[Zope-Checkins] SVN: Zope/branches/2.9/ ZTUtils.make_hidden_input
did not escape double-quotes.
Stefan H. Holek
stefan at epy.co.at
Sun Aug 27 10:14:53 EDT 2006
Log message for revision 69796:
ZTUtils.make_hidden_input did not escape double-quotes.
Fixes http://www.zope.org/Collectors/Zope/2175
Changed:
U Zope/branches/2.9/doc/CHANGES.txt
U Zope/branches/2.9/lib/python/ZTUtils/Zope.py
U Zope/branches/2.9/lib/python/ZTUtils/tests/testZope.py
-=-
Modified: Zope/branches/2.9/doc/CHANGES.txt
===================================================================
--- Zope/branches/2.9/doc/CHANGES.txt 2006-08-27 13:50:58 UTC (rev 69795)
+++ Zope/branches/2.9/doc/CHANGES.txt 2006-08-27 14:14:52 UTC (rev 69796)
@@ -8,6 +8,8 @@
Bugs fixed
+ - Collector #2175: ZTUtils.make_hidden_input did not escape double-quotes.
+
- Collector #1907: Moved 'alt' property from File to Image.
- Collector #1983: Specifying session-resolution-seconds >= 1200 caused
Modified: Zope/branches/2.9/lib/python/ZTUtils/Zope.py
===================================================================
--- Zope/branches/2.9/lib/python/ZTUtils/Zope.py 2006-08-27 13:50:58 UTC (rev 69795)
+++ Zope/branches/2.9/lib/python/ZTUtils/Zope.py 2006-08-27 14:14:52 UTC (rev 69796)
@@ -200,7 +200,7 @@
d.update(arg)
d.update(kwargs)
- hq = cgi.escape
+ hq = lambda x:cgi.escape(x, quote=True)
qlist = complex_marshal(d.items())
for i in range(len(qlist)):
k, m, v = qlist[i]
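Review bot: The new `hq = lambda x:cgi.escape(x, quote=True)` escapes `&`, `<`, `>` and `"`, but it still leaves `'` untouched, so the output is only safe while every attribute it feeds is emitted in double quotes. That dependency is worth recording beside the assignment, for example `# quote=True: values are placed inside double-quoted attributes; cgi.escape does not escape single quotes`. As a style point, a small named `def` would read better than a lambda bound to a name and gives the comment a natural home. The function body starts and ends outside this hunk, so it cannot be confirmed from here whether `hq` is applied to the field name (`k`, `m`) as well as to the value.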
Modified: Zope/branches/2.9/lib/python/ZTUtils/tests/testZope.py
===================================================================
--- Zope/branches/2.9/lib/python/ZTUtils/tests/testZope.py 2006-08-27 13:50:58 UTC (rev 69795)
+++ Zope/branches/2.9/lib/python/ZTUtils/tests/testZope.py 2006-08-27 14:14:52 UTC (rev 69796)
@@ -5,6 +5,7 @@
import string
import urllib
from ZTUtils.Zope import make_query, complex_marshal
+from ZTUtils.Zope import make_hidden_input
from DateTime import DateTime
class QueryTests(TestCase):
@@ -50,6 +51,18 @@
record=record, string=str_)
assert query == 'date:date=%s&integer:int=1&listing:int:list=1&listing:date:list=%s&listing:list=str&string=str&record.arg1:int:list:record=1&record.arg1:date:list:record=%s&record.arg1:list:record=str&record.arg2:int:record=1'%(quote_date,quote_date,quote_date)
+ def testMakeHiddenInput(self):
+ tag = make_hidden_input(foo='bar')
+ self.assertEqual(tag, '<input type="hidden" name="foo" value="bar">')
+ tag = make_hidden_input(foo=1)
+ self.assertEqual(tag, '<input type="hidden" name="foo:int" value="1">')
+ # Escaping
+ tag = make_hidden_input(foo='bar & baz')
+ self.assertEqual(tag, '<input type="hidden" name="foo" value="bar & baz">')
+ tag = make_hidden_input(foo='<bar>')
+ self.assertEqual(tag, '<input type="hidden" name="foo" value="<bar>">')
+ tag = make_hidden_input(foo='"bar"')
+ self.assertEqual(tag, '<input type="hidden" name="foo" value=""bar"">')
def test_suite():
return makeSuite(QueryTests)
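Review bot: The three escaping assertions in `testMakeHiddenInput`, as rendered on this page, expect the raw characters back (`value="bar & baz"`, `value="<bar>"`, `value=""bar""`), which would contradict the fix. The list archive has probably decoded the entities, and the committed file presumably expects `&amp;`, `&lt;bar&gt;` and `&quot;bar&quot;`, but this should be verified against the repository rather than this page. Separately, the test only exercises values. A case with a single quote, such as `make_hidden_input(foo="it's")`, would pin the fact that `'` passes through unescaped, and a case with markup characters in the field name would show whether names are escaped at all.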