- Always unescape element contents on webdav.xmltools

      - Use saxutils to escape/unescape values for/from
        PROPFIND/PROPPATCH.

      - Make OFS.PropertySheet use the escaping function from
        webdav.xmltools.

      - Escape/unescape " and '

      - Set a default value of '' for the new 'alt' property as not to
        break existing content.

doc/CHANGES.txt

@@ -38,12 +38,25 @@ Zope Changes
         'alt' property.  The border="0" attribute is no longer part of the HTML
         output except specified otherwise.
 
+      - Set a default value of '' for the new 'alt' property as not to
+        break existing content.
+
       - Collector #1511: made IPCServer show up in the Control Panel under
         "Network Services"
 
       - Collector #1443: Applied patch by Simon Eisenmann that reimplements
         the XML parser used in WebDAV fixing a memory leak.
 
+      - Always unescape element contents on webdav.xmltools
+
+      - Use saxutils to escape/unescape values for/from
+        PROPFIND/PROPPATCH.
+
+      - Make OFS.PropertySheet use the escaping function from
+        webdav.xmltools.
+
+      - Escape/unescape " and '
+
   Zope 2.8a1
 
 

lib/python/OFS/Image.py

@@ -76,6 +76,7 @@ class File(Persistent, Implicit, PropertyManager,
 
     precondition=''
     size=None
+    alt=''
 
     manage_editForm  =DTMLFile('dtml/fileEdit',globals(),
                                Kind='File',kind='file')

lib/python/OFS/PropertySheets.py

@@ -807,15 +807,12 @@ def absattr(attr):
         return attr()
     return attr
 
-
-def xml_escape(v):
-    """ convert any content from ISO-8859-1 to UTF-8
-    The main use is to escape non-US object property values
-    (e.g. containing accented characters). Also we convert "<" and ">"
-    to entities to keep the properties XML compliant.
-    """
-    v = str(v)
-    v = v.replace('&', '&amp;')
-    v = v.replace('<', '&lt;')
-    v = v.replace('>', '&gt;')
-    return  unicode(v,"latin-1").encode("utf-8")
+def xml_escape(value):
+    from webdav.xmltools import escape
+    if not isinstance(value, basestring):
+        value = unicode(value)
+    if not isinstance(value, unicode):
+        # XXX It really shouldn't be hardcoded to latin-1 here.
+        value = value.decode('latin-1')
+    value = escape(value)
+    return value.encode('utf-8')

lib/python/webdav/xmltools.py

@@ -10,13 +10,10 @@
 # FOR A PARTICULAR PURPOSE
 #
 ##############################################################################
-
-
 """
 WebDAV XML request parsing tool using xml.minidom as xml parser.
 Code contributed by Simon Eisenmann, struktur AG, Stuttgart, Germany
 """
-
 __version__='$Revision: 1.15.2.1 $'[11:-2]
 
 """
@@ -33,9 +30,39 @@ TODO:
 """
 
 from xml.dom import minidom
+from xml.sax.saxutils import escape as _escape, unescape as _unescape
+
+escape_entities = {'"': '"',
+                   "'": ''',
+                   }
+
+unescape_entities = {'"': '"',
+                     ''': "'",
+                     }
+
+def escape(value, entities=None):
+    _ent = escape_entities
+    if entities is not None:
+        _ent = _ent.copy()
+        _ent.update(entities)
+    return _escape(value, entities)
+
+def unescape(value, entities=None):
+    _ent = unescape_entities
+    if entities is not None:
+        _ent = _ent.copy()
+        _ent.update(entities)
+    return _unescape(value, entities)
+
+# XXX latin-1 is hardcoded on OFS.PropertySheets as the expected
+# encoding properties will be stored in. Optimally, we should use the
+# same encoding as the 'default_encoding' property that is used for
+# the ZMI.
+zope_encoding = 'latin-1'
 
 class Node:
-    """ our nodes no matter what type """
+    """ Our nodes no matter what type
+    """
 
     node = None
 
@@ -43,9 +70,12 @@ class Node:
         self.node=node
 
     def elements(self, name=None, ns=None):
-        nodes=[ Node(n) for n in self.node.childNodes if n.nodeType == n.ELEMENT_NODE and \
-                                                   ((name is None) or ((n.localName.lower())==name)) and \
-                                                   ((ns is None) or (n.namespaceURI==ns)) ]
+        nodes = []
+        for n in self.node.childNodes:
+            if (n.nodeType == n.ELEMENT_NODE and
+                ((name is None) or ((n.localName.lower())==name)) and
+                ((ns is None) or (n.namespaceURI==ns))):
+                nodes.append(Element(n))
         return nodes
 
     def qname(self):
@@ -59,7 +89,7 @@ class Node:
         return self.node.toxml()
 
     def strval(self):
-        return self.toxml()
+        return self.toxml().encode(zope_encoding)
 
     def name(self):  return self.node.localName
     def attrs(self): return self.node.attributes
@@ -87,9 +117,23 @@ class Node:
             return "<Node %s (from %s)>" % (self.name(), self.namespace())
         else: return "<Node %s>" % self.name()
 
+class Element(Node):
+
+    def toxml(self):
+        # When dealing with Elements, we only want the Element's content.
+        result = u''
+        for n in self.node.childNodes:
+            value = n.toxml()
+            # Use unescape possibly escaped values.  We do this
+            # because the value is *always* escaped in it's XML
+            # representation, and if we store it escaped it will come
+            # out *double escaped* when doing a PROPFIND.
+            value = unescape(value, entities=unescape_entities)
+            result += value
+        return result
 
 class XmlParser:
-    """ simple wrapper around minidom to support the required 
+    """ Simple wrapper around minidom to support the required
     interfaces for zope.webdav
     """
 
@@ -99,6 +143,5 @@ class XmlParser:
         pass
 
     def parse(self, data):
-        self.dom=minidom.parseString(data)
+        self.dom = minidom.parseString(data)
         return Node(self.dom)
-