diff mercurial/minirst.py @ 18750:c9d923f5d8ae
minirst: CGI escape strings prior to embedding it in the HTML
author | Dan Villiom Podlaski Christiansen <danchr@gmail.com> |
---|---|
date | Sat, 09 Feb 2013 17:44:25 -0500 |
parents | 8aa053b99c24 |
children | 13aa81e2fded |
--- a/mercurial/minirst.py Sat Feb 09 21:51:21 2013 +0000
+++ b/mercurial/minirst.py Sat Feb 09 17:44:25 2013 -0500
@@ -22,6 +22,8 @@
 import util, encoding
 from i18n import _
+import cgi
+
 def section(s):
 return "%s\n%s\n\n" % (s, "\"" * encoding.colwidth(s))
@@ -524,6 +526,9 @@
 headernest = ''
 listnest = []
+ def escape(s):
+ return cgi.escape(s, True)
+
 def openlist(start, level):
 if not listnest or listnest[-1][0] != start:
 listnest.append((start, level))
@@ -537,34 +542,34 @@
 lines = b['lines']
 if btype == 'admonition':
- admonition = _admonitiontitles[b['admonitiontitle']]
- text = ' '.join(map(str.strip, lines))
+ admonition = escape(_admonitiontitles[b['admonitiontitle']])
+ text = escape(' '.join(map(str.strip, lines)))
 out.append('<p>\n<b>%s</b> %s\n</p>\n' % (admonition, text))
 elif btype == 'paragraph':
- out.append('<p>\n%s\n</p>\n' % '\n'.join(lines))
+ out.append('<p>\n%s\n</p>\n' % escape('\n'.join(lines)))
 elif btype == 'margin':
 pass
 elif btype == 'literal':
- out.append('<pre>\n%s\n</pre>\n' % '\n'.join(lines))
+ out.append('<pre>\n%s\n</pre>\n' % escape('\n'.join(lines)))
 elif btype == 'section':
 i = b['underline']
 if i not in headernest:
 headernest += i
 level = headernest.index(i) + 1
- out.append('<h%d>%s</h%d>\n' % (level, lines[0], level))
+ out.append('<h%d>%s</h%d>\n' % (level, escape(lines[0]), level))
 elif btype == 'table':
 table = b['table']
 t = []
 for row in table:
 l = []
- for v in zip(row):
- l.append('<td>%s</td>' % v)
+ for v in row:
+ l.append('<td>%s</td>' % escape(v))
 t.append(' <tr>%s</tr>\n' % ''.join(l))
 out.append('<table>\n%s</table>\n' % ''.join(t))
 elif btype == 'definition':
 openlist('dl', level)
- term = lines[0]
- text = ' '.join(map(str.strip, lines[1:]))
+ term = escape(lines[0])
+ text = escape(' '.join(map(str.strip, lines[1:])))
 out.append(' <dt>%s\n <dd>%s\n' % (term, text))
 elif btype == 'bullet':
 bullet, head = lines[0].split(' ', 1)
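Review bot: The new `escape` helper in the second hunk carries no comment saying which output context its result is safe for. `cgi.escape(s, True)` converts `&`, `<`, `>` and `"` but leaves `'` untouched, so the result is safe as element text (the only way the visible branches use it) and inside double-quoted attribute values, not inside single-quoted or unquoted attributes. A one-line comment above the helper would record that, e.g. `# escapes &, <, > and "; safe for element text and double-quoted attributes only`. The function that encloses `escape` starts above the hunk and continues past it.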
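Review bot: Escaping is applied by hand at each `out.append` site of this if/elif chain (and again in the bullet, field and option branches of the next hunk), so nothing prevents a block type added later from appending its text raw and reopening the HTML injection this change closes. A comment at the head of the chain would state the rule, e.g. `# every string taken from a block must pass through escape() before it is appended to out`. No test is visible here; a case that renders each block type with `<`, `&` and `"` in its text and checks for `&lt;`, `&amp;` and `&quot;` would pin the behaviour, though this page shows only minirst.py and one may exist elsewhere in the changeset. The loop containing these branches starts above the hunk.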
@@ -572,16 +577,16 @@
 openlist('ul', level)
 else:
 openlist('ol', level)
- out.append(' <li> %s\n' % ' '.join([head] + lines[1:]))
+ out.append(' <li> %s\n' % escape(' '.join([head] + lines[1:])))
 elif btype == 'field':
 openlist('dl', level)
- key = b['key']
- text = ' '.join(map(str.strip, lines))
+ key = escape(b['key'])
+ text = escape(' '.join(map(str.strip, lines)))
 out.append(' <dt>%s\n <dd>%s\n' % (key, text))
 elif btype == 'option':
 openlist('dl', level)
- opt = b['optstr']
- desc = ' '.join(map(str.strip, lines))
+ opt = escape(b['optstr'])
+ desc = escape(' '.join(map(str.strip, lines)))
 out.append(' <dt>%s\n <dd>%s\n' % (opt, desc))
 # close lists if indent level of next block is lower