# HG changeset patch
# User sylvain.thenault@logilab.fr
# Date 1233325770 -3600
# Node ID 9b56df97ec5f6c3de9ea6e33b697098591fb922a
# Parent 6e84e93fa7ec9c31f5004e30228ecafeb5b14e66
fix xml views: ensure we're generating valide tag names (rsetxml), protect against control characters in xml view (should probably be generalized...)
diff -r 6e84e93fa7ec -r 9b56df97ec5f web/views/baseviews.py
--- a/web/views/baseviews.py Fri Jan 30 15:26:51 2009 +0100
+++ b/web/views/baseviews.py Fri Jan 30 15:29:30 2009 +0100
@@ -19,14 +19,14 @@
 from rql import nodes
 from logilab.common.decorators import cached
-from logilab.mtconverter import html_escape, TransformError
+from logilab.mtconverter import TransformError, html_escape, xml_escape
 from cubicweb import Unauthorized, NoSelectableObject, typed_eid
 from cubicweb.common.selectors import (yes, nonempty_rset, accept, one_line_rset, match_search_state, match_form_params, accept_rset)
 from cubicweb.common.uilib import (cut, printable_value, UnicodeCSVWriter,
-ajax_replace_url, rql_for_eid)
+ajax_replace_url, rql_for_eid, simple_sgml_tag)
 from cubicweb.common.view import EntityView, AnyRsetView, EmptyRsetView
 from cubicweb.web.httpcache import MaxAgeHTTPCacheManager
 from cubicweb.web.views import vid_from_rset, linksearch_select_url, linksearch_match
@@ -575,8 +575,7 @@
 self.wview(self.item_vid, self.rset, row=row, col=col)
 def call(self):
-"""display a list of entities by calling their view
-"""
+"""display a list of entities by calling their view"""
 self.w(u'\n' % self.req.encoding)
 self.w(u'<%s size="%s">\n' % (self.xml_root, len(self.rset)))
 for i in xrange(self.rset.rowcount):
@@ -603,7 +602,7 @@
 from base64 import b64encode
 value = '' % b64encode(value.getvalue())
 elif isinstance(value, basestring):
-value = value.replace('&', '&').replace('<', '<')
+value = xml_escape(value)
 self.w(u' <%s>%s\n' % (attr, value, attr))
 self.w(u'\n' % (entity.e_schema))
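Review bot: The `+value = xml_escape(value)` line replaces the hand-rolled `&`/`<` replacement, but nothing in the code says why `xml_escape` rather than the `html_escape` the module already imports is required here — the changeset message gives the reason (control characters must not reach the XML output), and without a comment a later cleanup could fold it back to `html_escape`; `# xml_escape, not html_escape: XML output must also drop control characters (see changeset)` would record it. The guard `elif isinstance(value, basestring):` also admits byte `str` values, and whether `xml_escape` treats those the same as `unicode` is not visible in this hunk, so that is worth confirming before relying on it for the `self.w(u' <%s>%s\n' % (attr, value, attr))` call. The enclosing method starts before this hunk.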
@@ -623,21 +622,25 @@
 eschema = self.schema.eschema
 labels = self.columns_labels(False)
 w(u'\n' % self.req.encoding)
-w(u'<%s>\n' % self.xml_root)
+w(u'<%s query="%s">\n' % (self.xml_root, html_escape(rset.printable_rql())))
 for rowindex, row in enumerate(self.rset):
 w(u' \n')
 for colindex, val in enumerate(row):
 etype = descr[rowindex][colindex]
 tag = labels[colindex]
+attrs = {}
+if '(' in tag:
+attrs['expr'] = tag
+tag = 'funccall'
 if val is not None and not eschema(etype).is_final():
+attrs['eid'] = val # csvrow.append(val) # val is eid in that case
-content = self.view('textincontext', rset,
-row=rowindex, col=colindex)
-w(u' <%s eid="%s">%s\n' % (tag, val, html_escape(content), tag))
+val = self.view('textincontext', rset,
+row=rowindex, col=colindex)
 else:
-content = self.view('final', rset, displaytime=True,
-row=rowindex, col=colindex)
-w(u' <%s>%s\n' % (tag, html_escape(content), tag))
+val = self.view('final', rset, displaytime=True,
+row=rowindex, col=colindex)
+w(simple_sgml_tag(tag, val, **attrs))
 w(u' \n')
 w(u'\n' % self.xml_root)
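Review bot: The new root line `+w(u'<%s query="%s">\n' % (self.xml_root, html_escape(rset.printable_rql())))` escapes the request's RQL with `html_escape` while the rest of this changeset moves the XML views to `xml_escape`; unless `html_escape` is an alias that also handles `"` and control characters, a query containing either yields a malformed `query` attribute, so `xml_escape(rset.printable_rql())` would be the consistent choice. The explicit `html_escape(content)` calls are dropped in favour of `w(simple_sgml_tag(tag, val, **attrs))`, which is only equivalent if `simple_sgml_tag` escapes both the content and the `eid`/`expr` attribute values itself; that is not visible here and deserves a comment such as `# simple_sgml_tag escapes content and attribute values` once confirmed. The `if '(' in tag:` fallback to `funccall` covers only function-call labels, so any other label from `columns_labels` that is not a valid XML name would still be emitted verbatim as an element name. The enclosing method starts before this hunk.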