[Erp5-report] r21116 - /erp5/trunk/products/ERP5Form/FormulatorPatch.py

nobody at svn.erp5.org nobody at svn.erp5.org
Mon May 26 10:58:33 CEST 2008


Author: jerome
Date: Mon May 26 10:58:31 2008
New Revision: 21116

URL: http://svn.erp5.org?rev=21116&view=rev
Log:
escape html entities that might be contained in items for items widgets

Modified:
    erp5/trunk/products/ERP5Form/FormulatorPatch.py

Modified: erp5/trunk/products/ERP5Form/FormulatorPatch.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5Form/FormulatorPatch.py?rev=21116&r1=21115&r2=21116&view=diff
==============================================================================
--- erp5/trunk/products/ERP5Form/FormulatorPatch.py (original)
+++ erp5/trunk/products/ERP5Form/FormulatorPatch.py Mon May 26 10:58:31 2008
@@ -657,6 +657,7 @@
 
   # XXX We want to make sure that we always have the current value in items. -yo
   if not selected_found and value:
+      value = escape(value)
       rendered_item = self.render_selected_item('??? (%s)' % value,
                                                 value,
                                                 key,
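Review bot: The escaped string is passed to render_selected_item both as the visible text and as the item value (second argument), and the hunk does not show how that value is emitted. If it lands in an HTML attribute and `escape` leaves double quotes alone (as `cgi.escape` does by default), a quote in `value` can still close the attribute. If the renderer already quotes attributes, the value is now double-escaped and a submitted `&` comes back as `&amp;`. Once render_selected_item's behaviour is confirmed, it may be cleaner to escape only the label, `'??? (%s)' % escape(value)`, and pass the value through in the form the renderer expects. The same question applies to `v = escape(v)` in the @@ -714 hunk and to `escape(str(item_value))` in the @@ -693 hunk; the call continues outside this hunk.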
@@ -693,20 +694,22 @@
           item_value = item
 
       if item_value in value:
-          rendered_item = self.render_selected_item(item_text,
-                                                    item_value,
-                                                    key,
-                                                    css_class,
-                                                    extra_item)
+          rendered_item = self.render_selected_item(
+              escape(str(item_text)).replace(' ', ' '),
+              escape(str(item_value)),
+              key,
+              css_class,
+              extra_item)
           # XXX -yo
           index = value.index(item_value)
           selected_found[index] = 1
       else:
-          rendered_item = self.render_item(item_text,
-                                           item_value,
-                                           key,
-                                           css_class,
-                                           extra_item)
+          rendered_item = self.render_item(
+               escape(str(item_text)).replace(' ', ' '),
+               escape(str(item_value)),
+               key,
+               css_class,
+               extra_item)
 
       rendered_items.append(rendered_item)
 
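Review bot: `str(item_text)` and `str(item_value)` raise UnicodeEncodeError under Python 2, which this 2008 code presumably targets, when an item is a unicode object with non-ASCII characters, so the new escaping can turn a rendering issue into a crash in both branches. Converting only non-strings avoids that, e.g. `if not isinstance(item_text, basestring): item_text = str(item_text)`, and doing it once before the `if item_value in value:` test removes the duplicated expression from the two calls. As displayed here `.replace(' ', ' ')` replaces a space with a space. The second argument was probably a non-breaking-space entity lost by the archive rendering, and a one-line comment stating why spaces are replaced would help. The two new calls are also indented differently (14 versus 15 spaces).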
@@ -714,6 +717,7 @@
   for index in range(len(value)):
     v = value[index]
     if index not in selected_found and v:
+      v = escape(v)
       rendered_item = self.render_selected_item('??? (%s)' % v,
                                                 v,
                                                 key,
@@ -783,7 +787,7 @@
       return ''
   title_list = [x[0] for x in field.get_value("items", REQUEST=REQUEST) if x[1]==value]
   if len(title_list) == 0:
-    return "??? (%s)" % value
+    return "??? (%s)" % escape(value)
   else:
     return title_list[0]
   return value
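Review bot: Only the fallback string is escaped; the `else` branch still returns `title_list[0]` unescaped, so an item title containing markup reaches the caller raw on this path while the unknown-value path is now covered. If the return value is written into the page as HTML, which escaping the fallback suggests, the title needs the same treatment: `return escape(title_list[0])`. `escape(value)` also assumes `value` is a string here, unlike the `escape(str(...))` form used in the @@ -693 hunk. The function starts outside this hunk, and the trailing `return value` is unreachable.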



