[Zope3-checkins] SVN: Zope3/trunk/src/zope/app/form/browser/ Make
sure that the content for 'option' tags in selection boxes are also
Stephan Richter
srichter at cosmos.phy.tufts.edu
Wed Jul 7 18:36:03 EDT 2004
Log message for revision 26193:
Make sure that the content of 'option' tags in selection boxes is also
HTML escaped.
Fixes 225.
-=-
Modified: Zope3/trunk/src/zope/app/form/browser/itemswidgets.py
===================================================================
--- Zope3/trunk/src/zope/app/form/browser/itemswidgets.py 2004-07-07 21:44:16 UTC (rev 26192)
+++ Zope3/trunk/src/zope/app/form/browser/itemswidgets.py 2004-07-07 22:36:03 UTC (rev 26193)
@@ -15,6 +15,7 @@
$Id$
"""
+from xml.sax.saxutils import escape
from zope.interface import implements
from zope.i18n import translate
from zope.proxy import removeAllProxies
@@ -269,9 +270,10 @@
tag = self.itemTag
for item in value:
term = self.vocabulary.getTerm(item)
- items.append(renderElement(tag,
- cssClass=cssClass,
- contents=self.textForValue(term)))
+ items.append(renderElement(
+ tag,
+ cssClass=cssClass,
+ contents=escape(self.textForValue(term))))
return items
class ListDisplayWidget(ItemsMultiDisplayWidget):
@@ -405,14 +407,14 @@
def renderItem(self, index, text, value, name, cssClass):
"""Render an item for a particular value."""
return renderElement('option',
- contents=text,
+ contents=escape(text),
value=value,
cssClass=cssClass)
def renderSelectedItem(self, index, text, value, name, cssClass):
"""Render an item for a particular value that is selected."""
return renderElement('option',
- contents=text,
+ contents=escape(text),
value=value,
cssClass=cssClass,
selected='selected')
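Review bot: In both renderItem and renderSelectedItem only `contents` is wrapped in `escape()` while the `value=value` attribute on the following line is still passed through untouched, even though the same term strings appear to flow into both (the new test fixture shows `value="< foo"`). `xml.sax.saxutils.escape` also leaves quotes alone by default, so on its own it is not sufficient for an attribute value. If `renderElement` does not already quote attribute values itself (e.g. with `quoteattr`), the value needs the same treatment, e.g. `value=escape(value, {'"': '&quot;'})`; if it does, a comment at the call site, `# renderElement quotes attribute values; only element content is escaped here`, would save the next reader the same question.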
Modified: Zope3/trunk/src/zope/app/form/browser/tests/test_selectwidget.py
===================================================================
--- Zope3/trunk/src/zope/app/form/browser/tests/test_selectwidget.py 2004-07-07 21:44:16 UTC (rev 26192)
+++ Zope3/trunk/src/zope/app/form/browser/tests/test_selectwidget.py 2004-07-07 22:36:03 UTC (rev 26193)
@@ -19,6 +19,7 @@
from zope.schema import Choice, List
from zope.app.form.browser import SelectWidget
+from zope.publisher.browser import TestRequest
choice = Choice(
title=u"Number",
@@ -35,13 +36,43 @@
def _makeWidget(self, form):
request = TestRequest(form=form)
- return SelectWidget(sequence, request)
+ return SelectWidget(sequence, choice.vocabulary, request)
+select_html = '''<div id="field.terms">
+<div class="value">
+<select name="field.terms" size="5" >
+<option value="< foo">< foo</option>
+<option value="bar/>">bar/></option>
+<option value="&blah&">&blah&</option>
+</select>
+</div>
+</div>'''
+class SelectWidgetHTMLEncodingTest(unittest.TestCase):
+
+ def testOptionEncoding(self):
+ choice = Choice(
+ title=u"Number",
+ description=u"The Number",
+ values=['< foo', 'bar/>', '&blah&'])
+ sequence = List(
+ __name__="terms",
+ title=u"Numbers",
+ description=u"The Numbers",
+ value_type=choice)
+
+ request = TestRequest()
+ sequence = sequence.bind(object())
+ widget = SelectWidget(sequence, choice.vocabulary, request)
+ self.assertEqual(widget(), select_html)
+
def test_suite():
- return unittest.makeSuite(SelectWidgetTest)
+ return unittest.TestSuite((
+ unittest.makeSuite(SelectWidgetTest),
+ unittest.makeSuite(SelectWidgetHTMLEncodingTest)
+ ))
if __name__ == '__main__':
unittest.main(defaultTest="test_suite")
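Review bot: The expected markup in `select_html` shows raw `<`, `>` and `&` both in the option text and in the `value` attribute (`<option value="< foo">< foo</option>`), which is exactly the unescaped form this commit is meant to eliminate; as shown here it would not match `escape()` output, so either the fixture was mangled in the archive rendering or the assertion does not exercise the fix. The fixture should spell the entities out explicitly (`&lt; foo`, `bar/&gt;`, `&amp;blah&amp;`) so a reader can see that escaped output is what is asserted. `SelectWidgetHTMLEncodingTest` has no docstring; a one-liner such as `"""Option text containing HTML metacharacters must be rendered escaped."""` would state the regression it guards. Its local `choice` and `sequence` also shadow the module-level `choice` (and apparently `sequence`) used by the existing `SelectWidgetTest`, which is easy to misread; renaming them (e.g. `html_choice`, `html_sequence`) would avoid that.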