diff roundup/cgi/templating.py @ 3782:51c07c04d258
clean up input field generation and quoting of values [SF#1615616]
| author | Richard Jones <richard@users.sourceforge.net> |
|---|---|
| date | Mon, 18 Dec 2006 03:50:47 +0000 |
| parents | ee73abcc95d2 |
| children | edefe9ccfbba |
--- a/roundup/cgi/templating.py Mon Dec 18 03:33:12 2006 +0000
+++ b/roundup/cgi/templating.py Mon Dec 18 03:50:47 2006 +0000
@@ -410,12 +410,14 @@
 def input_html4(**attrs):
 """Generate an 'input' (html4) element with given attributes"""
 _set_input_default_args(attrs)
- return '<input %s>'%' '.join(['%s="%s"'%item for item in attrs.items()])
+ return '<input %s>'%' '.join(['%s="%s"'%(k,cgi.escape(str(v), True))
+ for k,v in attrs.items()])
 def input_xhtml(**attrs):
 """Generate an 'input' (xhtml) element with given attributes"""
 _set_input_default_args(attrs)
- return '<input %s/>'%' '.join(['%s="%s"'%item for item in attrs.items()])
+ return '<input %s/>'%' '.join(['%s="%s"'%(k,cgi.escape(str(v), True))
+ for k,v in attrs.items()])
 class HTMLInputMixin:
 ''' requires a _client property '''
@@ -1328,12 +1330,9 @@
 if not self.is_edit_ok():
 return self.plain()
- if self._value is None:
+ value = self._value
+ if value is None:
 value = ''
- else:
- value = cgi.escape(str(self._value))
-
- value = '"'.join(value.split('"'))
 kwargs.setdefault("size", 30)
 kwargs.update({"name": self._formname, "value": value})
@@ -1436,13 +1435,11 @@
 if not self.is_edit_ok():
 return self.plain()
- if self._value is None:
+ value = self._value
+ if value is None:
 value = ''
- else:
- value = cgi.escape(str(self._value))
-
- value = '"'.join(value.split('"'))
- return self.input(name=self._formname,value=value,size=size)
+
+ return self.input(name=self._formname, value=value, size=size)
 def __int__(self):
 ''' Return an int of me
@@ -1582,7 +1579,7 @@
 'or string date representation.')
 elif isinstance(value, str) or isinstance(value, unicode):
 # most likely erroneous input to be passed back to user
- value = cgi.escape(str(value), 1)
+ if isinstance(value, unicode): value = value.encode('utf8')
 return self.input(name=self._formname, value=value, size=size)
 else:
 raw_value = value
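Review bot: In `input_html4` and `input_xhtml` (hunk -410), `str(v)` will raise UnicodeEncodeError when an attribute value is a `unicode` object holding non-ASCII characters, which the old `'%s="%s"'%item` formatting did not do. The date-field hunk at -1582 encodes to UTF-8 before calling `self.input`, but the other `field()` hunks (-1328, -1436, -1707, -1778) pass `self._value` through unchanged, so they are only safe if those values are never unicode, which is not visible here. Doing the conversion once in the helper would cover every caller, e.g. `if isinstance(v, unicode): v = v.encode('utf8')` ahead of the escape. The two docstrings should also state that attribute values are escaped here and must be passed raw, since any caller outside these hunks that still pre-escapes will now render `&amp;amp;`.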
@@ -1603,7 +1600,6 @@
 if format is not self._marker:
 value = value.pretty(format)
- value = cgi.escape(str(value), 1)
 s = self.input(name=self._formname, value=value, size=size)
 if popcal:
 s += self.popcal()
@@ -1707,13 +1703,11 @@
 if not self.is_edit_ok():
 return self.plain()
- if self._value is None:
+ value = self._value
+ if value is None:
 value = ''
- else:
- value = cgi.escape(str(self._value))
-
- value = '"'.join(value.split('"'))
- return self.input(name=self._formname,value=value,size=size)
+
+ return self.input(name=self._formname, value=value, size=size)
 class LinkHTMLProperty(HTMLProperty):
 ''' Link HTMLProperty
@@ -1778,11 +1772,7 @@
 value = linkcl.get(self._value, k)
 else:
 value = self._value
- value = cgi.escape(str(value))
- value = '"'.join(value.split('"'))
- return self.input(name=self._formname,
- value=value,
- size=size)
+ return self.input(name=self._formname, value=value, size=size)
 def menu(self, size=None, height=None, showid=0, additional=[], value=None, sort_on=None, **conditions):
@@ -1973,8 +1963,8 @@
 if not showid:
 k = linkcl.labelprop(1)
 value = lookupKeys(linkcl, k, value)
- value = cgi.escape(','.join(value))
- return self.input(name=self._formname,size=size,value=value)
+ value = ','.join(value)
+ return self.input(name=self._formname, size=size, value=value)
 def menu(self, size=None, height=None, showid=0, additional=[], value=None, sort_on=None, **conditions):
@@ -2328,9 +2318,10 @@
 ''' return the current index args as form elements '''
 l = []
 sc = self.special_char
- s = self.input(type="hidden",name="%s",value="%s")
+ def add(k, v):
+ l.append(self.input(type="hidden", name=k, value=v))
 if columns and self.columns:
- l.append(s%(sc+'columns', ','.join(self.columns)))
+ add(sc+'columns', ','.join(self.columns))
 if sort:
 val = []
 for dir, attr in self.sort:
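Review bot: The nested `add` helper in the -2328 hunk is now the only place the hidden index fields get escaped, and nothing in the code says so. It relies on `self.input` escaping both `name` and `value`, whereas the old `s%(...)` pattern substituted values into markup that had already been rendered. A one-line comment on it, such as `# self.input() attribute-escapes name and value; pass them raw`, would keep a later edit from reintroducing string interpolation. The same helper carries the -2338 and -2346 hunks, where names and values come from `self.filterspec` and `self.search_text`; those look request-derived, so a regression test rendering a value that contains `"` and `<` would be worth adding. The enclosing method starts before this hunk and continues past it.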
@@ -2338,7 +2329,7 @@
 val.append('-'+attr)
 else:
 val.append(attr)
- l.append(s%(sc+'sort', ','.join (val)))
+ add(sc+'sort', ','.join (val))
 if group:
 val = []
 for dir, attr in self.group:
@@ -2346,23 +2337,23 @@
 val.append('-'+attr)
 else:
 val.append(attr)
- l.append(s%(sc+'group', ','.join (val)))
+ add(sc+'group', ','.join (val))
 if filter and self.filter:
- l.append(s%(sc+'filter', ','.join(self.filter)))
+ add(sc+'filter', ','.join(self.filter))
 if self.classname and filterspec:
 props = self.client.db.getclass(self.classname).getprops()
 for k,v in self.filterspec.items():
 if type(v) == type([]):
 if isinstance(props[k], hyperdb.String):
- l.append(s%(k, ' '.join(v)))
+ add(k, ' '.join(v))
 else:
- l.append(s%(k, ','.join(v)))
+ add(k, ','.join(v))
 else:
- l.append(s%(k, v))
+ add(k, v)
 if search_text and self.search_text:
- l.append(s%(sc+'search_text', self.search_text))
- l.append(s%(sc+'pagesize', self.pagesize))
- l.append(s%(sc+'startwith', self.startwith))
+ add(sc+'search_text', self.search_text)
+ add(sc+'pagesize', self.pagesize)
+ add(sc+'startwith', self.startwith)
 return '\n'.join(l)
 def indexargs_url(self, url, args):
