0001-template-escape-substitution-variables-7860.patch
tests/test_fields.py | ||
---|---|---|
128 | 128 |
field.add_to_form(form) |
129 | 129 |
assert '<p>Foobar</p>' in str(form.render()) |
130 | 130 | |
131 |
# test for proper escaping of substitution variables |
|
132 |
field = fields.CommentField(label='[foo]') |
|
133 |
form = Form() |
|
134 |
field.add_to_form(form) |
|
135 |
assert '<p>1 < 3</p>' in str(form.render()) |
|
136 | ||
131 | 137 |
# test for html content |
132 | 138 |
field = fields.CommentField(label='<p>Foobar</p>') |
133 | 139 |
form = Form() |
tests/test_prefill.py | ||
---|---|---|
57 | 57 | |
58 | 58 | |
59 | 59 |
def test_prefill_formula_substition_variable(): |
60 |
pub.substitutions.get_context_variables = lambda: {'test': 'value'} |
|
60 |
pub.substitutions.get_context_variables = lambda escape: {'test': 'value'}
|
|
61 | 61 |
field = fields.Field() |
62 | 62 |
field.prefill = {'type': 'formula', 'value': 'test'} |
63 | 63 |
wcs/data_sources.py | ||
---|---|---|
104 | 104 |
# - three elements, (id, text, key) |
105 | 105 |
# - two elements, (id, text) |
106 | 106 |
# - a single element, (id,) |
107 |
vars = get_publisher().substitutions.get_context_variables() |
|
107 |
vars = get_publisher().substitutions.get_context_variables(escape=False)
|
|
108 | 108 |
try: |
109 | 109 |
value = eval(data_source.get('value'), vars, data_source_functions) |
110 | 110 |
if not isinstance(value, collections.Iterable): |
... | ... | |
136 | 136 |
get_logger().warn('Empty URL in JSON data source') |
137 | 137 |
return [] |
138 | 138 |
if '[' in url: |
139 |
vars = get_publisher().substitutions.get_context_variables() |
|
139 |
vars = get_publisher().substitutions.get_context_variables(escape=False)
|
|
140 | 140 |
url = get_variadic_url(url, vars) |
141 | 141 |
charset = get_publisher().site_charset |
142 | 142 |
try: |
wcs/fields.py | ||
---|---|---|
257 | 257 |
try: |
258 | 258 |
ret = eval(formula, |
259 | 259 |
get_publisher().get_global_eval_dict(), |
260 |
get_publisher().substitutions.get_context_variables()) |
|
260 |
get_publisher().substitutions.get_context_variables(escape=False))
|
|
261 | 261 |
if ret: |
262 | 262 |
return str(ret) |
263 | 263 |
except: |
... | ... | |
453 | 453 |
label = self.label |
454 | 454 | |
455 | 455 |
import wcs.workflows |
456 |
label = wcs.workflows.template_on_string(label) |
|
456 |
label = wcs.workflows.template_on_string(label, |
|
457 |
process=wcs.workflows.html_process) |
|
457 | 458 | |
458 | 459 |
if '<p' in label: |
459 | 460 |
enclosing_tag = 'div' |
... | ... | |
1178 | 1179 |
return True |
1179 | 1180 | |
1180 | 1181 |
from formdata import get_dict_with_varnames |
1181 |
data = get_publisher().substitutions.get_context_variables() |
|
1182 |
data = get_publisher().substitutions.get_context_variables(escape=False)
|
|
1182 | 1183 | |
1183 | 1184 |
# create variables with values currently being evaluated, not yet |
1184 | 1185 |
# available in the formdata |
wcs/forms/root.py | ||
---|---|---|
438 | 438 |
if self.formdef.is_disabled(): |
439 | 439 |
if self.formdef.disabled_redirection: |
440 | 440 |
return misc.get_variadic_url(self.formdef.disabled_redirection, |
441 |
get_publisher().substitutions.get_context_variables()) |
|
441 |
get_publisher().substitutions.get_context_variables(escape=False))
|
|
442 | 442 |
else: |
443 | 443 |
raise errors.AccessForbiddenError() |
444 | 444 |
return False |
wcs/qommon/admin/texts.py | ||
---|---|---|
45 | 45 |
if text[0] != '<': |
46 | 46 |
text = '<p>%s</p>' % text |
47 | 47 | |
48 |
subst_vars = get_publisher().substitutions.get_context_variables() |
|
48 |
subst_vars = get_publisher().substitutions.get_context_variables(escape=True)
|
|
49 | 49 |
if vars: |
50 | 50 |
subst_vars.update(vars) |
51 | 51 |
wcs/qommon/emails.py | ||
---|---|---|
66 | 66 |
mail_subject_template = ezt.Template(compress_whitespace = False) |
67 | 67 |
mail_subject_template.parse(subject) |
68 | 68 | |
69 |
data = get_publisher().substitutions.get_context_variables() |
|
69 |
data = get_publisher().substitutions.get_context_variables(escape=False)
|
|
70 | 70 |
if mail_body_data: |
71 | 71 |
data.update(mail_body_data) |
72 | 72 |
wcs/qommon/form.py | ||
---|---|---|
1635 | 1635 |
'searching': _('Searching...')}) |
1636 | 1636 | |
1637 | 1637 |
if '[' in self.url: |
1638 |
vars = get_publisher().substitutions.get_context_variables() |
|
1638 |
vars = get_publisher().substitutions.get_context_variables(escape=False)
|
|
1639 | 1639 |
url = misc.get_variadic_url(self.url, vars, encode_query=False) |
1640 | 1640 |
else: |
1641 | 1641 |
url = self.url |
... | ... | |
1734 | 1734 |
get_response().add_css_include('../js/smoothness/jquery-ui-1.10.0.custom.min.css') |
1735 | 1735 | |
1736 | 1736 |
if '[' in self.url: |
1737 |
vars = get_publisher().substitutions.get_context_variables() |
|
1737 |
vars = get_publisher().substitutions.get_context_variables(escape=False)
|
|
1738 | 1738 |
url = misc.get_variadic_url(self.url, vars, encode_query=False) |
1739 | 1739 |
else: |
1740 | 1740 |
url = self.url |
wcs/qommon/ident/idp.py | ||
---|---|---|
137 | 137 | |
138 | 138 |
if not get_request().user or not get_session().name_identifier: |
139 | 139 |
if get_cfg('saml_identities', {}).get('registration-url'): |
140 |
vars = get_publisher().substitutions.get_context_variables() |
|
140 |
vars = get_publisher().substitutions.get_context_variables(escape=False)
|
|
141 | 141 |
vars['next_url'] = get_request().get_frontoffice_url() |
142 | 142 |
registration_url = misc.get_variadic_url( |
143 | 143 |
get_cfg('saml_identities', {}).get('registration-url'), |
wcs/qommon/substitution.py | ||
---|---|---|
14 | 14 |
# You should have received a copy of the GNU General Public License |
15 | 15 |
# along with this program; if not, see <http://www.gnu.org/licenses/>. |
16 | 16 | |
17 |
import cgi |
|
18 | ||
17 | 19 |
from quixote.html import htmltext, TemplateIO |
18 | 20 | |
19 | 21 |
class Substitutions(object): |
... | ... | |
52 | 54 |
return |
53 | 55 |
self.sources.append(source) |
54 | 56 | |
55 |
def get_context_variables(self): |
|
57 |
def get_context_variables(self, escape=True):
|
|
56 | 58 |
d = {} |
57 | 59 |
for source in self.sources: |
58 | 60 |
d.update(source.get_substitution_variables()) |
61 |
if escape: |
|
62 |
for var_key, var_value in d.items(): |
|
63 |
if isinstance(var_value, basestring): |
|
64 |
d[var_key] = cgi.escape(var_value) |
|
65 |
else: |
|
66 |
d[var_key] = var_value |
|
59 | 67 |
return d |
60 | 68 | |
61 | 69 |
def get_substitution_html_table(cls): |
wcs/qommon/template.py | ||
---|---|---|
438 | 438 |
breadcrumb = ' <span class="separator">></span> '.join(s) |
439 | 439 | |
440 | 440 |
vars = response.filter.copy() |
441 |
vars.update(get_publisher().substitutions.get_context_variables()) |
|
441 |
vars.update(get_publisher().substitutions.get_context_variables(escape=True))
|
|
442 | 442 |
vars.update(locals()) |
443 | 443 |
fd = StringIO() |
444 | 444 |
template.generate(fd, vars) |
wcs/wf/jump.py | ||
---|---|---|
194 | 194 |
must_jump = True |
195 | 195 | |
196 | 196 |
if self.condition: |
197 |
variables = get_publisher().substitutions.get_context_variables() |
|
197 |
variables = get_publisher().substitutions.get_context_variables(escape=False)
|
|
198 | 198 |
try: |
199 | 199 |
must_jump = eval(self.condition, get_publisher().get_global_eval_dict(), variables) |
200 | 200 |
except: |
wcs/wf/wscall.py | ||
---|---|---|
59 | 59 |
return |
60 | 60 |
url = self.url |
61 | 61 |
if '[' in url: |
62 |
variables = get_publisher().substitutions.get_context_variables() |
|
62 |
variables = get_publisher().substitutions.get_context_variables(escape=False)
|
|
63 | 63 |
url = get_variadic_url(url, variables) |
64 | 64 | |
65 | 65 |
if self.request_signature_key: |
wcs/workflows.py | ||
---|---|---|
15 | 15 |
# along with this program; if not, see <http://www.gnu.org/licenses/>. |
16 | 16 | |
17 | 17 |
from qommon import ezt |
18 |
import cgi |
|
18 | 19 |
from cStringIO import StringIO |
19 | 20 |
import copy |
20 | 21 |
import xml.etree.ElementTree as ET |
... | ... | |
826 | 827 |
return var |
827 | 828 |
if not var.startswith('='): |
828 | 829 |
return var |
829 |
vars = get_publisher().substitutions.get_context_variables() |
|
830 |
vars = get_publisher().substitutions.get_context_variables(escape=False)
|
|
830 | 831 |
try: |
831 | 832 |
return eval(var[1:], get_publisher().get_global_eval_dict(), vars) |
832 | 833 |
except: |
... | ... | |
1356 | 1357 |
if not '[' in template: |
1357 | 1358 |
return template |
1358 | 1359 |
dict = {} |
1359 |
dict.update(get_publisher().substitutions.get_context_variables()) |
|
1360 |
dict.update(get_publisher().substitutions.get_context_variables(escape=False))
|
|
1360 | 1361 |
if formdata: |
1361 | 1362 |
dict['url'] = formdata.get_url() |
1362 | 1363 |
dict['url_status'] = '%sstatus' % formdata.get_url() |
... | ... | |
1462 | 1463 |
tmpl.parse(self.message) |
1463 | 1464 | |
1464 | 1465 |
dict = {} |
1465 |
dict.update(get_publisher().substitutions.get_context_variables()) |
|
1466 |
dict.update(get_publisher().substitutions.get_context_variables(escape=True))
|
|
1466 | 1467 |
dict['date'] = misc.localstrftime(filled.receipt_time) |
1467 | 1468 |
dict['number'] = filled.id |
1468 | 1469 |
handling_role = filled.get_handling_role() |
... | ... | |
1590 | 1591 |
return None |
1591 | 1592 |
return str2rtf(unicode(str(value), get_publisher().site_charset)) |
1592 | 1593 | |
1594 |
def html_process(value): |
|
1595 |
if not isinstance(value, basestring): |
|
1596 |
return value |
|
1597 |
return cgi.escape(value) |
|
1598 | ||
1593 | 1599 |
class ExportToModel(WorkflowStatusItem): |
1594 | 1600 |
description = N_('Create Document') |
1595 | 1601 |
key = 'export_to_model' |
1596 |
- |