5c6fd9e9
Commit
5c6fd9e9
authored
Jan 29, 2014
by
Nathan Van Gheem
merge hotfixes from Products.PloneHotfix20131210
parent
230d8f46
Changes
4
Showing
4 changed files
with
38 additions
and
17 deletions
+38
-17
src/OFS/Image.py
src/OFS/Image.py
+14
-15
src/OFS/tests/testFileAndImage.py
src/OFS/tests/testFileAndImage.py
+9
-0
src/Products/Sessions/BrowserIdManager.py
src/Products/Sessions/BrowserIdManager.py
+1
-2
src/Products/Sessions/tests/testBrowserIdManager.py
src/Products/Sessions/tests/testBrowserIdManager.py
+14
-0
src/OFS/Image.py
...
...
@@ -838,21 +838,20 @@ class Image(File):
security
.
declareProtected
(
View
,
'tag'
)
def
tag
(
self
,
height
=
None
,
width
=
None
,
alt
=
None
,
scale
=
0
,
xscale
=
0
,
yscale
=
0
,
css_class
=
None
,
title
=
None
,
**
args
):
"""
Generate an HTML IMG tag for this image, with customization.
Arguments to self.tag() can be any valid attributes of an IMG tag.
'src' will always be an absolute pathname, to prevent redundant
downloading of images. Defaults are applied intelligently for
'height', 'width', and 'alt'. If specified, the 'scale', 'xscale',
and 'yscale' keyword arguments will be used to automatically adjust
the output height and width values of the image tag.
Since 'class' is a Python reserved word, it cannot be passed in
directly in keyword arguments which is a problem if you are
trying to use 'tag()' to include a CSS class. The tag() method
will accept a 'css_class' argument that will be converted to
'class' in the output tag to work around this.
"""
#Generate an HTML IMG tag for this image, with customization.
#Arguments to self.tag() can be any valid attributes of an IMG tag.
#'src' will always be an absolute pathname, to prevent redundant
#downloading of images. Defaults are applied intelligently for
#'height', 'width', and 'alt'. If specified, the 'scale', 'xscale',
#and 'yscale' keyword arguments will be used to automatically adjust
#the output height and width values of the image tag.
#Since 'class' is a Python reserved word, it cannot be passed in
#directly in keyword arguments which is a problem if you are
#trying to use 'tag()' to include a CSS class. The tag() method
#will accept a 'css_class' argument that will be converted to
#'class' in the output tag to work around this.
if
height
is
None
:
height
=
self
.
height
if
width
is
None
:
width
=
self
.
width
...
...
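Review bot: Turning the docstring into a `#` comment block only stops `tag()` from being reachable by URL traversal; it does not change how `css_class` and `**args` are placed into the IMG tag, so a template or script that feeds request data into `tag()` gets exactly whatever escaping the attribute-building code applies. That code lies past the end of the hunk, so I cannot tell from here whether attribute values are HTML-escaped; if they are not, this is a mitigation rather than a fix and deserves a follow-up that quotes attribute values. The copied comment block also gives no hint why there is no docstring, which invites a later cleanup to "restore" it; I would prepend `# NOTE: intentionally no docstring -- a docstring makes tag() publishable via URL, which exposed the unescaped css_class/**args attribute values as reflected XSS.` The method body continues outside the hunk.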
src/OFS/tests/testFileAndImage.py
...
...
@@ -353,8 +353,17 @@ class ImageTests(FileTests):
verifyClass
(
IWriteLock
,
Image
)
class
ImagePublishTests
(
Testing
.
ZopeTestCase
.
FunctionalTestCase
):
def
testTagSafe
(
self
):
self
.
app
.
manage_addImage
(
"image"
,
""
)
res
=
self
.
publish
(
"/image/tag?height=0&width=0&css_class=%22%3E%3Cscript%20type%3D%22text%2Fjavascript%22%3Ealert('evil')%3B%3C%2Fscript%3E%3Cdiv%20class%3D%22"
)
self
.
assertNotIn
(
'<script type="text/javascript">alert(
\
'
evil
\
'
);</script>'
,
res
.
getBody
())
def
test_suite
():
return
unittest
.
TestSuite
((
unittest
.
makeSuite
(
FileTests
),
unittest
.
makeSuite
(
ImageTests
),
unittest
.
makeSuite
(
ImagePublishTests
)
))
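Review bot: `assertNotIn` on the exact payload in `testTagSafe` proves little on its own: it passes for a 404 error page, for a traceback, and for a differently quoted or cased rendering of the same script alike, so it would not notice a regression that reflects the value with slightly different output. Since the fix works by making `tag()` unpublishable, the test should pin that mechanism directly, e.g. `self.assertEqual(res.getStatus(), 404)` (presumably the status Zope returns for a method without a docstring; confirm against the publisher) next to the existing negative assertion. A companion check that the in-process API still works, something like `self.assertIn('src=', self.app.image.tag())`, would guard against the hotfix breaking legitimate template callers.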
src/Products/Sessions/BrowserIdManager.py
...
...
@@ -266,8 +266,7 @@ class BrowserIdManager(Item, Persistent, Implicit, RoleManager, Owned, Tabs):
security
.
declareProtected
(
ACCESS_CONTENTS_PERM
,
'encodeUrl'
)
def
encodeUrl
(
self
,
url
,
style
=
'querystring'
,
create
=
1
):
""" See IBrowserIdManager.
"""
# See IBrowserIdManager
bid
=
self
.
getBrowserId
(
create
)
if
bid
is
None
:
raise
BrowserIdManagerErr
(
'There is no current browser id.'
)
...
...
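Review bot: Dropping the docstring keeps `encodeUrl()` off the URL-publishing path, but the `security.declareProtected(ACCESS_CONTENTS_PERM, 'encodeUrl')` declaration above it and the `url` argument are unchanged, so the method remains callable from scripts and templates and, judging by the companion test's payload, still returns its `url` argument inside the result; callers that pass request-supplied URLs get no escaping from this method. A short why-comment would stop the docstring from being restored by a well-meaning cleanup: `# No docstring on purpose: a docstring would make encodeUrl() publishable by URL, and the echoed url argument made that a reflected-XSS vector.` The rest of encodeUrl's body is outside the hunk.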
src/Products/Sessions/tests/testBrowserIdManager.py
...
...
@@ -14,6 +14,7 @@
Test suite for session id manager.
"""
import
unittest
import
Testing
class
TestBrowserIdManager
(
unittest
.
TestCase
):
...
...
@@ -642,6 +643,18 @@ class TestBrowserIdManagerTraverser(unittest.TestCase):
self
.
assertEqual
(
request
.
_script
[
1
],
bid
)
class
TestBrowserIdManagerPublish
(
Testing
.
ZopeTestCase
.
FunctionalTestCase
):
def
test_encodeUrl_safe
(
self
):
from
OFS.Application
import
AppInitializer
init
=
AppInitializer
(
self
.
app
)
init
.
install_browser_id_manager
()
res
=
self
.
publish
(
'/browser_id_manager/encodeUrl?url=%3Chtml%3EEVIL%2Fhtml%3E%3C!--'
)
self
.
assertNotIn
(
"<html>EVIL/html>"
,
res
.
getBody
())
class
DummyObject
:
def
__init__
(
self
,
**
kw
):
self
.
__dict__
.
update
(
kw
)
...
...
@@ -667,4 +680,5 @@ def test_suite():
return
unittest
.
TestSuite
((
unittest
.
makeSuite
(
TestBrowserIdManager
),
unittest
.
makeSuite
(
TestBrowserIdManagerTraverser
),
unittest
.
makeSuite
(
TestBrowserIdManagerPublish
),
))
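Review bot: `test_encodeUrl_safe` only asserts that the raw payload is absent, which a 404 error page, a traceback and an HTML-escaped echo all satisfy, so it does not pin the actual mechanism of the fix; add `self.assertEqual(res.getStatus(), 404)` (presumably what Zope returns for a method with no docstring; confirm) so a later change that makes the method publishable again is caught even if the body happens not to contain the literal string. There is also no positive test that the in-process API still works after the hotfix, e.g. `self.assertTrue(self.app.browser_id_manager.encodeUrl('http://example.com/').startswith('http://example.com/?'))`, assuming the functional fixture supplies the REQUEST that `getBrowserId(create=1)` needs. Note that the new module-level `import Testing` makes the whole module depend on ZopeTestCase being importable, which the earlier plain `unittest.TestCase` classes did not need.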