Ticket #2580: rss_html_escape.diff
| File rss_html_escape.diff, 15.9 KB (added by cboos, 3 years ago) |
|---|
-
trac/db_default.py
1 1 # -*- coding: utf-8 -*- 2 2 # 3 # Copyright (C) 2003-200 5Edgewall Software3 # Copyright (C) 2003-2006 Edgewall Software 4 4 # Copyright (C) 2003-2005 Daniel Lundin <daniel@edgewall.com> 5 # Copyright (C) 2005-2006 Christian Boos <cboos@neuf.fr> 5 6 # All rights reserved. 6 7 # 7 8 # This software is licensed as described in the file COPYING, which … … 394 395 ('trac', 'metanav', 'login,logout,settings,help,about'), 395 396 ('trac', 'mainnav', 'wiki,timeline,roadmap,browser,tickets,newticket,search'), 396 397 ('trac', 'permission_store', 'DefaultPermissionStore'), 398 ('trac', 'rss_escape_html', 'false'), 397 399 ('logging', 'log_type', 'none'), 398 400 ('logging', 'log_file', 'trac.log'), 399 401 ('logging', 'log_level', 'DEBUG'), -
trac/ticket/web_ui.py
240 240 yield ('ticket_details', 'Ticket details', False) 241 241 242 242 def get_timeline_events(self, req, start, stop, filters): 243 rss = req.args.get('format') == 'rss' # Kludge243 format = req.args.get('format') 244 244 245 245 status_map = {'new': ('newticket', 'created'), 246 246 'reopened': ('newticket', 'reopened'), … … 268 268 kind, verb = status_map[status] 269 269 title = util.Markup('Ticket <em title="%s">#%s</em> (%s) %s by %s', 270 270 summary, id, type, verb, author) 271 href = rss and self.env.abs_href.ticket(id)\272 orself.env.href.ticket(id)271 href = format == 'rss' and self.env.abs_href.ticket(id) or \ 272 self.env.href.ticket(id) 273 273 274 274 if status == 'new': 275 message = util.escape(summary)275 message = summary 276 276 else: 277 277 message = util.Markup(info) 278 278 if comment: 279 if rss:279 if format == 'rss': 280 280 message += wiki_to_html(comment, self.env, req, db, 281 281 absurls=True) 282 282 else: -
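Review bot: The new-ticket branch of `get_timeline_events` now assigns `message = summary` without `util.escape`, so the reporter-controlled summary leaves this provider as a plain string while the other branch still yields `util.Markup(info)`. That is only safe if every consumer escapes non-Markup values; on the RSS path `rss_escape_html` (trac/util.py in this patch) returns `str(text)` unchanged for a plain string, so the escaping has to happen where the value is written into the template data. I would state that contract at the assignment, e.g. `# plain str on purpose: escaped by the consumer, must never be wrapped in Markup unescaped`. The function body continues outside the hunk.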
trac/ticket/report.py
1 1 # -*- coding: iso-8859-1 -*- 2 2 # 3 # Copyright (C) 2003-200 5Edgewall Software3 # Copyright (C) 2003-2006 Edgewall Software 4 4 # Copyright (C) 2003-2004 Jonas Borgstr�jonas@edgewall.com> 5 # Copyright (C) 2006 Christian Boos <cboos@neuf.fr> 5 6 # All rights reserved. 6 7 # 7 8 # This software is licensed as described in the file COPYING, which … … 254 255 255 256 title, description, sql = self.get_info(db, id, args) 256 257 257 if req.args.get('format') == 'sql': 258 format = req.args.get('format') 259 if format == 'sql': 258 260 self._render_sql(req, id, title, description, sql) 259 261 return 260 262 … … 344 346 id_val = row[id_cols[0]] 345 347 value['ticket_href'] = self.env.href.ticket(id_val) 346 348 elif column == 'description': 347 value['parsed'] = wiki_to_html(cell, self.env, req, db) 349 descr = wiki_to_html(cell, self.env, req, db, 350 absurls=(format == 'rss')) 351 if format == 'rss': 352 descr = util.rss_escape_html(descr, self.config) 353 value['parsed'] = descr 348 354 elif column == 'reporter' and cell.find('@') != -1: 349 355 value['rss'] = cell 350 356 elif column == 'report': … … 363 369 row_idx += 1 364 370 req.hdf['report.numrows'] = row_idx 365 371 366 format = req.args.get('format')367 372 if format == 'rss': 368 self._render_rss(req)369 373 return 'report_rss.cs', 'application/rss+xml' 370 374 elif format == 'csv': 371 375 self._render_csv(req, cols, rows) … … 480 484 .replace('\r',' ') 481 485 req.write(sep.join(map(sanitize, row)) + '\r\n') 482 486 483 def _render_rss(self, req):484 # Escape HTML in the ticket summaries485 item = req.hdf.getObj('report.items')486 if item:487 item = item.child()488 while item:489 for col in ('summary', 'description.parsed'):490 nodename = 'report.items.%s.%s' % (item.name(), col)491 value = req.hdf.get(nodename, '')492 req.hdf[nodename] = value493 item = item.next()494 495 487 def _render_sql(self, req, id, title, description, sql): 496 488 req.perm.assert_permission('REPORT_SQL_VIEW') 497 489 
req.send_response(200) -
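Review bot: Only the `description` column gets RSS handling in the new inline code, whereas the removed `_render_rss` walked both `'summary'` and `'description.parsed'` and wrote each value back through `req.hdf`. If that write-back was what escaped the values (I cannot confirm this from the page), ticket summaries in report feeds lose that step. It is worth confirming that `report_rss.cs` escapes the summary itself, and adding a comment in the `description` branch such as `# summary is left as plain text; the template escapes it`. As a style point, the local `format` shadows the builtin; `fmt` would avoid that.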
trac/ticket/roadmap.py
316 316 title = Markup('Milestone <em>%s</em> completed', name) 317 317 if format == 'rss': 318 318 href = self.env.abs_href.milestone(name) 319 message = wiki_to_html(description or '--', self.env,320 req, db,absurls=True)319 message = wiki_to_html(description, self.env, db, 320 absurls=True) 321 321 else: 322 322 href = self.env.href.milestone(name) 323 323 message = wiki_to_oneliner(description, self.env, db, 324 324 shorten=True) 325 yield 'milestone', href, title, completed, None, message 325 yield 'milestone', href, title, completed, None, message or '--' 326 326 327 327 # IRequestHandler methods 328 328 -
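Review bot: The RSS branch now calls `wiki_to_html(description, self.env, db, absurls=True)`, dropping the `req` argument that the replaced line and every other `wiki_to_html` call in this patch pass third, so `db` lands in the `req` position. It looks copied from the `wiki_to_oneliner` call below, which takes no `req`; the line should read `message = wiki_to_html(description, self.env, req, db, absurls=True)`. Moving the `'--'` fallback to the `yield` also means an empty or missing `description` now reaches the formatter, so check that it accepts `None`. The enclosing generator starts and ends outside the hunk.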
trac/ticket/query.py
1 1 # -*- coding: iso-8859-1 -*- 2 2 # 3 # Copyright (C) 2004-200 5Edgewall Software3 # Copyright (C) 2004-2006 Edgewall Software 4 4 # Copyright (C) 2004-2005 Christopher Lenz <cmlenz@gmx.de> 5 # Copyright (C) 2005-2006 Christian Boos <cboos@neuf.fr> 5 6 # All rights reserved. 6 7 # 7 8 # This software is licensed as described in the file COPYING, which … … 21 22 from trac.perm import IPermissionRequestor 22 23 from trac.ticket import Ticket, TicketSystem 23 24 from trac.util import escape, unescape, format_datetime, http_date, \ 24 shorten_line, CRLF, Markup 25 shorten_line, CRLF, Markup, rss_escape_html 25 26 from trac.web import IRequestHandler 26 27 from trac.web.chrome import add_link, add_stylesheet, INavigationContributor 27 28 from trac.wiki import wiki_to_html, wiki_to_oneliner, IWikiMacroProvider, \ … … 590 591 result['href'] = self.env.abs_href.ticket(result['id']) 591 592 if result['reporter'].find('@') == -1: 592 593 result['reporter'] = '' 593 if result['description']:594 # str() cancels out the Markup() returned by wiki_to_html595 result['description'] = str(wiki_to_html(result['description'] or '',596 self.env, req, db,597 absurls=1))598 594 if result['time']: 599 595 result['time'] = http_date(result['time']) 596 if result['description']: 597 result['description'] = rss_escape_html(result['description'], 598 self.config) 600 599 req.hdf['query.results'] = results 601 600 req.hdf['query.href'] = self.env.abs_href.query(group=query.group, 602 601 groupdesc=query.groupdesc and 1 or None, -
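Review bot: `rss_escape_html(result['description'], self.config)` is now applied to the stored description directly, since the `wiki_to_html` call was removed, and for any value that is not `Markup` the helper returns `str(text)` unchanged regardless of the `rss_escape_html` setting. Assuming the column holds a plain string, the call neither strips nor escapes anything, and the feed carries unrendered wiki text whose escaping rests entirely on the template layer. If rendered HTML is intended, keep the conversion and pass its result to the helper: `rss_escape_html(wiki_to_html(result['description'], self.env, req, db, absurls=True), self.config)`. Otherwise drop the no-op call and add a comment that the description is emitted as plain text. The surrounding loop starts outside the hunk.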
trac/versioncontrol/web_ui/util.py
1 1 # -*- coding: iso-8859-1 -*- 2 2 # 3 # Copyright (C) 2003-200 5Edgewall Software3 # Copyright (C) 2003-2006 Edgewall Software 4 4 # Copyright (C) 2003-2005 Jonas Borgstr�jonas@edgewall.com> 5 # Copyright (C) 2005-2006 Christian Boos <cboos@neuf.fr> 5 6 # All rights reserved. 6 7 # 7 8 # This software is licensed as described in the file COPYING, which … … 13 14 # history and logs, available at http://projects.edgewall.com/trac/. 14 15 # 15 16 # Author: Jonas Borgstr�jonas@edgewall.com> 17 # Christian Boos <cboos@neuf.fr> 16 18 17 19 import re 18 20 import urllib 19 21 20 22 from trac.util import escape, format_datetime, pretty_timedelta, shorten_line, \ 21 TracError, Markup 23 TracError, Markup, rss_escape_html 22 24 from trac.wiki import wiki_to_html, wiki_to_oneliner 23 25 24 26 __all__ = ['get_changes', 'get_path_links', 'get_path_rev_line', … … 30 32 for rev in revs: 31 33 changeset = repos.get_changeset(rev) 32 34 message = changeset.message or '--' 33 files = None35 shortlog = wiki_to_oneliner(message, env, db, shorten=True) 34 36 if format == 'changelog': 35 37 files = [change[0] for change in changeset.get_changes()] 36 elif message: 37 if not full: 38 message = wiki_to_oneliner(message, env, db, 39 shorten=True) 40 else: 41 message = wiki_to_html(message, env, req, db, 42 absurls=(format == 'rss'), 43 escape_newlines=True) 44 if not message: 45 message = '--' 38 else: 39 files = None 40 message = full and wiki_to_html(message, env, req, db, 41 absurls=(format == 'rss'), 42 escape_newlines=True) or shortlog 43 if format == 'rss': 44 shortlog = rss_escape_html(shortlog) 45 message = rss_escape_html(message, env.config) 46 46 changes[rev] = { 47 47 'date_seconds': changeset.date, 48 48 'date': format_datetime(changeset.date), 49 49 'age': pretty_timedelta(changeset.date), 50 50 'author': changeset.author or 'anonymous', 51 51 'message': message, 52 'shortlog': short en_line(message),52 'shortlog': shortlog, 53 53 'files': files 54 54 } 55 55 return 
changes -
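Review bot: `message = full and wiki_to_html(...) or shortlog` falls back to `shortlog` whenever the rendered message is falsy, not only when `full` is false; an explicit `if full:` / `else:` would state the intent. The page has lost indentation, so I cannot tell whether this assignment sits inside the `else:`. If it does not, `format == 'changelog'` output, which previously kept the raw commit message, now receives wiki-rendered text. `rss_escape_html(shortlog)` is also called without `env.config` while `message` gets it, so the shortlog is always tag-stripped; if that is deliberate, say so with `# shortlog is always plain text; only the body honours [trac] rss_escape_html`.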
trac/versioncontrol/web_ui/changeset.py
1 1 # -*- coding: iso-8859-1 -*- 2 2 # 3 # Copyright (C) 2003-200 5Edgewall Software3 # Copyright (C) 2003-2006 Edgewall Software 4 4 # Copyright (C) 2003-2005 Jonas Borgstr�jonas@edgewall.com> 5 5 # Copyright (C) 2004-2005 Christopher Lenz <cmlenz@gmx.de> 6 # Copyright (C) 2005-2006 Christian Boos <cboos@neuf.fr> 6 7 # All rights reserved. 7 8 # 8 9 # This software is licensed as described in the file COPYING, which … … 114 115 for chgset in repos.get_changesets(start, stop): 115 116 message = chgset.message or '--' 116 117 if format == 'rss': 117 title = util.Markup('Changeset <em>[%s]</em>: %s',118 chgset.rev, util.shorten_line(message))118 title = 'Changeset [%s]: %s' % \ 119 (chgset.rev, util.shorten_line(message)) 119 120 href = self.env.abs_href.changeset(chgset.rev) 120 121 message = wiki_to_html(message, self.env, req, db, 121 122 absurls=True) … … 129 130 files = [] 130 131 for chg in chgset.get_changes(): 131 132 if show_files > 0 and len(files) >= show_files: 132 files.append(' ...')133 files.append('…') # … 133 134 break 134 files.append('<span class="%s">%s</span>' 135 %(chg[2], util.escape(chg[0])))136 message = '<span class="changes">' + ', '.join(files) +\137 '</span>: ' + message135 files.append('<span class="%s">%s</span>' % 136 (chg[2], util.escape(chg[0]))) 137 message = util.Markup('<span class="changes">%s</span>: %s', 138 ', '.join(files), message) 138 139 yield 'changeset', href, title, chgset.date, chgset.author,\ 139 util.Markup(message)140 message 140 141 141 142 # Internal methods 142 143 -
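Review bot: In the file-list hunk, `', '.join(files)` is a plain string of `<span class="…">` fragments passed as a format argument to `util.Markup(...)`. If `Markup` escapes non-Markup arguments, as its use with the raw `summary` in trac/ticket/web_ui.py suggests, the spans will be rendered as literal text rather than markup. The removed code concatenated the strings first and wrapped the result in `util.Markup` only at the `yield`. Wrapping the joined fragments keeps them as markup while `message` is still escaped when it is not already `Markup`: `message = util.Markup('<span class="changes">%s</span>: %s', util.Markup(', '.join(files)), message)`. The RSS `title` is now a plain `%`-formatted string built from the commit message, so it likewise depends on the consumer escaping it.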
trac/versioncontrol/web_ui/log.py
1 1 # -*- coding: iso-8859-1 -*- 2 2 # 3 # Copyright (C) 2003-200 5Edgewall Software3 # Copyright (C) 2003-2006 Edgewall Software 4 4 # Copyright (C) 2003-2005 Jonas Borgstr�jonas@edgewall.com> 5 # Copyright (C) 2005-2006 Christian Boos <cboos@neuf.fr> 5 6 # All rights reserved. 6 7 # 7 8 # This software is licensed as described in the file COPYING, which … … 157 158 if email: 158 159 email_map[username] = email 159 160 for cs in changes.values(): 160 cs['shortlog'] = cs['shortlog'].replace('\n', ' ')161 161 # For RSS, author must be an email address 162 162 author = cs['author'] 163 163 author_email = '' -
trac/Timeline.py
1 1 # -*- coding: iso-8859-1 -*- 2 2 # 3 # Copyright (C) 2003-200 5Edgewall Software3 # Copyright (C) 2003-2006 Edgewall Software 4 4 # Copyright (C) 2003-2005 Jonas Borgstr�jonas@edgewall.com> 5 5 # Copyright (C) 2004-2005 Christopher Lenz <cmlenz@gmx.de> 6 # Copyright (C) 2005-2006 Christian Boos <cboos@neuf.fr> 6 7 # All rights reserved. 7 8 # 8 9 # This software is licensed as described in the file COPYING, which … … 21 22 22 23 from trac.core import * 23 24 from trac.perm import IPermissionRequestor 24 from trac.util import format_date, format_time, http_date, Markup 25 from trac.util import format_date, format_time, http_date, Markup, \ 26 rss_escape_html 25 27 from trac.web import IRequestHandler 26 28 from trac.web.chrome import add_link, add_stylesheet, INavigationContributor 27 29 … … 158 160 159 161 if format == 'rss': 160 162 # Strip/escape HTML markup 161 if isinstance(title, Markup): 162 event['title'] = title.striptags() 163 else: 164 event['title'] = title 163 event['title'] = rss_escape_html(title) 164 event['message'] = rss_escape_html(message, self.config) 165 165 166 166 if author: 167 167 # For RSS, author must be an email address -
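Review bot: The comment `# Strip/escape HTML markup` above the two new assignments does not say which treatment applies to which field. `title` is passed without a config and is therefore always tag-stripped when it is `Markup`, while `message` is stripped or returned as a plain string depending on the `rss_escape_html` setting. I would replace it with `# title: always plain text; message: stripped, or left as str for the template to escape, per [trac] rss_escape_html`. If an event provider can yield `None` as its message, `rss_escape_html` will turn it into the string `'None'` via `str(text)`, so a `message or ''` guard may be needed here.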
trac/util.py
246 246 return text 247 247 return text.unescape() 248 248 249 ENTITIES = re.compile(r"&(?:\w+|#\d+);") 250 def rss_escape_html(text, config=None): 251 if isinstance(text, Markup) and \ 252 not (config and config.getbool('trac', 'rss_escape_html')): 253 return re.sub(ENTITIES, '', text.striptags()) 254 else: 255 return str(text) 256 257 249 258 def to_utf8(text, charset='iso-8859-15'): 250 259 """Convert a string to UTF-8, assuming the encoding is either UTF-8, ISO 251 260 Latin-1, or as specified by the optional `charset` parameter."""
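Review bot: `rss_escape_html` has no docstring, and its name promises escaping that it never performs. It either strips tags and entities from a `Markup` value or returns `str(text)` as is, so in the second branch HTML-bearing text leaves as a plain string and safety depends on the sink escaping it. A docstring should state both outcomes, the role of the `[trac] rss_escape_html` option, and that callers must not re-wrap the result in `Markup`. `ENTITIES` also misses hexadecimal references such as `&#x2026;`, and it deletes named entities outright, so `&amp;` or `&lt;` in a title vanish instead of becoming `&` or `<`, as does the `&hellip;` this patch adds in changeset.py. Decoding the stripped text would be safer than `re.sub(ENTITIES, '', …)`, perhaps via the `unescape()` used just above if it applies to the `striptags()` result, or at least widen the pattern to `r"&(?:\w+|#\d+|#[xX][0-9a-fA-F]+);"`.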
