Commit dffe898e authored by Jérome Perrin's avatar Jérome Perrin

escape html entities that might be contained in items for items widgets


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@21116 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent 76d79fec
...@@ -657,6 +657,7 @@ def SingleItemsWidget_render_items(self, field, key, value, REQUEST): ...@@ -657,6 +657,7 @@ def SingleItemsWidget_render_items(self, field, key, value, REQUEST):
# XXX We want to make sure that we always have the current value in items. -yo # XXX We want to make sure that we always have the current value in items. -yo
if not selected_found and value: if not selected_found and value:
value = escape(value)
rendered_item = self.render_selected_item('??? (%s)' % value, rendered_item = self.render_selected_item('??? (%s)' % value,
value, value,
key, key,
...@@ -693,8 +694,9 @@ def MultiItemsWidget_render_items(self, field, key, value, REQUEST): ...@@ -693,8 +694,9 @@ def MultiItemsWidget_render_items(self, field, key, value, REQUEST):
item_value = item item_value = item
if item_value in value: if item_value in value:
rendered_item = self.render_selected_item(item_text, rendered_item = self.render_selected_item(
item_value, escape(str(item_text)).replace(' ', ' '),
escape(str(item_value)),
key, key,
css_class, css_class,
extra_item) extra_item)
...@@ -702,8 +704,9 @@ def MultiItemsWidget_render_items(self, field, key, value, REQUEST): ...@@ -702,8 +704,9 @@ def MultiItemsWidget_render_items(self, field, key, value, REQUEST):
index = value.index(item_value) index = value.index(item_value)
selected_found[index] = 1 selected_found[index] = 1
else: else:
rendered_item = self.render_item(item_text, rendered_item = self.render_item(
item_value, escape(str(item_text)).replace(' ', ' '),
escape(str(item_value)),
key, key,
css_class, css_class,
extra_item) extra_item)
...@@ -714,6 +717,7 @@ def MultiItemsWidget_render_items(self, field, key, value, REQUEST): ...@@ -714,6 +717,7 @@ def MultiItemsWidget_render_items(self, field, key, value, REQUEST):
for index in range(len(value)): for index in range(len(value)):
v = value[index] v = value[index]
if index not in selected_found and v: if index not in selected_found and v:
v = escape(v)
rendered_item = self.render_selected_item('??? (%s)' % v, rendered_item = self.render_selected_item('??? (%s)' % v,
v, v,
key, key,
...@@ -783,7 +787,7 @@ def ListWidget_render_view(self, field, value, REQUEST=None): ...@@ -783,7 +787,7 @@ def ListWidget_render_view(self, field, value, REQUEST=None):
return '' return ''
title_list = [x[0] for x in field.get_value("items", REQUEST=REQUEST) if x[1]==value] title_list = [x[0] for x in field.get_value("items", REQUEST=REQUEST) if x[1]==value]
if len(title_list) == 0: if len(title_list) == 0:
return "??? (%s)" % value return "??? (%s)" % escape(value)
else: else:
return title_list[0] return title_list[0]
return value return value
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment