[Erp5-report] r21116 - /erp5/trunk/products/ERP5Form/FormulatorPatch.py
nobody at svn.erp5.org
nobody at svn.erp5.org
Mon May 26 10:58:33 CEST 2008
Author: jerome
Date: Mon May 26 10:58:31 2008
New Revision: 21116
URL: http://svn.erp5.org?rev=21116&view=rev
Log:
Escape HTML special characters that may be contained in the items of items widgets.
Modified:
erp5/trunk/products/ERP5Form/FormulatorPatch.py
Modified: erp5/trunk/products/ERP5Form/FormulatorPatch.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5Form/FormulatorPatch.py?rev=21116&r1=21115&r2=21116&view=diff
==============================================================================
--- erp5/trunk/products/ERP5Form/FormulatorPatch.py (original)
+++ erp5/trunk/products/ERP5Form/FormulatorPatch.py Mon May 26 10:58:31 2008
@@ -657,6 +657,7 @@
# XXX We want to make sure that we always have the current value in items. -yo
if not selected_found and value:
+ value = escape(value)
rendered_item = self.render_selected_item('??? (%s)' % value,
value,
key,
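Review bot: `value = escape(value)` escapes the raw value, whereas the second hunk converts with `str(...)` before escaping, so a non-string value would presumably fail here instead of rendering the `??? (...)` placeholder; `value = escape(str(value))` would be consistent. The same applies to `v = escape(v)` in the third hunk. Rebinding `value` also means any later use in this function sees the escaped text. The function body continues outside the hunk, so check that nothing after it compares `value` against unescaped item values.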
@@ -693,20 +694,22 @@
item_value = item
if item_value in value:
- rendered_item = self.render_selected_item(item_text,
- item_value,
- key,
- css_class,
- extra_item)
+ rendered_item = self.render_selected_item(
+ escape(str(item_text)).replace(' ', ' '),
+ escape(str(item_value)),
+ key,
+ css_class,
+ extra_item)
# XXX -yo
index = value.index(item_value)
selected_found[index] = 1
else:
- rendered_item = self.render_item(item_text,
- item_value,
- key,
- css_class,
- extra_item)
+ rendered_item = self.render_item(
+ escape(str(item_text)).replace(' ', ' '),
+ escape(str(item_value)),
+ key,
+ css_class,
+ extra_item)
rendered_items.append(rendered_item)
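Review bot: `escape(str(item_value))` is passed as the item's value, which presumably ends up inside a quoted HTML attribute, and whether double quotes get encoded depends on which `escape` is imported, which is not visible in this hunk. If it is `cgi.escape`, the default leaves `"` untouched, so a value containing a quote could still terminate the attribute early; `escape(str(item_value), 1)` would cover that case. Separately, `.replace(' ', ' ')` reads as a no-op as displayed here, presumably because the replacement is a non-breaking space or `&nbsp;` that the archive rendered. A short comment such as `# keep runs of spaces visible in the rendered item` would make the intent clear.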
@@ -714,6 +717,7 @@
for index in range(len(value)):
v = value[index]
if index not in selected_found and v:
+ v = escape(v)
rendered_item = self.render_selected_item('??? (%s)' % v,
v,
key,
@@ -783,7 +787,7 @@
return ''
title_list = [x[0] for x in field.get_value("items", REQUEST=REQUEST) if x[1]==value]
if len(title_list) == 0:
- return "??? (%s)" % value
+ return "??? (%s)" % escape(value)
else:
return title_list[0]
return value
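Review bot: Only the `??? (%s)` fallback is escaped; `return title_list[0]` and the final `return value` still return text taken from the field's items or the raw value without escaping. If the caller writes this result into the page as HTML, those two paths need the same treatment, e.g. `return escape(title_list[0])`. If the caller already escapes on output, the new `escape(value)` would be double-encoded instead. The enclosing function starts outside the hunk, so which of the two applies cannot be confirmed from here.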