[Collective-checkins] r252667 - in cornerstone.browser/trunk: . src/cornerstone/browser

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Author: jensens
Date: Wed Oct 30 16:53:22 2013
New Revision: 252667

Modified:
   cornerstone.browser/trunk/setup.py
   cornerstone.browser/trunk/src/cornerstone/browser/form.py
Log:
some xss protection

Modified: cornerstone.browser/trunk/setup.py
==============================================================================

--- cornerstone.browser/trunk/setup.py	(original)
+++ cornerstone.browser/trunk/setup.py	Wed Oct 30 16:53:22 2013
@@ -9,7 +9,7 @@
 from setuptools import setup, find_packages
 import sys, os
 
-version = '1.3.2'
+version = '1.3.3'
 shortdesc = "Common browser utils for ZOPE"
 longdesc = open(os.path.join(os.path.dirname(__file__), 'README.txt')).read()
 
@@ -50,4 +50,4 @@
       },      
       entry_points="""
       """,
-      )
\ No newline at end of file
+      )

Modified: cornerstone.browser/trunk/src/cornerstone/browser/form.py
==============================================================================
--- cornerstone.browser/trunk/src/cornerstone/browser/form.py	(original)
+++ cornerstone.browser/trunk/src/cornerstone/browser/form.py	Wed Oct 30 16:53:22 2013
@@ -2,6 +2,7 @@
 from ZPublisher.HTTPRequest import FileUpload
 from base import XBrowserView
 from tmpl import HTMLRendererMixin
+from cgi import escape
 
 class FormRenderer(XBrowserView, HTMLRendererMixin):
     """An abstract form renderer and processor for repoze.formapi.
@@ -32,7 +33,7 @@
         payload = self._tag('input',
                             type='text',
                             name=name,
-                            value=value)
+                            value=escape(value))
         return self.wraperror(name, payload)
     
     def selectioninput(self, name, vocab, multiple=None):
@@ -53,7 +54,7 @@
         cbkw = {
             'type': 'checkbox',
             'name': name,
-            'value': value,
+            'value': escape(value),
         }
         if not isinstance(fod, list):
             fod = [fod]
@@ -69,7 +70,7 @@
         cbkw = {
             'type': 'radio',
             'name': name,
-            'value': value,
+            'value': escape(value),
         }
         if default == value:
             cbkw['checked'] = 'checked'
@@ -81,7 +82,7 @@
         if not value:
             value = ''
         payload = self._tag('textarea',
-                            value,
+                            escape(value),
                             name=name,
                             **kw)
         return self.wraperror(name, payload)
@@ -99,7 +100,7 @@
         return self.wraperror(name, payload)
     
     def hiddeninput(self, name, value):
-        return self._tag('input', type='hidden', name=name, value=value)
+        return self._tag('input', type='hidden', name=name, value=escape(value))
     
     def displayinput(self, name):
         value = self.formvalueordefault(name)
@@ -107,7 +108,7 @@
             return u''
         return self._tag('span',
                          self._tag('span', value),
-                         self.hiddeninput(name, value),
+                         self.hiddeninput(name, escape(value)),
                          class_='displayinput')
     
     def renderedaction(self, name, multisubmit=False):
@@ -171,4 +172,4 @@
             setattr(self.form, '_context', self.context)
             if self.form.validate():
                 self.form()
-                self.succeed = True
\ No newline at end of file
+                self.succeed = True


