[entities] properly escape in EmailAddress.printable_value when format is html. Closes #3064025 stable
authorSylvain Thénault <sylvain.thenault@logilab.fr>
Thu, 01 Aug 2013 15:51:22 +0200
branchstable
changeset 9211 d45d66d94baa
parent 9210 fdd74b8dace8
child 9212 0d346a0a1451
[entities] properly escape in EmailAddress.printable_value when format is html. Closes #3064025
entities/lib.py
entities/test/unittest_base.py
--- a/entities/lib.py	Wed Jul 31 21:59:13 2013 +0200
+++ b/entities/lib.py	Thu Aug 01 15:51:22 2013 +0200
@@ -1,4 +1,4 @@
-# copyright 2003-2011 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
+# copyright 2003-2013 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
 # contact http://www.logilab.fr/ -- mailto:contact@logilab.fr
 #
 # This file is part of CubicWeb.
@@ -15,14 +15,15 @@
 #
 # You should have received a copy of the GNU Lesser General Public License along
 # with CubicWeb.  If not, see <http://www.gnu.org/licenses/>.
-"""entity classes for optional library entities
+"""entity classes for optional library entities"""
 
-"""
 __docformat__ = "restructuredtext en"
 
 from urlparse import urlsplit, urlunsplit
 from datetime import datetime
 
+from logilab.mtconverter import xml_escape
+
 from cubicweb import UnknownProperty
 from cubicweb.entity import _marker
 from cubicweb.entities import AnyEntity, fetch_config
@@ -81,7 +82,10 @@
                         format='text/html'):
         """overriden to return displayable address when necessary"""
         if attr == 'address':
-            return self.display_address()
+            address = self.display_address()
+            if format == 'text/html':
+                address = xml_escape(address)
+            return address
         return super(EmailAddress, self).printable_value(attr, value, attrtype, format)
 
 
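Review bot: The guard added at `if format == 'text/html':` escapes only on an exact string match, so a caller passing any other markup-targeted format (or `None`) still gets the raw address back, while the existing plain/mangled branches are unchanged; failing closed by escaping unless the target is explicitly plain text, `if format != 'text/plain': address = xml_escape(address)`, would be the safer shape, provided the other formats accepted by the base `printable_value` are all markup — worth confirming there. The docstring on the line above should also state the new contract, e.g. `"""overriden to return the displayable address, xml-escaped when format is text/html"""`. The accompanying test in entities/test/unittest_base.py exercises only `&`; an address containing `<` and `>` would pin the escaping of tag characters too. The enclosing `printable_value` definition starts above this hunk.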
--- a/entities/test/unittest_base.py	Wed Jul 31 21:59:13 2013 +0200
+++ b/entities/test/unittest_base.py	Thu Aug 01 15:51:22 2013 +0200
@@ -82,12 +82,19 @@
         self.assertEqual(email.display_address(), 'maarten.ter.huurne@philips.com')
         self.assertEqual(email.printable_value('address'), 'maarten.ter.huurne@philips.com')
         self.vreg.config.global_set_option('mangle-emails', True)
-        self.assertEqual(email.display_address(), 'maarten.ter.huurne at philips dot com')
-        self.assertEqual(email.printable_value('address'), 'maarten.ter.huurne at philips dot com')
-        email = self.execute('INSERT EmailAddress X: X address "syt"').get_entity(0, 0)
-        self.assertEqual(email.display_address(), 'syt')
-        self.assertEqual(email.printable_value('address'), 'syt')
+        try:
+            self.assertEqual(email.display_address(), 'maarten.ter.huurne at philips dot com')
+            self.assertEqual(email.printable_value('address'), 'maarten.ter.huurne at philips dot com')
+            email = self.execute('INSERT EmailAddress X: X address "syt"').get_entity(0, 0)
+            self.assertEqual(email.display_address(), 'syt')
+            self.assertEqual(email.printable_value('address'), 'syt')
+        finally:
+            self.vreg.config.global_set_option('mangle-emails', False)
 
+    def test_printable_value_escape(self):
+        email = self.execute('INSERT EmailAddress X: X address "maarten&ter@philips.com"').get_entity(0, 0)
+        self.assertEqual(email.printable_value('address'), 'maarten&amp;ter@philips.com')
+        self.assertEqual(email.printable_value('address', format='text/plain'), 'maarten&ter@philips.com')
 
 class CWUserTC(BaseEntityTC):