upstream/mercurial-mirror Commit - r18750:c9d923f5

minirst: CGI escape strings prior to embedding it in the HTML

Dan Villiom Podlaski Christiansen -

r18750:c9d923f5 default

parent child

mercurial/minirst.py

0 +19 -14

             import util, encoding
             from i18n import _
+            import cgi
             def section(s):
                 return "%s\n%s\n\n" % (s, "\"" * encoding.colwidth(s))
                 headernest = ''
                 listnest = []
+                def escape(s):
+                    return cgi.escape(s, True)
                 def openlist(start, level):
                     if not listnest or listnest[-1][0] != start:
                         listnest.append((start, level))
                     lines = b['lines']
                     if btype == 'admonition':
-                        admonition = _admonitiontitles[b['admonitiontitle']]
+                        admonition = escape(_admonitiontitles[b['admonitiontitle']])
-                        text = ' '.join(map(str.strip, lines))
+                        text = escape(' '.join(map(str.strip, lines)))
                         out.append('<p>\n<b>%s</b> %s\n</p>\n' % (admonition, text))
                     elif btype == 'paragraph':
-                        out.append('<p>\n%s\n</p>\n' % '\n'.join(lines))
+                        out.append('<p>\n%s\n</p>\n' % escape('\n'.join(lines)))
                     elif btype == 'margin':
                         pass
                     elif btype == 'literal':
-                        out.append('<pre>\n%s\n</pre>\n' % '\n'.join(lines))
+                        out.append('<pre>\n%s\n</pre>\n' % escape('\n'.join(lines)))
                     elif btype == 'section':
                         i = b['underline']
                         if i not in headernest:
                             headernest += i
                         level = headernest.index(i) + 1
-                        out.append('<h%d>%s</h%d>\n' % (level, lines[0], level))
+                        out.append('<h%d>%s</h%d>\n' % (level, escape(lines[0]), level))
                     elif btype == 'table':
                         table = b['table']
                         t = []
                         for row in table:
                             l = []
-                            for v in zip(row):
+                            for v in row:
-                                l.append('<td>%s</td>' % v)
+                                l.append('<td>%s</td>' % escape(v))
                             t.append(' <tr>%s</tr>\n' % ''.join(l))
                         out.append('<table>\n%s</table>\n' % ''.join(t))
                     elif btype == 'definition':
                         openlist('dl', level)
-                        term = lines[0]
+                        term = escape(lines[0])
-                        text = ' '.join(map(str.strip, lines[1:]))
+                        text = escape(' '.join(map(str.strip, lines[1:])))
                         out.append(' <dt>%s\n <dd>%s\n' % (term, text))
                     elif btype == 'bullet':
                         bullet, head = lines[0].split(' ', 1)
                             openlist('ul', level)
                         else:
                             openlist('ol', level)
-                        out.append(' <li> %s\n' % ' '.join([head] + lines[1:]))
+                        out.append(' <li> %s\n' % escape(' '.join([head] + lines[1:])))
                     elif btype == 'field':
                         openlist('dl', level)
-                        key = b['key']
+                        key = escape(b['key'])
-                        text = ' '.join(map(str.strip, lines))
+                        text = escape(' '.join(map(str.strip, lines)))
                         out.append(' <dt>%s\n <dd>%s\n' % (key, text))
                     elif btype == 'option':
                         openlist('dl', level)
-                        opt = b['optstr']
+                        opt = escape(b['optstr'])
-                        desc = ' '.join(map(str.strip, lines))
+                        desc = escape(' '.join(map(str.strip, lines)))
                         out.append(' <dt>%s\n <dd>%s\n' % (opt, desc))
                     # close lists if indent level of next block is lower

tests/test-help.t

0 +8 -8

               </p>
               <p>
               The files will be added to the repository at the next commit. To
-              undo an add before that, see "hg forget".
+              undo an add before that, see &quot;hg forget&quot;.
               </p>
               <p>
               If no names are given, add all files to the repository.
               </p>
               <p>
               This command schedules the files to be removed at the next commit.
-              To undo a remove before that, see "hg revert". To undo added
+              To undo a remove before that, see &quot;hg revert&quot;. To undo added
-              files, see "hg forget".
+              files, see &quot;hg forget&quot;.
               </p>
               <p>
               Returns 0 on success, 1 if any warnings encountered.
               Any other string is treated as a bookmark, tag, or branch name. A
               bookmark is a movable pointer to a revision. A tag is a permanent name
               associated with a revision. A branch name denotes the tipmost revision
-              of that branch. Bookmark, tag, and branch names must not contain the ":"
+              of that branch. Bookmark, tag, and branch names must not contain the &quot;:&quot;
               character.
               </p>
               <p>
-              The reserved name "tip" always identifies the most recent revision.
+              The reserved name &quot;tip&quot; always identifies the most recent revision.
               </p>
               <p>
-              The reserved name "null" indicates the null revision. This is the
+              The reserved name &quot;null&quot; indicates the null revision. This is the
               revision of an empty repository, and the parent of revision 0.
               </p>
               <p>
-              The reserved name "." indicates the working directory parent. If no
+              The reserved name &quot;.&quot; indicates the working directory parent. If no
               working directory is checked out, it is equivalent to null. If an
-              uncommitted merge is in progress, "." is the revision of the first
+              uncommitted merge is in progress, &quot;.&quot; is the revision of the first
               parent.
               </p>

tests/test-minirst.py.out

0 +2 -2

             html format:
             ----------------------------------------------------------------------
             <p>
-            Please see "hg add".
+            Please see &quot;hg add&quot;.
             </p>
             ----------------------------------------------------------------------
             <h1>Title</h1>
             <h2>Section</h2>
             <h3>Subsection</h3>
-            <h2>Markup: "foo" and "hg help"</h2>
+            <h2>Markup: &quot;foo&quot; and &quot;hg help&quot;</h2>
             ----------------------------------------------------------------------
             == admonitions ==

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages