Mercurial Repository: p/roundup/code: roundup/cgi/templating.py comparison

comparison roundup/cgi/templating.py @ 5800:1a835db41674

Call cgi.escape only on python 2. Replace with html.escapeif it can be found.

author	John Rouillard <rouilj@ieee.org>
date	Tue, 11 Jun 2019 21:29:24 -0400
parents	97e2125e064c
children	936275dfe1fa

comparison

equal deleted inserted replaced

-:7ba0ee980fc7
+:1a835db41674
 import base64, cgi, re, os.path, mimetypes, csv, string
 import calendar
 import textwrap
 import time, hashlib
+try:
+from html import escape as html_escape  # python 3
+except ImportError:
+from cgi import escape as html_escape   # python 2 fallback
 from roundup.anypy import urllib_
 from roundup import hyperdb, date, support
 from roundup import i18n
 from roundup.i18n import _
 dic['id'] = dic['name']
 except KeyError:
 pass
 def cgi_escape_attrs(**attrs):
-return ' '.join(['%s="%s"'%(k,cgi.escape(str(v), True))
+return ' '.join(['%s="%s"'%(k,html_escape(str(v), True))
 for k,v in sorted(attrs.items())])
 def input_html4(**attrs):
 """Generate an 'input' (html4) element with given attributes"""
 _set_input_default_args(attrs)
 # there's no labelprop!
 try:
 if labelprop is not None and \
 labelprop != 'id':
 label = linkcl.get(linkid, labelprop)
-label = cgi.escape(label)
+label = html_escape(label)
 except IndexError:
 comments['no_link'] = self._(
 "<strike>The linked node"
 " no longer exists</strike>")
 subml.append('<strike>%s</strike>'%label)
 # if we have a label property, try to use it
 # TODO: test for node existence even when
 # there's no labelprop!
 if labelprop is not None and labelprop != 'id':
 try:
-label = cgi.escape(linkcl.get(args[k],
+label = html_escape(linkcl.get(args[k],
 labelprop))
 except IndexError:
 comments['no_link'] = self._(
 "<strike>The linked node"
 " no longer exists</strike>")
 if k in current and current[k] is not None:
 cell[-1] += ' -> %s'%current[k]
 current[k] = val
 elif isinstance(prop, hyperdb.String) and args[k]:
-val = cgi.escape(args[k])
+val = html_escape(args[k])
 cell.append('%s: %s'%(self._(k), val))
 if k in current and current[k] is not None:
 cell[-1] += ' -> %s'%current[k]
 current[k] = val
 # if the user's an itemid, figure the username (older journals
 # have the username)
 if dre.match(user):
 user = self._db.user.get(user, 'username')
 l.append('<tr><td>%s</td><td>%s</td><td>%s</td><td>%s</td></tr>'%(
-date_s, cgi.escape(user), self._(action), arg_s))
+date_s, html_escape(user), self._(action), arg_s))
 if comments:
 l.append(self._(
 '<tr><td colspan=4><strong>Note:</strong></td></tr>'))
 for entry in comments.values():
 l.append('<tr><td colspan=4>%s</td></tr>'%entry)
 return self._('[hidden]')
 if self._value is None:
 return ''
 if escape:
-s = cgi.escape(str(self._value))
+s = html_escape(str(self._value))
 else:
 s = str(self._value)
 if hyperlink:
 # no, we *must* escape this text
 if not escape:
-s = cgi.escape(s)
+s = html_escape(s)
 s = self.hyper_re.sub(self._hyper_repl, s)
 return s
 def wrapped(self, escape=1, hyperlink=1):
 """Render a "wrapped" representation of the property.
 if self._value is None:
 return ''
 s = '\n'.join(textwrap.wrap(str(self._value), 80))
 if escape:
-s = cgi.escape(s)
+s = html_escape(s)
 if hyperlink:
 # no, we *must* escape this text
 if not escape:
-s = cgi.escape(s)
+s = html_escape(s)
 s = self.hyper_re.sub(self._hyper_repl, s)
 return s
 def stext(self, escape=0, hyperlink=1):
 """ Render the value of the property as StructuredText.
 return '<pre>%s</pre>'%self.plain()
 if self._value is None:
 value = ''
 else:
-value = cgi.escape(str(self._value))
+value = html_escape(str(self._value))
 value = '&quot;'.join(value.split('"'))
 name = self._formname
 passthrough_args = cgi_escape_attrs(**kwargs)
 return ('<textarea %(passthrough_args)s name="%(name)s" id="%(name)s"'
 name = name.replace('.', ' ')
 value = '%s at %s ...'%(name, domain)
 else:
 value = value.replace('.', ' ')
 if escape:
-value = cgi.escape(value)
+value = html_escape(value)
 return value
 class PasswordHTMLProperty(HTMLProperty):
 def plain(self, escape=0):
 """ Render a "plain" representation of the property
 try:
 value = self._value.dummystr()
 except AttributeError:
 value = self._('[hidden]')
 if escape:
-value = cgi.escape(value)
+value = html_escape(value)
 return value
 def field(self, size=30, **kwargs):
 """ Render a form edit field for the property.
 except IndexError:
 value = self._value
 else :
 value = self._value
 if escape:
-value = cgi.escape(value)
+value = html_escape(value)
 return value
 def field(self, showid=0, size=None, **kwargs):
 """ Render a form edit field for the property
 # and generate
 tr = str
 if translate:
 tr = self._
-lab = cgi.escape(tr(lab))
+lab = html_escape(tr(lab))
 l.append('<option %svalue="%s">%s</option>'%(s, optionid, lab))
 l.append('</select>')
 return '\n'.join(l)
 #    def checklist(self, ...)
 else:
 label = v
 labels.append(label)
 value = ', '.join(labels)
 if escape:
-value = cgi.escape(value)
+value = html_escape(value)
 return value
 def field(self, size=30, showid=0, **kwargs):
 """ Render a form edit field for the property
 # and generate
 tr = str
 if translate:
 tr = self._
-lab = cgi.escape(tr(lab))
+lab = html_escape(tr(lab))
 l.append('<option %svalue="%s">%s</option>'%(s, optionid,
 lab))
 l.append('</select>')
 return '\n'.join(l)
 """URL-quote the supplied text."""
 return urllib_.quote(url)
 def html_quote(self, html):
 """HTML-quote the supplied text."""
-return cgi.escape(html)
+return html_escape(html)
 def __getattr__(self, name):
 """Try the tracker's templating_utils."""
 if not hasattr(self.client.instance, 'templating_utils'):
 # backwards-compatibility

Mercurial > p > roundup > code

comparison roundup/cgi/templating.py @ 5800:1a835db41674