Commit 9657f85a authored by Stefan H. Holek's avatar Stefan H. Holek

ZTUtils.make_hidden_input did not escape double-quotes.

Fixes http://www.zope.org/Collectors/Zope/2175
parent b17b217e
...@@ -8,6 +8,8 @@ Zope Changes ...@@ -8,6 +8,8 @@ Zope Changes
Bugs fixed Bugs fixed
- Collector #2175: ZTUtils.make_hidden_input did not escape double-quotes.
- Collector #1907: Moved 'alt' property from File to Image. - Collector #1907: Moved 'alt' property from File to Image.
- Collector #1983: Specifying session-resolution-seconds >= 1200 caused - Collector #1983: Specifying session-resolution-seconds >= 1200 caused
......
...@@ -200,7 +200,7 @@ def make_hidden_input(*args, **kwargs): ...@@ -200,7 +200,7 @@ def make_hidden_input(*args, **kwargs):
d.update(arg) d.update(arg)
d.update(kwargs) d.update(kwargs)
hq = cgi.escape hq = lambda x:cgi.escape(x, quote=True)
qlist = complex_marshal(d.items()) qlist = complex_marshal(d.items())
for i in range(len(qlist)): for i in range(len(qlist)):
k, m, v = qlist[i] k, m, v = qlist[i]
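Review bot: The new `hq` on the changed line has no comment explaining why `quote=True` is required, which makes it easy to simplify back to the bare `cgi.escape` later. `cgi.escape(x, quote=True)` escapes `"` but leaves `'` untouched, so the output is only safe while the tag template keeps its attributes in double quotes. I would add `# quote=True: output is placed inside double-quoted attributes; ' is NOT escaped, so the template must stay double-quoted` above it. The line that formats the tag lies outside this hunk, so whether the field name is passed through `hq` as well as the value cannot be confirmed from here and is worth checking. A small local `def` would also read better than a lambda bound to a name.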
......
...@@ -5,6 +5,7 @@ from unittest import TestCase, makeSuite, main ...@@ -5,6 +5,7 @@ from unittest import TestCase, makeSuite, main
import string import string
import urllib import urllib
from ZTUtils.Zope import make_query, complex_marshal from ZTUtils.Zope import make_query, complex_marshal
from ZTUtils.Zope import make_hidden_input
from DateTime import DateTime from DateTime import DateTime
class QueryTests(TestCase): class QueryTests(TestCase):
...@@ -50,6 +51,18 @@ class QueryTests(TestCase): ...@@ -50,6 +51,18 @@ class QueryTests(TestCase):
record=record, string=str_) record=record, string=str_)
assert query == 'date:date=%s&integer:int=1&listing:int:list=1&listing:date:list=%s&listing:list=str&string=str&record.arg1:int:list:record=1&record.arg1:date:list:record=%s&record.arg1:list:record=str&record.arg2:int:record=1'%(quote_date,quote_date,quote_date) assert query == 'date:date=%s&integer:int=1&listing:int:list=1&listing:date:list=%s&listing:list=str&string=str&record.arg1:int:list:record=1&record.arg1:date:list:record=%s&record.arg1:list:record=str&record.arg2:int:record=1'%(quote_date,quote_date,quote_date)
def testMakeHiddenInput(self):
tag = make_hidden_input(foo='bar')
self.assertEqual(tag, '<input type="hidden" name="foo" value="bar">')
tag = make_hidden_input(foo=1)
self.assertEqual(tag, '<input type="hidden" name="foo:int" value="1">')
# Escaping
tag = make_hidden_input(foo='bar & baz')
self.assertEqual(tag, '<input type="hidden" name="foo" value="bar &amp; baz">')
tag = make_hidden_input(foo='<bar>')
self.assertEqual(tag, '<input type="hidden" name="foo" value="&lt;bar&gt;">')
tag = make_hidden_input(foo='"bar"')
self.assertEqual(tag, '<input type="hidden" name="foo" value="&quot;bar&quot;">')
def test_suite(): def test_suite():
return makeSuite(QueryTests) return makeSuite(QueryTests)
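Review bot: The escaping assertions in `testMakeHiddenInput` only put special characters in the value, never in the field name, so a regression in name escaping would go unnoticed. `make_hidden_input` also takes dicts positionally (`d.update(arg)` in the patched function), which allows a name containing a double quote. Assuming the name is escaped the same way as the value (the formatting line is not visible in this commit view), add `tag = make_hidden_input({'a"b': 'c'})` followed by `self.assertEqual(tag, '<input type="hidden" name="a&quot;b" value="c">')`. A value containing `'` would also be worth pinning, to record that single quotes pass through unescaped.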
......