Commit 01858b89 authored by Laurent Bachelier's avatar Laurent Bachelier

Escape HTML entities in URLs

parent d202f185
......@@ -57,7 +57,7 @@ event_classes = {
<strong>declined</strong>.
% endif
</p>
<form method="post" action="${url | n,U }">
<form method="post" action="${url | n,U,h}">
% if user_state != event.USER_CONFIRMED:
<input name="action" type="submit" value="Confirm"/>
% endif
......@@ -69,7 +69,7 @@ event_classes = {
</section>
<section>
<a href="${url.setvar(view='raw') | n,U}">Download as text</a>
<a href="${url.setvar(view='raw') | n,U,h}">Download as text</a>
</section>
</article>
......
......@@ -9,15 +9,15 @@
% endif
<title>${self.title(html=False)}</title>
% for stylesheet in stylesheets:
<link rel="stylesheet" type="text/css" href="${root_url.setvar(action='asset', file=stylesheet) | n,U}" />
<link rel="stylesheet" type="text/css" href="${root_url.setvar(action='asset', file=stylesheet) | n,U,h}" />
% endfor
% for script in scripts:
<script src="${root_url.setvar(action='asset', file=script) | n,U}"></script>
<script src="${root_url.setvar(action='asset', file=script) | n,U,h}"></script>
% endfor
% if path:
<link rel="up" href="../" />
% endif
<link rel="top" href="${root_url | n,U}" />
<link rel="top" href="${root_url | n,U,h}" />
</head>
<body>
<header>${self.header()}</header>
......@@ -33,9 +33,9 @@
%>
% for available_view, view_url in view_links:
% if available_view == view:
<link rel="canonical" href="${view_url | n,U}" />
<link rel="canonical" href="${view_url | n,U,h}" />
% else:
<link rel="alternate" title="Alternate view ${available_view | h}" href="${view_url | n,U}" />
<link rel="alternate" title="Alternate view ${available_view | h}" href="${view_url | n,U,h}" />
% endif
% endfor
</%def>
......
......@@ -10,7 +10,7 @@
<section>
% for photo in photos:
<a href="${URL(photo.get_name()) | n,U}"><img src="${URL(photo.get_name()).setvars(view='thumbnail', thumb_size=200) | n,U}" /></a>
<a href="${URL(photo.get_name()) | n,U,h}"><img src="${URL(photo.get_name()).setvars(view='thumbnail', thumb_size=200) | n,U}" /></a>
% endfor
<table summary="Directory listing" class="list">
......@@ -27,7 +27,7 @@
% endif
% for dir in dirs:
<tr class="dir">
<td class="filename" data-sortname="${'/'+dir.get_name() | h}"><a href="${URL(dir.get_name()+'/') | n,U}">${dir.get_name() | h}</a>/</td>
<td class="filename" data-sortname="${'/'+dir.get_name() | h}"><a href="${URL(dir.get_name()+'/') | n,U,h}">${dir.get_name() | h}</a>/</td>
</tr>
% endfor
</tbody>
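Review bot: The thumbnail `src` on the same line as the changed anchor is still emitted with `| n,U` only, so the photo name goes into the `img` attribute without HTML escaping while the `href` next to it now gets `h`; a file name containing `&`, `"` or `<` would still break the attribute (and the HTML escape) there. The line should read `<a href="${URL(photo.get_name()) | n,U,h}"><img src="${URL(photo.get_name()).setvars(view='thumbnail', thumb_size=200) | n,U,h}" /></a>`. The `U` then `h` order is the right one (percent-encode the URL first, then entity-escape for the attribute), so the new `src` filter chain should match the `href` exactly.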
......
......@@ -20,7 +20,7 @@
% endif
% for dir in dirs:
<tr class="dir">
<td class="filename" data-sortname="${'/'+dir.get_name() | h}"><a href="${URL(dir.get_name()+'/') | n,U}">${dir.get_name() | h}</a>/</td>
<td class="filename" data-sortname="${'/'+dir.get_name() | h}"><a href="${URL(dir.get_name()+'/') | n,U,h}">${dir.get_name() | h}</a>/</td>
<td class="lastmod">
<time datetime="${dir.get_mtime().strftime('%Y-%m-%dT%H:%M') | h}">${dir.get_mtime().strftime('%Y-%m-%d %H:%M:%S') | h}</time>
</td>
......@@ -29,7 +29,7 @@
% endfor
% for file in files:
<tr class="file">
<td class="filename" data-sortname="${file.get_name() | h}"><a href="${URL(file.get_name()) | n,U}">${file.get_name() | h}</a></td>
<td class="filename" data-sortname="${file.get_name() | h}"><a href="${URL(file.get_name()) | n,U,h}">${file.get_name() | h}</a></td>
<td class="lastmod">
<time datetime="${file.get_mtime().strftime('%Y-%m-%dT%H:%M') | h}">${file.get_mtime().strftime('%Y-%m-%d %H:%M:%S') | h}</time>
</td>
......
......@@ -11,7 +11,7 @@
</section>
<section>
<form method="post" action="${url | n,U }">
<form method="post" action="${url | n,U,h}">
<label>Username</label><input name="username" />
<label>Password</label><input name="password" type="password" />
<input type="submit" value="Login"/>
......
......@@ -6,9 +6,9 @@ view_links = [(available_view, url.setvar(view=available_view.name)) \
<menu id="available_views">
% for available_view, view_url in view_links:
% if available_view.name == view:
<li class="selected"><a href="${view_url | n,U}">${available_view.verbose_name | h}</a></li>
<li class="selected"><a href="${view_url | n,U,h}">${available_view.verbose_name | h}</a></li>
% else:
<li><a href="${view_url | n,U}">${available_view.verbose_name | h}</a></li>
<li><a href="${view_url | n,U,h}">${available_view.verbose_name | h}</a></li>
% endif
% endfor
</menu>
......@@ -17,9 +17,9 @@ view_links = [(available_view, url.setvar(view=available_view.name)) \
<%def name="loginbox()">
% if user:
Logged as ${display_user(user)}
<a href="${root_url.setvar(action='logout') | n,U}">Logout</a>
<a href="${root_url.setvar(action='logout') | n,U,h}">Logout</a>
% else:
<a href="${root_url.setvar(action='login') | n,U}">Login</a>
<a href="${root_url.setvar(action='login') | n,U,h}">Login</a>
% endif
</%def>
......@@ -62,7 +62,7 @@ parturl = root_url
chr = ':/'
%>\
% endif
<a class="${' '.join(classes)}" href="${parturl | n,U}">${pathpart | h}</a>${chr}\
<a class="${' '.join(classes)}" href="${parturl | n,U,h}">${pathpart | h}</a>${chr}\
% endfor
</nav>
</%def>
......@@ -42,7 +42,7 @@ class AssetsTest(TestCase):
def test_stylesheets(self):
res = self.app.get('/', status=200)
assert '<link rel="stylesheet" type="text/css" href="/?action=asset&file=main.css" />' in res.body
assert '<link rel="stylesheet" type="text/css" href="/?action=asset&amp;file=main.css" />' in res.body
res = self.app.get('/test_data/?view=gallery', status=200)
assert '<link rel="stylesheet" type="text/css" href="/?action=asset&file=main.css" />' in res.body
assert '<link rel="stylesheet" type="text/css" href="/?action=asset&amp;file=main.css" />' in res.body
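Review bot: The updated assertions only pin the `&amp;` case in the stylesheet `href`, so the escaping added to the listing, gallery and navigation links in the template files of this commit has no coverage; a regression there would pass this suite. A second assertion that fetches a directory containing a file whose name holds `&` or `"` and checks that the rendered `href` contains the entity-escaped form (and not the raw character) would cover the link templates as well. `test_stylesheets` may continue past the hunk.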