/make_hidden_input.py
@@ -18,7 +18,7 @@ Close properly the <input /> tag

 import ZTUtils.Zope
 from ZTUtils.Zope import complex_marshal
-import cgi
+from Products.PythonScripts.standard import html_quote
 from Products.ERP5Type.Utils import ensure_list

 def make_hidden_input(*args, **kwargs):
@@ -39,7 +39,7 @@ def make_hidden_input(*args, **kwargs):
      d.update(arg)
  d.update(kwargs)

-  hq = lambda x:cgi.escape(x, quote=True)
+  hq = lambda x: html_quote(x)
  qlist = complex_marshal(ensure_list(d.items()))
  for i in range(len(qlist)):
      k, m, v = qlist[i]

--- a/product/Formulator/Widget.py
+++ b/product/Formulator/Widget.py
@@ -6,7 +6,7 @@ import string
 from .DummyField import fields
 from DocumentTemplate.DT_Util import html_quote
 from DateTime import DateTime, Timezones
-from cgi import escape
+from Products.PythonScripts.standard import html_quote
 import types
 from DocumentTemplate.ustr import ustr
 from six.moves.urllib.parse import urljoin
@@ -441,7 +441,7 @@ class TextWidget(Widget):
      old_value = [str(value)]
    value = []
    for line in old_value:
-      value.append(escape(line))
+      value.append(html_quote(line))
    value = '<br/>'.join(value)

    extra = field.get_value('extra')
@@ -686,7 +686,7 @@ class TextAreaWidget(Widget):
                value = str(value)
            value = value.split('\n')
        line_separator = '<br/>'
-        value_list = [escape(part).replace('\n', line_separator) for part in value]
+        value_list = [html_quote(part).replace('\n', line_separator) for part in value]
        value = line_separator.join(value_list)
        return render_element("div",
                              css_class=field.get_value('css_class'),
@@ -751,7 +751,7 @@ class LinesTextAreaWidget(TextAreaWidget):
      value = value.split('\n')
    line_separator = field.get_value('view_separator')

-    value_list = [escape(convertToString(part)).replace('\n', line_separator) for part in value]
+    value_list = [html_quote(convertToString(part)).replace('\n', line_separator) for part in value]
    value = line_separator.join(value_list)
    return render_element("div",
                          css_class=field.get_value('css_class'),
@@ -898,14 +898,14 @@ class SingleItemsWidget(ItemsWidget):
        item_value = item

      if item_value == value and not selected_found:
-        rendered_item = self.render_selected_item(escape(ustr(item_text)),
+        rendered_item = self.render_selected_item(html_quote(ustr(item_text)),
                                                  item_value,
                                                  key,
                                                  css_class,
                                                  extra_item)
        selected_found = 1
      else:
-        rendered_item = self.render_item(escape(ustr(item_text)),
+        rendered_item = self.render_item(html_quote(ustr(item_text)),
                                          item_value,
                                          key,
                                          css_class,
@@ -915,7 +915,7 @@ class SingleItemsWidget(ItemsWidget):

    # XXX We want to make sure that we always have the current value in items. -yo
    if not selected_found and value:
-      value = escape(ustr(value))
+      value = html_quote(ustr(value))
      rendered_item = self.render_selected_item('??? (%s)' % value,
                                                value,
                                                key,
@@ -934,7 +934,7 @@ class SingleItemsWidget(ItemsWidget):
        return ''
    title_list = [x[0] for x in field.get_value("items", REQUEST=REQUEST) if x[1]==value]
    if len(title_list) == 0:
-      return "??? (%s)" % escape(value)
+      return "??? (%s)" % html_quote(value)
    else:
      return title_list[0]
    return value
@@ -1029,7 +1029,7 @@ class MultiItemsWidget(ItemsWidget):

      if item_value in value:
        rendered_item = self.render_selected_item(
-            escape(ustr(item_text)),
+            html_quote(ustr(item_text)),
            item_value,
            key,
            css_class,
@@ -1039,7 +1039,7 @@ class MultiItemsWidget(ItemsWidget):
        selected_found[index] = 1
      else:
        rendered_item = self.render_item(
-            escape(ustr(item_text)),
+            html_quote(ustr(item_text)),
            item_value,
            key,
            css_class,
@@ -1050,7 +1050,7 @@ class MultiItemsWidget(ItemsWidget):
    for index in range(len(value)):
      v = value[index]
      if index not in selected_found and v:
-        v = escape(v)
+        v = html_quote(v)
        rendered_item = self.render_selected_item('??? (%s)' % v,
                                                  v,
                                                  key,

--- a/product/HBTreeFolder2/HBTreeFolder2.py
+++ b/product/HBTreeFolder2/HBTreeFolder2.py
@@ -13,7 +13,7 @@
 ##############################################################################

 import operator
-from cgi import escape
+from Products.PythonScripts.standard import html_quote
 from itertools import chain, islice
 import six
 try:
@@ -309,8 +309,8 @@ class HBTreeFolder2Base (Persistent):

        formatted = [listtext0 % pref_rows]
        for optID in islice(self.objectIds(), b_start - 1, b_end):
-            optID = escape(optID)
-            formatted.append(listtext1 % (escape(optID, quote=1), optID))
+            optID = html_quote(optID)
+            formatted.append(listtext1 % (html_quote(optID), optID))
        formatted.append(listtext2)
        return {'b_start': b_start, 'b_end': b_end,
                'prev_batch_url': prev_url,

--- a/product/PortalTransforms/transforms/safe_html.py
+++ b/product/PortalTransforms/transforms/safe_html.py
@@ -3,7 +3,7 @@ from six import unichr
 from zLOG import ERROR
 from six.moves.html_parser import HTMLParser
 import re
-from cgi import escape
+from Products.PythonScripts.standard import html_quote
 import codecs

 from Products.PortalTransforms.interfaces import ITransform
@@ -220,7 +220,7 @@ class StrippingParser(HTMLParser):

    def handle_data(self, data):
        if self.suppress: return
-        data = escape(data)
+        data = html_quote(data)
        if self.original_charset and isinstance(data, str):
            data = data.decode(self.original_charset)
        self.result.append(data)
@@ -294,7 +294,7 @@ class StrippingParser(HTMLParser):
                            self.original_charset = charset
                        v = charset_parser.sub(
                            CharsetReplacer(self.default_encoding), v)
-                    self.result.append(' %s="%s"' % (k, escape(v, True)))
+                    self.result.append(' %s="%s"' % (k, html_quote(v, True)))

            #UNUSED endTag = '</%s>' % tag
            if safeToInt(self.valid.get(tag)):