From 6498ce916a85586d62cdb37953dad0345d21f7e5 Mon Sep 17 00:00:00 2001 From: Oleg Broytman Date: Fri, 25 May 2018 04:53:59 +0300 Subject: [PATCH] Fix(web): Escape attributes values and texts --- m_librarian/web/views/books_by_author.py | 47 +++++++++++----------- m_librarian/web/views/books_by_author.tmpl | 5 ++- 2 files changed, 27 insertions(+), 25 deletions(-) diff --git a/m_librarian/web/views/books_by_author.py b/m_librarian/web/views/books_by_author.py index 1ae6dc1..c0e2ab8 100644 --- a/m_librarian/web/views/books_by_author.py +++ b/m_librarian/web/views/books_by_author.py @@ -25,6 +25,7 @@ from Cheetah.CacheRegion import CacheRegion import Cheetah.Filters as Filters import Cheetah.ErrorCatchers as ErrorCatchers from Cheetah.compat import unicode +import cgi from views.layout import layout ################################################## @@ -35,10 +36,10 @@ VFN=valueForName currentTime=time.time __CHEETAH_version__ = '3.1.0' __CHEETAH_versionTuple__ = (3, 1, 0, 'final', 1) -__CHEETAH_genTime__ = 1527212249.002131 -__CHEETAH_genTimestamp__ = 'Fri May 25 04:37:29 2018' +__CHEETAH_genTime__ = 1527213181.482462 +__CHEETAH_genTimestamp__ = 'Fri May 25 04:53:01 2018' __CHEETAH_src__ = 'books_by_author.tmpl' -__CHEETAH_srcLastModified__ = 'Fri May 25 04:37:19 2018' +__CHEETAH_srcLastModified__ = 'Fri May 25 04:52:59 2018' __CHEETAH_docstring__ = 'Autogenerated by Cheetah: The Python-Powered Template Engine' if __CHEETAH_versionTuple__ < RequiredCheetahVersionTuple: @@ -71,7 +72,7 @@ class books_by_author(layout): - ## CHEETAH: generated from #def body at line 4, col 1. + ## CHEETAH: generated from #def body at line 5, col 1. trans = KWS.get("trans") if (not trans and not self._CHEETAH__isBuffering and not callable(self.transaction)): trans = self.transaction # is None unless self.awake() was called @@ -87,49 +88,49 @@ class books_by_author(layout): ## START - generated method body write(u'''

''') - _v = VFFSL(SL,"title",True) # u'$title' on line 5, col 5 - if _v is not None: write(_filter(_v, rawExpr=u'$title')) # from line 5, col 5. + _v = VFFSL(SL,"title",True) # u'$title' on line 6, col 5 + if _v is not None: write(_filter(_v, rawExpr=u'$title')) # from line 6, col 5. write(u''' ''') - _v = VFFSL(SL,"author.fullname",True) # u'$author.fullname' on line 5, col 12 - if _v is not None: write(_filter(_v, rawExpr=u'$author.fullname')) # from line 5, col 12. + _v = VFFSL(SL,"author.fullname",True) # u'$author.fullname' on line 6, col 12 + if _v is not None: write(_filter(_v, rawExpr=u'$author.fullname')) # from line 6, col 12. write(u'''

''') - if VFFSL(SL,"books",True): # generated from line 7, col 1 + if VFFSL(SL,"books",True): # generated from line 8, col 1 write(u'''
''') - else: # generated from line 30, col 1 + else: # generated from line 31, col 1 write(u'''

\u041d\u0435 \u043d\u0430\u0439\u0434\u0435\u043d\u043e \u043d\u0438 \u043e\u0434\u043d\u043e\u0439 \u043a\u043d\u0438\u0433\u0438!

''') diff --git a/m_librarian/web/views/books_by_author.tmpl b/m_librarian/web/views/books_by_author.tmpl index 96897e9..668e445 100644 --- a/m_librarian/web/views/books_by_author.tmpl +++ b/m_librarian/web/views/books_by_author.tmpl @@ -1,4 +1,5 @@ #encoding utf-8 +#import cgi #extends views.layout #attr $title = 'Список книг автора' #def body @@ -16,13 +17,13 @@ #set $series = $book.series #end if - + #end for -- 2.39.5
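Review bot: `#import cgi` in the first template hunk brings in a helper whose `escape()` does not touch `"` or `'` unless called with `quote=True`, which is exactly what an attribute-value sink needs, and `cgi.escape()` is deprecated since Python 3.2 and removed in 3.8 (the whole `cgi` module is removed in 3.13). The calls this import serves sit in the markup of the second hunk, which this page does not preserve, so I cannot confirm how they are invoked; if they are `$cgi.escape(...)` without `quote=True`, a value containing `"` still breaks out of the attribute. On Python 3 `#from html import escape` with `$escape(value)` escapes quotes by default and covers both text and attribute contexts; if Python 2 must stay supported (the generated module still imports `unicode` from `Cheetah.compat`), pass `quote=True` explicitly at every attribute sink. A template-wide `#filter WebSafe` would remove the per-call discipline, but as far as I recall that filter also leaves quotes alone unless told otherwise, so attribute values would still need explicit handling.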
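Review bot: The `$title` and `$author.fullname` placeholders at template line 6 are outside the second template hunk and, per the unchanged context in the generated module (`write(_filter(_v, rawExpr=u'$author.fullname'))`), are still emitted through the default `_filter`, which does no HTML escaping unless the `layout` base installs one, which this page does not show; an author name that originates from imported book metadata is therefore still written raw into the page body while the per-book values inside this loop are now escaped. The markup lines of this hunk were stripped on this page, leaving only the `#set $series = $book.series` / `#end if` / `#end for` skeleton, so I am inferring from the subject line rather than from visible calls that the loop body now escapes attribute values and text. Either apply the same escaping to line 6 or set a template-wide default so no placeholder depends on a per-call helper. The `#for` loop enclosing this hunk starts above it, outside the hunk.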