[web] stop accepting the magic __message form parameter
This has been deprecated for a while, and replaced by _cwmsgid, which
doesn't allow arbitrary content.
--- a/web/form.py Thu Oct 02 16:34:38 2014 +0200
+++ b/web/form.py Thu Oct 02 17:18:29 2014 +0200
@@ -83,7 +83,7 @@
domid = 'form'
copy_nav_params = False
control_fields = set( ('__form_id', '__errorurl', '__domid',
- '__redirectpath', '_cwmsgid', '__message',
+ '__redirectpath', '_cwmsgid',
) )
def __init__(self, req, rset=None, row=None, col=None,
--- a/web/request.py Thu Oct 02 16:34:38 2014 +0200
+++ b/web/request.py Thu Oct 02 17:18:29 2014 +0200
@@ -237,7 +237,6 @@
no_script_form_params = set(('vid',
'etype',
'vtitle', 'title',
- '__message',
'__redirectvid', '__redirectrql'))
def setup_params(self, params):
@@ -260,14 +259,6 @@
val = self.no_script_form_param(param, val)
if param == '_cwmsgid':
self.set_message_id(val)
- elif param == '__message':
- warn('[3.13] __message in request parameter is deprecated (may '
- 'only be given to .build_url). Seeing this message usualy '
- 'means your application hold some <form> where you should '
- 'replace use of __message hidden input by form.set_message, '
- 'so new _cwmsgid mechanism is properly used',
- DeprecationWarning)
- self.set_message(val)
else:
self.form[param] = val
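Review bot: With the `elif` branch gone, a `__message` parameter now falls into the `else` and is stored in `self.form`, and since the previous hunk also drops it from `no_script_form_params` it is presumably stored without the markup cleaning that `vid` and `vtitle` still get (the test guarding `no_script_form_param` is outside the hunk, so confirm). Any view or cube that still reads `form['__message']` and renders it would then be handling raw client content. Discarding the parameter explicitly makes the rejection real: `elif param == '__message': pass  # no longer accepted; only _cwmsgid sets a message`. The same applies to the identical hunk in wsgi/request.py, and if `warn` has no other caller in either module its import is now unused.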
--- a/web/test/unittest_application.py Thu Oct 02 16:34:38 2014 +0200
+++ b/web/test/unittest_application.py Thu Oct 02 17:18:29 2014 +0200
@@ -281,8 +281,7 @@
"""test against current script injection"""
injected = '<i>toto</i>'
cleaned = 'toto'
- for kwargs in ({'__message': injected},
- {'vid': injected},
+ for kwargs in ({'vid': injected},
{'vtitle': injected},
):
yield self._test_cleaned, kwargs, injected, cleaned
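Review bot: Removing the `{'__message': injected}` case leaves the new behaviour untested, since nothing here asserts that a request carrying `__message` no longer produces a message or reaches the page. A regression case next to this loop that sends `__message` with the `injected` value and checks that the markup is absent from the rendered output would pin the rejection and catch a reintroduction. The test method starts above the hunk, so how `_test_cleaned` builds the request is not visible here and a separate helper may be needed.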
--- a/web/views/basecomponents.py Thu Oct 02 16:34:38 2014 +0200
+++ b/web/views/basecomponents.py Thu Oct 02 17:18:29 2014 +0200
@@ -182,8 +182,8 @@
class ApplicationMessage(component.Component):
- """display messages given using the __message parameter into a special div
- section
+ """display messages given using the __message/_cwmsgid parameter into a
+ special div section
"""
__select__ = yes()
__regid__ = 'applmessages'
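Review bot: The updated docstring still lists `__message` as a parameter, which reads as if the request parameter were still honoured even though this commit stops accepting it. Going by the removed deprecation text, `__message` is only meant to be passed to `.build_url`, so wording such as `"""display messages registered through _cwmsgid (form.set_message, or __message given to build_url) in a special div section"""` would state the contract; confirm against `build_url`, which is not shown. The class body continues past the hunk.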
--- a/wsgi/request.py Thu Oct 02 16:34:38 2014 +0200
+++ b/wsgi/request.py Thu Oct 02 17:18:29 2014 +0200
@@ -162,13 +162,5 @@
val = self.no_script_form_param(param, val)
if param == '_cwmsgid':
self.set_message_id(val)
- elif param == '__message':
- warn('[3.13] __message in request parameter is deprecated (may '
- 'only be given to .build_url). Seeing this message usualy '
- 'means your application hold some <form> where you should '
- 'replace use of __message hidden input by form.set_message, '
- 'so new _cwmsgid mechanism is properly used',
- DeprecationWarning)
- self.set_message(val)
else:
self.form[param] = val