Mercurial > p > roundup > code

view website/issues/extensions/timezone.py @ 8365:4ac0bbb3e440

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
bug(security): CVE-2025-53865 - XSS bug Extensive fixes in devel, responsive templates known to be exploitable. Similar constructs in classic and minimal templates not known to be exploitable, but changed anyway. doc/upgrading.txt: Reformat to 66 characters. Update with assigned CVE number. Add section on fixing tal:replace with unsafe data. Document analysis and assumptions in comment in file. doc/security.txt: Update with CVE number.
author John Rouillard <rouilj@ieee.org>
date Fri, 11 Jul 2025 19:30:27 -0400
parents 7d8e0dbb0852
children
line wrap: on
line source

# Utility for replacing the simple input field for the timezone with
# a select-field that lists the available values.

import cgi

try:
    import pytz
except ImportError:
    pytz = None


def tzfield(prop, name, default):
    if pytz:
        value = prop.plain()        
        if '' == value:
            value = default
        else:
            try:
                value = "Etc/GMT%+d" % int(value)
            except ValueError:
                pass

        l = ['<select name="%s">' % name]
        for zone in pytz.all_timezones:
            s = ' '
            if zone == value:
                s = 'selected=selected '
            z = cgi.escape(zone)
            l.append('<option %svalue="%s">%s</option>' % (s, z, z))
        l.append('</select>')
        return '\n'.join(l)
        
    else:
        return prop.field()

def init(instance):
    instance.registerUtil('tzfield', tzfield)
Roundup Issue Tracker: http://roundup-tracker.org/