[entities] properly escape in EmailAddress.printable_value when format is html. Closes #3064025
--- a/entities/lib.py Wed Jul 31 21:59:13 2013 +0200
+++ b/entities/lib.py Thu Aug 01 15:51:22 2013 +0200
@@ -1,4 +1,4 @@
-# copyright 2003-2011 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
+# copyright 2003-2013 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
# contact http://www.logilab.fr/ -- mailto:contact@logilab.fr
#
# This file is part of CubicWeb.
@@ -15,14 +15,15 @@
#
# You should have received a copy of the GNU Lesser General Public License along
# with CubicWeb. If not, see <http://www.gnu.org/licenses/>.
-"""entity classes for optional library entities
+"""entity classes for optional library entities"""
-"""
__docformat__ = "restructuredtext en"
from urlparse import urlsplit, urlunsplit
from datetime import datetime
+from logilab.mtconverter import xml_escape
+
from cubicweb import UnknownProperty
from cubicweb.entity import _marker
from cubicweb.entities import AnyEntity, fetch_config
@@ -81,7 +82,10 @@
format='text/html'):
"""overriden to return displayable address when necessary"""
if attr == 'address':
- return self.display_address()
+ address = self.display_address()
+ if format == 'text/html':
+ address = xml_escape(address)
+ return address
return super(EmailAddress, self).printable_value(attr, value, attrtype, format)
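Review bot: The new escaping branch is an exact comparison, `if format == 'text/html':`, so any other markup format a caller passes would still get the raw address back. If other HTML-family formats can reach this method, the check should cover them. The docstring also does not mention the changed contract; something like `"""return the displayable address, XML-escaped when format is 'text/html'"""` would tell callers not to escape the result a second time. Existing callers that already wrap `printable_value('address')` in their own escaping would now double-encode `&`, so they are worth a grep. The method's signature starts above this hunk, so the full parameter list is not visible here.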
--- a/entities/test/unittest_base.py Wed Jul 31 21:59:13 2013 +0200
+++ b/entities/test/unittest_base.py Thu Aug 01 15:51:22 2013 +0200
@@ -82,12 +82,19 @@
self.assertEqual(email.display_address(), 'maarten.ter.huurne@philips.com')
self.assertEqual(email.printable_value('address'), 'maarten.ter.huurne@philips.com')
self.vreg.config.global_set_option('mangle-emails', True)
- self.assertEqual(email.display_address(), 'maarten.ter.huurne at philips dot com')
- self.assertEqual(email.printable_value('address'), 'maarten.ter.huurne at philips dot com')
- email = self.execute('INSERT EmailAddress X: X address "syt"').get_entity(0, 0)
- self.assertEqual(email.display_address(), 'syt')
- self.assertEqual(email.printable_value('address'), 'syt')
+ try:
+ self.assertEqual(email.display_address(), 'maarten.ter.huurne at philips dot com')
+ self.assertEqual(email.printable_value('address'), 'maarten.ter.huurne at philips dot com')
+ email = self.execute('INSERT EmailAddress X: X address "syt"').get_entity(0, 0)
+ self.assertEqual(email.display_address(), 'syt')
+ self.assertEqual(email.printable_value('address'), 'syt')
+ finally:
+ self.vreg.config.global_set_option('mangle-emails', False)
+ def test_printable_value_escape(self):
+ email = self.execute('INSERT EmailAddress X: X address "maarten&ter@philips.com"').get_entity(0, 0)
+ self.assertEqual(email.printable_value('address'), 'maarten&ter@philips.com')
+ self.assertEqual(email.printable_value('address', format='text/plain'), 'maarten&ter@philips.com')
class CWUserTC(BaseEntityTC):
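Review bot: In `test_printable_value_escape` both assertions expect the same string, `maarten&ter@philips.com`, for the default html format and for `format='text/plain'`, so as shown the test cannot tell whether escaping happens. Unless the page rendering decoded the entity, the default-format expectation should be the escaped form: `self.assertEqual(email.printable_value('address'), 'maarten&amp;ter@philips.com')`. An extra case with `<` or a quote character in the stored address, if the schema accepts one, would pin the behaviour for the characters that matter most in HTML output. It would also help to assert the escaped result with `mangle-emails` enabled, since that path goes through `display_address()` as well.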