diff roundup/cgi/actions.py @ 5004:494d255043c9

Display errors containing HTML with RejectRaw (issue2550847) In general outputting un-escaped HTML in a message to the user is an unsafe operation, which is why error messages are escaped by default. In some cases though it is desirable for a detector to include HTML within an error message. For these cases where HTML is required the RejectRaw exception can be used within the detector.
author John Kristensen <john@jerrykan.com>
date Sat, 10 Oct 2015 23:35:51 +1100
parents b562df8a5056
children 0428d2004a86
--- a/roundup/cgi/actions.py	Sat Oct 10 23:07:17 2015 +1100
+++ b/roundup/cgi/actions.py	Sat Oct 10 23:35:51 2015 +1100
@@ -3,9 +3,9 @@
 from roundup import hyperdb, token, date, password
 from roundup.actions import Action as BaseAction
 from roundup.i18n import _
-import roundup.exceptions
 from roundup.cgi import exceptions, templating
 from roundup.mailgw import uidFromAddress
+from roundup.exceptions import Reject, RejectRaw
 from roundup.anypy import io_, urllib_
 
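Review bot: Dropping `import roundup.exceptions` at line 16 breaks any remaining `roundup.exceptions.<Name>` reference in this file that is not one of the `Reject` call sites rewritten by this commit; the hunks only show `Reject` being migrated, so other attributes of that module (if any are used elsewhere in actions.py) would now raise NameError at runtime rather than at import time. Worth a grep for `roundup.exceptions.` over the whole file before landing, since the regression would only surface on the affected request path. The new import line 19 is placed after `from roundup.mailgw import uidFromAddress` rather than next to the other `roundup.*` imports; moving it up beside line 13 keeps the group ordered.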
 __all__ = ['Action', 'ShowAction', 'RetireAction', 'SearchAction',
@@ -106,7 +106,7 @@
         """Retire the context item."""
         # ensure modification comes via POST
         if self.client.env['REQUEST_METHOD'] != 'POST':
-            raise roundup.exceptions.Reject(self._('Invalid request'))
+            raise Reject(self._('Invalid request'))
 
         # if we want to view the index template now, then unset the itemid
         # context info (a special-case for retire actions on the index page)
@@ -285,7 +285,7 @@
         """
         # ensure modification comes via POST
         if self.client.env['REQUEST_METHOD'] != 'POST':
-            raise roundup.exceptions.Reject(self._('Invalid request'))
+            raise Reject(self._('Invalid request'))
 
         # figure the properties list for the class
         cl = self.db.classes[self.classname]
@@ -606,7 +606,7 @@
         """
         # ensure modification comes via POST
         if self.client.env['REQUEST_METHOD'] != 'POST':
-            raise roundup.exceptions.Reject(self._('Invalid request'))
+            raise Reject(self._('Invalid request'))
 
         user_activity = self.lastUserActivity()
         if user_activity:
@@ -620,10 +620,10 @@
         # handle the props
         try:
             message = self._editnodes(props, links)
-        except (ValueError, KeyError, IndexError,
-                roundup.exceptions.Reject), message:
+        except (ValueError, KeyError, IndexError, Reject) as message:
+            escape = not isinstance(message, RejectRaw)
             self.client.add_error_message(
-                self._('Edit Error: %s') % str(message))
+                self._('Edit Error: %s') % str(message), escape=escape)
             return
 
         # commit now that all the tricky stuff is done
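Review bot: The `escape = not isinstance(message, RejectRaw)` line 57 turns off output escaping for the whole rendered string, including the `_('Edit Error: %s')` wrapper, so anything a detector interpolates into a RejectRaw message (item titles, usernames, form values) is emitted to the browser unescaped; that contract is only stated in the commit message, not at the point of use. Add `# RejectRaw bypasses escaping on purpose: the detector is responsible for escaping any user-supplied text it embeds` above line 57 so a future maintainer does not widen the unescaped path, and document the same requirement on RejectRaw itself. The same pattern recurs in the hunks ending at lines 87 and 111. The `escape=` keyword on `add_error_message` is assumed to exist on the client class; if that change is not part of this series the call at line 60 raises TypeError on every edit error. The enclosing method starts and ends outside this hunk.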
@@ -652,7 +652,7 @@
         '''
         # ensure modification comes via POST
         if self.client.env['REQUEST_METHOD'] != 'POST':
-            raise roundup.exceptions.Reject(self._('Invalid request'))
+            raise Reject(self._('Invalid request'))
 
         # parse the props from the form
         try:
@@ -666,10 +666,11 @@
         try:
             # when it hits the None element, it'll set self.nodeid
             messages = self._editnodes(props, links)
-        except (ValueError, KeyError, IndexError,
-                roundup.exceptions.Reject), message:
+        except (ValueError, KeyError, IndexError, Reject) as message:
+            escape = not isinstance(message, RejectRaw)
             # these errors might just be indicative of user dumbness
-            self.client.add_error_message(_('Error: %s') % str(message))
+            self.client.add_error_message(_('Error: %s') % str(message),
+                                          escape=escape)
             return
 
         # commit now that all the tricky stuff is done
@@ -833,7 +834,7 @@
         """
         # ensure modification comes via POST
         if self.client.env['REQUEST_METHOD'] != 'POST':
-            raise roundup.exceptions.Reject(self._('Invalid request'))
+            raise Reject(self._('Invalid request'))
 
         # parse the props from the form
         try:
@@ -849,10 +850,11 @@
             try:
                 # when it hits the None element, it'll set self.nodeid
                 messages = self._editnodes(props, links)
-            except (ValueError, KeyError, IndexError,
-                    roundup.exceptions.Reject), message:
+            except (ValueError, KeyError, IndexError, Reject) as message:
+                escape = not isinstance(message, RejectRaw)
                 # these errors might just be indicative of user dumbness
-                self.client.add_error_message(_('Error: %s') % str(message))
+                self.client.add_error_message(_('Error: %s') % str(message),
+                                              escape=escape)
                 return
 
             # fix up the initial roles
@@ -957,7 +959,7 @@
         """
         # ensure modification comes via POST
         if self.client.env['REQUEST_METHOD'] != 'POST':
-            raise roundup.exceptions.Reject(self._('Invalid request'))
+            raise Reject(self._('Invalid request'))
 
         # we need the username at a minimum
         if '__login_name' not in self.form:
