From: Jens W. K. <svn...@pl...> - 2013-10-30 16:53:31
Author: jensens Date: Wed Oct 30 16:53:22 2013 New Revision: 252667 Modified: cornerstone.browser/trunk/setup.py cornerstone.browser/trunk/src/cornerstone/browser/form.py Log: some xss protection Modified: cornerstone.browser/trunk/setup.py ============================================================================== --- cornerstone.browser/trunk/setup.py (original) +++ cornerstone.browser/trunk/setup.py Wed Oct 30 16:53:22 2013 @@ -9,7 +9,7 @@ from setuptools import setup, find_packages import sys, os -version = '1.3.2' +version = '1.3.3' shortdesc = "Common browser utils for ZOPE" longdesc = open(os.path.join(os.path.dirname(__file__), 'README.txt')).read() @@ -50,4 +50,4 @@ }, entry_points=""" """, - ) \ No newline at end of file + ) Modified: cornerstone.browser/trunk/src/cornerstone/browser/form.py ============================================================================== --- cornerstone.browser/trunk/src/cornerstone/browser/form.py (original) +++ cornerstone.browser/trunk/src/cornerstone/browser/form.py Wed Oct 30 16:53:22 2013 @@ -2,6 +2,7 @@ from ZPublisher.HTTPRequest import FileUpload from base import XBrowserView from tmpl import HTMLRendererMixin +from cgi import escape class FormRenderer(XBrowserView, HTMLRendererMixin): """An abstract form renderer and processor for repoze.formapi. @@ -32,7 +33,7 @@ payload = self._tag('input', type='text', name=name, - value=value) + value=escape(value)) return self.wraperror(name, payload) def selectioninput(self, name, vocab, multiple=None): @@ -53,7 +54,7 @@ cbkw = { 'type': 'checkbox', 'name': name, - 'value': value, + 'value': escape(value), } if not isinstance(fod, list): fod = [fod] @@ -69,7 +70,7 @@ cbkw = { 'type': 'radio', 'name': name, - 'value': value, + 'value': escape(value), } if default == value: cbkw['checked'] = 'checked' @@ -81,7 +82,7 @@ if not value: value = '' payload = self._tag('textarea', - value, + escape(value), name=name, **kw) return self.wraperror(name, payload) 
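Review bot: `from cgi import escape` brings in a helper whose default `quote=False` leaves double quotes untouched, and every call this commit adds feeds the result into an HTML attribute value, so a single quote-aware wrapper next to the import would make the safe form the only form: `def _escape(value): return escape(value, True)`. `cgi.escape` was also deprecated in Python 3.2 and removed in 3.8 (`html.escape`, which quotes by default, is the replacement), so a one-line wrapper isolates that migration as well. The FormRenderer class body that follows this hunk continues outside it.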
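Review bot: `value=escape(value)` on the new line escapes `<`, `>` and `&` but not `"`, because `cgi.escape` defaults to `quote=False`; the string then lands inside a quoted `value="..."` attribute, so a value containing `"` can still close the attribute and inject further attributes or handlers, and the line should read `value=escape(value, True)`. Whether `_tag` quotes or escapes attribute values itself is not visible in this hunk; if it does, the added escape is redundant rather than harmful, but if it does not, `quote=True` is required. If `value` can be `None` or a non-string here (not visible either), `cgi.escape` raises `AttributeError`, so that guard is worth confirming. The enclosing textinput method starts before this hunk.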
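Review bot: `'value': escape(value)` in the checkbox keyword dict still leaves `"` unescaped (cgi.escape's default `quote=False`), and that string becomes a quoted `value` attribute through `_tag`, so it should be `'value': escape(value, True)`. Vocabulary values that are not strings (integer keys are common for checkbox vocabularies) would make `cgi.escape` raise `AttributeError`; the vocab type is not visible in the hunk, so that is worth checking before release. The enclosing method and its loop begin before this hunk.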
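Review bot: `'value': escape(value)` for the radio button has the same gap as the other attribute sites in this commit: `cgi.escape` without `quote=True` leaves `"` intact, so a value containing `"` can still break out of the generated `value="..."` attribute; use `'value': escape(value, True)`. The `if default == value:` comparison two lines below is unaffected since the local `value` is not rebound, which is the right way round. Non-string vocabulary values would raise `AttributeError` inside `cgi.escape`; whether they occur is not visible here. The enclosing method begins before this hunk.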
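Review bot: `escape(value)` as the textarea body is correct for element content, but the attributes built from `name=name, **kw` on the following lines reach `_tag` unescaped; if any caller passes request-derived values through `kw` (not visible here), those need `escape(..., True)` as well. The `if not value: value = ''` guard covers `None`, yet a truthy non-string value would still make `cgi.escape` raise `AttributeError`, so the type of `value` at this point should be confirmed. The enclosing method starts before this hunk.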
@@ -99,7 +100,7 @@ return self.wraperror(name, payload) def hiddeninput(self, name, value): - return self._tag('input', type='hidden', name=name, value=value) + return self._tag('input', type='hidden', name=name, value=escape(value)) def displayinput(self, name): value = self.formvalueordefault(name) @@ -107,7 +108,7 @@ return u'' return self._tag('span', self._tag('span', value), - self.hiddeninput(name, value), + self.hiddeninput(name, escape(value)), class_='displayinput') def renderedaction(self, name, multisubmit=False): @@ -171,4 +172,4 @@ setattr(self.form, '_context', self.context) if self.form.validate(): self.form() - self.succeed = True \ No newline at end of file + self.succeed = True |
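Review bot: the new `value=escape(value)` in hiddeninput does not escape `"` (cgi.escape defaults to `quote=False`), and the result is emitted as a quoted `value` attribute, so a value containing `"` can still terminate the attribute; it should be `value=escape(value, True)`. Hidden fields frequently carry non-string values such as ints or the form's own tokens, which `cgi.escape` rejects with `AttributeError`; whether such values reach this method is not visible in the hunk. Because hiddeninput now escapes internally, callers must pass the raw value — displayinput later in this same commit passes an already-escaped value, so `&` would round-trip through the form as `&amp;`.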
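Review bot: `self.hiddeninput(name, escape(value))` double-encodes, since the hiddeninput this commit changes already calls `escape` on its argument; a stored `&` comes back from the browser as `&amp;`, so the line should pass the raw value, `self.hiddeninput(name, value),`. Meanwhile the visible text on the line above it, `self._tag('span', value)`, is left unescaped and is the one place in this method where untrusted text is rendered as element content, so it should become `self._tag('span', escape(value)),` unless `_tag` escapes its children itself, which is not visible here. displayinput's signature sits in the preceding hunk, and the `if` that yields `return u''` falls between the two hunks.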