# HG changeset patch
# User Julien Cristau
# Date 1412263109 -7200
# Node ID bc7c3b0f439b6b75f27a4493b8b052f2f4ad27ba
# Parent 962324edd6de859da1094aa14f98274cb8ea5ba6
[web] stop accepting the magic __message form parameter
This has been deprecated for a while, and replaced by _cwmsgid, which doesn't allow arbitrary content.
diff -r 962324edd6de -r bc7c3b0f439b web/form.py
--- a/web/form.py Thu Oct 02 16:34:38 2014 +0200
+++ b/web/form.py Thu Oct 02 17:18:29 2014 +0200
@@ -83,7 +83,7 @@
 domid = 'form'
 copy_nav_params = False
 control_fields = set( ('__form_id', '__errorurl', '__domid',
- '__redirectpath', '_cwmsgid', '__message',
+ '__redirectpath', '_cwmsgid',
 ) )
 def __init__(self, req, rset=None, row=None, col=None,
diff -r 962324edd6de -r bc7c3b0f439b web/request.py
--- a/web/request.py Thu Oct 02 16:34:38 2014 +0200
+++ b/web/request.py Thu Oct 02 17:18:29 2014 +0200
@@ -237,7 +237,6 @@
 no_script_form_params = set(('vid', 'etype', 'vtitle', 'title',
- '__message',
 '__redirectvid', '__redirectrql'))
 def setup_params(self, params):
@@ -260,14 +259,6 @@
 val = self.no_script_form_param(param, val)
 if param == '_cwmsgid':
 self.set_message_id(val)
- elif param == '__message':
- warn('[3.13] __message in request parameter is deprecated (may '
- 'only be given to .build_url). Seeing this message usualy '
- 'means your application hold some where you should '
- 'replace use of __message hidden input by form.set_message, '
- 'so new _cwmsgid mechanism is properly used',
- DeprecationWarning)
- self.set_message(val)
 else:
 self.form[param] = val
diff -r 962324edd6de -r bc7c3b0f439b web/test/unittest_application.py
--- a/web/test/unittest_application.py Thu Oct 02 16:34:38 2014 +0200
+++ b/web/test/unittest_application.py Thu Oct 02 17:18:29 2014 +0200
@@ -281,8 +281,7 @@
 """test against current script injection"""
 injected = 'toto'
 cleaned = 'toto'
- for kwargs in ({'__message': injected},
- {'vid': injected},
+ for kwargs in ({'vid': injected},
 {'vtitle': injected}, ):
 yield self._test_cleaned, kwargs, injected, cleaned
diff -r 962324edd6de -r bc7c3b0f439b web/views/basecomponents.py
--- a/web/views/basecomponents.py Thu Oct 02 16:34:38 2014 +0200
+++ b/web/views/basecomponents.py Thu Oct 02 17:18:29 2014 +0200
@@ -182,8 +182,8 @@
 class ApplicationMessage(component.Component):
- """display messages given using the __message parameter into a special div
- section
+ """display messages given using the __message/_cwmsgid parameter into a
+ special div section
 """
 __select__ = yes()
 __regid__ = 'applmessages'
diff -r 962324edd6de -r bc7c3b0f439b wsgi/request.py
--- a/wsgi/request.py Thu Oct 02 16:34:38 2014 +0200
+++ b/wsgi/request.py Thu Oct 02 17:18:29 2014 +0200
@@ -162,13 +162,5 @@
 val = self.no_script_form_param(param, val)
 if param == '_cwmsgid':
 self.set_message_id(val)
- elif param == '__message':
- warn('[3.13] __message in request parameter is deprecated (may '
- 'only be given to .build_url). Seeing this message usualy '
- 'means your application hold some where you should '
- 'replace use of __message hidden input by form.set_message, '
- 'so new _cwmsgid mechanism is properly used',
- DeprecationWarning)
- self.set_message(val)
 else:
 self.form[param] = val
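Review bot: In web/request.py `setup_params` (second hunk), a `__message` parameter is not dropped after this change but falls through to `else: self.form[param] = val`. Because the previous hunk also takes it out of `no_script_form_params`, it likely no longer passes through `no_script_form_param()` either; the guarding condition sits above the hunk, so this is inferred. Any view, template or cube that still reads `form['__message']` would then receive the raw client-supplied value. Keeping `'__message',` in `no_script_form_params` as defence in depth, or explicitly ignoring the parameter in this branch chain, would close that gap. The identical hunk in wsgi/request.py needs the same treatment.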
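Review bot: In web/test/unittest_application.py the `{'__message': injected}` case is dropped from the script-injection test without a replacement, so nothing now checks what happens when a client still sends `__message`. A negative regression case would pin the behaviour the commit message promises, for example asserting that `injected` does not appear in the rendered page for a request carrying `__message`. The existing `_test_cleaned` helper may not fit, since it presumably expects the cleaned value to be displayed. The test method starts above the hunk, so its name and fixtures are not visible here.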
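Review bot: In web/views/basecomponents.py the new `ApplicationMessage` docstring still names `__message` as a parameter, which reads as if it were still accepted from the request, the very thing this commit removes. Going by the removed warning text, `__message` may only be given to `.build_url` and messages otherwise arrive through `form.set_message` / `_cwmsgid`. Wording such as `"""display messages set via form.set_message (_cwmsgid), or __message passed to build_url, into a special div section"""` would say that; confirm the `build_url` part against the implementation, which is outside this diff.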