This is an automated email from the ASF dual-hosted git repository. brondsem pushed a commit to branch db/8536 in repository https://gitbox.apache.org/repos/asf/allura.git
commit 8fb39f641df098feef390709997234bc77e0bc57
Author: Dave Brondsema <dbronds...@slashdotmedia.com>
AuthorDate: Fri Feb 9 11:23:44 2024 -0500
[#8536] use Markup's own interpolation
---
Allura/allura/lib/app_globals.py | 15 +++++--------
Allura/allura/lib/search.py | 2 +-
Allura/allura/lib/utils.py | 10 ++++-----
Allura/allura/lib/widgets/forms.py | 27 ++++++++++-------------
Allura/allura/tasks/mail_tasks.py | 2 +-
Allura/allura/tests/test_globals.py | 1 +
ForgeActivity/forgeactivity/templates/macros.html | 2 +-
ForgeTracker/forgetracker/model/ticket.py | 2 +-
ForgeTracker/forgetracker/widgets/ticket_form.py | 2 +-
9 files changed, 28 insertions(+), 35 deletions(-)
diff --git a/Allura/allura/lib/app_globals.py b/Allura/allura/lib/app_globals.py
index eadabd9bd..9cc3d86bb 100644
--- a/Allura/allura/lib/app_globals.py
+++ b/Allura/allura/lib/app_globals.py
@@ -99,17 +99,14 @@ class ForgeMarkdown:
 # if text is too big, markdown can take a long time to process it,
 # so we return it as a plain text
 log.info('Text is too big. Skipping markdown processing')
- escaped = html.escape(h.really_unicode(source))
- return Markup('<pre>%s</pre>' % escaped)
+ return Markup('<pre>{}</pre>').format(h.really_unicode(source))
 try:
 return self.make_markdown_instance(**self.forge_ext_kwargs).convert(source)
 except Exception:
 log.info('Invalid markdown: %s Upwards trace is %s', source,
 ''.join(traceback.format_stack()), exc_info=True)
- escaped = h.really_unicode(source)
- escaped = html.escape(escaped)
 return Markup("""<p><strong>ERROR!</strong> The markdown supplied could not be parsed correctly.
- Did you forget to surround a code snippet with "~~~~"?</p><pre>%s</pre>""" % escaped)
+ Did you forget to surround a code snippet with "~~~~"?</p><pre>%s</pre>""") % h.really_unicode(source)

 @LazyProperty
 def uncacheable_macro_regex(self):
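Review bot: Both rewritten returns now delegate escaping to markupsafe's `__html__` protocol, which leaves any value that is already a `Markup` untouched, whereas the removed `html.escape` calls encoded the text unconditionally; `h.really_unicode` is not visible here, and if it hands a `str` subclass back unchanged, a `Markup`-typed `source` would land raw inside the `<pre>`. If that can happen, coerce to a plain string first, `return Markup('<pre>{}</pre>').format(str(h.really_unicode(source)))`, and likewise `% str(h.really_unicode(source))` in the error branch. The two branches also now use different interpolation operators (`.format` versus `%`) for the same job, so picking one would make the escaping behaviour easier to audit. The enclosing method starts outside the hunk.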
@@ -471,10 +468,8 @@ class Globals:
 lexer = pygments.lexers.get_lexer_by_name(lexer, encoding='chardet')
 if lexer is None or len(text) >= asint(config.get('scm.view.max_syntax_highlight_bytes', 500000)):
- # no highlighting, but we should escape, encode, and wrap it in
- # a <pre>
- text = html.escape(text)
- return Markup('<pre>' + text + '</pre>')
+ # no highlighting, but we should wrap it in a <pre> safely
+ return Markup('<pre>{}</pre>').format(text)
 else:
 return Markup(pygments.highlight(text, lexer, formatter))
@@ -686,7 +681,7 @@ class Icon:
 if tag == 'a':
 attrs['href'] = '#'
 attrs.update(kw)
- attrs = ew._Jinja2Widget().j2_attrs(attrs)
+ attrs = ew._Jinja2Widget().j2_attrs(attrs) # this escapes them
 visible_title = ''
 if show_title:
 visible_title = f' {Markup.escape(title)}'
diff --git a/Allura/allura/lib/search.py b/Allura/allura/lib/search.py
index 27a29f738..388384798 100644
--- a/Allura/allura/lib/search.py
+++ b/Allura/allura/lib/search.py
@@ -409,4 +409,4 @@ def mapped_artifacts_from_index_ids(index_ids, model, objectid_id=True):
 map = {}
 for m in models:
 map[str(m._id)] = m
- return map
\ No newline at end of file
+ return map
diff --git a/Allura/allura/lib/utils.py b/Allura/allura/lib/utils.py
index 683a7fcae..0cf6b8c3c 100644
--- a/Allura/allura/lib/utils.py
+++ b/Allura/allura/lib/utils.py
@@ -211,10 +211,10 @@ def chunked_iter(iterable, max_size):
 class AntiSpam:
 '''Helper class for bot-protecting forms'''
- honey_field_template = string.Template('''<p class="$honey_class">
- <label for="$fld_id">You seem to have CSS turned off.
+ honey_field_template = '''<p class="{honey_class}">
+ <label for="{fld_id}">You seem to have CSS turned off.
 Please don't fill out this field.</label><br>
- <input id="$fld_id" name="$fld_name" type="text"><br></p>''')
+ <input id="{fld_id}" name="{fld_name}" type="text"><br></p>'''

 def __init__(self, request=None, num_honey=2, timestamp=None, spinner=None):
 self.num_honey = num_honey
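Review bot: `text` reaches the new `Markup('<pre>{}</pre>').format(text)` with no type check, and the lexer on the line above is built with `encoding='chardet'`, which suggests this path may also see `bytes`; markupsafe's escape turns a non-`str` value into `str(value)`, so a byte string would be rendered as a literal `b'...'` blob rather than the file contents (the removed `html.escape` would have raised a `TypeError` instead of emitting that). If bytes are possible here, decode before interpolating, `return Markup('<pre>{}</pre>').format(h.really_unicode(text))`, since `h` is already used in this module. The same call also no longer escapes a value that is already `Markup`; if that is intended, say so next to the return, `# Markup.format escapes plain str; an already-Markup text is trusted as-is`. The enclosing method starts outside the hunk.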
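Review bot: With `string.Template` gone from this class attribute, the `import string` at the top of utils.py may now be unused; that import is outside the hunk, so it is worth checking and dropping if nothing else references it. Because the template is later wrapped with `Markup(...)` at every render, the trust boundary would be clearer if it were declared once where the HTML is written, `honey_field_template = Markup('''<p class="{honey_class}">` ... `<br></p>''')`, so a reader sees at the definition that this literal is treated as safe HTML and that `.format` will escape the substituted values. Any literal `{` or `}` added to this template in future must be doubled now that it is a `str.format` template; a short comment above it saying so would prevent a confusing `KeyError` later.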
@@ -307,10 +307,10 @@ class AntiSpam:
 for fldno in range(self.num_honey):
 fld_name = self.enc('honey%d' % (fldno))
 fld_id = self.enc('honey%d%d' % (self.counter, fldno))
- yield Markup(self.honey_field_template.substitute(
+ yield Markup(self.honey_field_template).format(
 honey_class=self.honey_class,
 fld_id=fld_id,
- fld_name=fld_name))
+ fld_name=fld_name)
 self.counter += 1

 def make_spinner(self, timestamp=None):
diff --git a/Allura/allura/lib/widgets/forms.py b/Allura/allura/lib/widgets/forms.py
index 5252819e1..134cd6f40 100644
--- a/Allura/allura/lib/widgets/forms.py
+++ b/Allura/allura/lib/widgets/forms.py
@@ -102,8 +102,7 @@ class ForgeForm(ew.SimpleForm):
 or ctx.get('label')
 or getattr(field, 'label', None)
 or ctx['name'])
- html = '<label for="{}">{}</label>'.format(html_escape(ctx['id']), html_escape(label_text))
- return Markup(html)
+ return Markup('<label for="{}">{}</label>').format(ctx['id'], label_text)

 def context_for(self, field):
 ctx = super().context_for(field)
@@ -115,9 +114,8 @@ class ForgeForm(ew.SimpleForm):
 ctx = self.context_for(field)
 display = field.display(**ctx)
 if ctx['errors'] and field.show_errors and not ignore_errors:
- display = "{}<div class='error'>{}</div>".format(display,
- ctx['errors'])
- return Markup(display)
+ display += Markup("<div class='error'>{}</div>").format(ctx['errors'])
+ return display


 class ForgeFormResponsive(ForgeForm):
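Review bot: The label is no longer escaped unconditionally: `Markup.format` honours `__html__`, so a `label_text` that arrives as a `Markup` (via `ctx.get('label')` or a field's `label` attribute) is emitted verbatim, where the removed `html_escape(label_text)` would have encoded it. That is presumably the point of the change, but it moves the trust decision to whoever builds the field label, so every place that wraps a label in `Markup` must be sure the text is not user-supplied. A one-line comment at the return would record the contract: `# Markup.format escapes plain str; a Markup label is trusted HTML by design`. The enclosing method starts outside the hunk.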
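Review bot: Dropping the `Markup(display)` wrapper changes what this method returns whenever `field.display(**ctx)` yields a plain `str`: the no-error path now returns an unmarked string that an autoescaping template will encode, and on the error path `str += Markup` dispatches to `Markup.__radd__`, which escapes the rendered field HTML before appending the error div. If `field.display` is guaranteed to return `Markup` this is fine and deserves a comment, `# field.display returns Markup; += keeps it Markup and escapes only ctx['errors']`; otherwise keep the coercion, `display = Markup(field.display(**ctx))`. The method's signature is outside the hunk.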
@@ -852,18 +850,18 @@ class NeighborhoodOverviewForm(ForgeForm):
 def display_field(self, field, ignore_errors=False):
 if field.name == "css" and self.list_color_inputs:
- display = '<table class="table_class">'
+ display = Markup('<table class="table_class">')
 ctx = self.context_for(field)
 for inp in self.color_inputs:
 additional_inputs = inp.get('additional', '')
 empty_val = False
 if inp['value'] is None or inp['value'] == '':
 empty_val = True
- display += '<tr><td class="left"><label>%(label)s</label></td>' \
'<td><input type="checkbox" name="%(ctx_name)s-%(inp_name)s-def" %(def_checked)s>default</td>' \
'<td class="right"><div class="%(ctx_name)s-%(inp_name)s-inp"><table class="input_inner">' \
'<tr><td><input type="text" class="%(inp_type)s" name="%(ctx_name)s-%(inp_name)s" ' \
'value="%(inp_value)s"></td><td>%(inp_additional)s</td></tr></table></div></td></tr>\n' % {
+ display += Markup('<tr><td class="left"><label>%(label)s</label></td>'
'<td><input type="checkbox" name="%(ctx_name)s-%(inp_name)s-def" %(def_checked)s>default</td>'
'<td class="right"><div class="%(ctx_name)s-%(inp_name)s-inp"><table class="input_inner">'
'<tr><td><input type="text" class="%(inp_type)s" name="%(ctx_name)s-%(inp_name)s" '
'value="%(inp_value)s"></td><td>%(inp_additional)s</td></tr></table></div></td></tr>\n') % {
 'ctx_name': ctx['name'],
 'inp_name': inp['name'],
 'inp_value': inp['value'],
@@ -871,13 +869,12 @@ class NeighborhoodOverviewForm(ForgeForm):
 'inp_type': inp['type'],
 'def_checked': 'checked="checked"' if empty_val else '',
 'inp_additional': additional_inputs}
- display += '</table>'
+ display += Markup('</table>')
 if ctx['errors'] and field.show_errors and not ignore_errors:
- display = "{}<div class='error'>{}</div>".format(display,
- ctx['errors'])
+ display += Markup("<div class='error'>{}</div>").format(ctx['errors'])
- return Markup(display)
+ return display
 else:
 return super().display_field(field, ignore_errors)
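Review bot: Switching the row template to `Markup(...) % {...}` escapes every substituted value, and that includes fragments the template treats as raw markup: `%(inp_additional)s` receives `additional_inputs = inp.get('additional', '')`, which is placed inside a `<td>` as if it were HTML, so any markup carried in `additional` will now be rendered as visible text; `%(inp_value)s` and the name/class values are the ones that gain real protection. If `additional` is trusted HTML built in code, mark it as such where it is read, `additional_inputs = Markup(inp.get('additional', ''))`; if it is not, the escaping is the right outcome and a comment saying so would stop a future reader from "fixing" it. The dict literal and the `%` application continue into the next hunk.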
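Review bot: `'def_checked': 'checked="checked"' if empty_val else ''` is a plain `str`, and now that the template it feeds is a `Markup` the `%` interpolation escapes its quotes, producing `checked=&#34;checked&#34;` inside the `<input>` tag; browsers still treat the attribute as present, so the box stays checked, but the emitted HTML is no longer what the template intends. Make the fragment explicitly trusted, `'def_checked': Markup('checked="checked"') if empty_val else ''`, or simpler, emit the bare attribute `'def_checked': 'checked' if empty_val else ''`, which needs no quoting at all. The `display += Markup(...) % {` statement this dict belongs to begins in the previous hunk.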
diff --git a/Allura/allura/tasks/mail_tasks.py b/Allura/allura/tasks/mail_tasks.py
index 8aae497c4..dd16f7caa 100644
--- a/Allura/allura/tasks/mail_tasks.py
+++ b/Allura/allura/tasks/mail_tasks.py
@@ -48,7 +48,7 @@ def mail_meta_content(metalink):
 <meta itemprop="name" content="View"></meta>
 </div>
 <meta itemprop="description" content="View"></meta>
- </div>""" % metalink)
+ </div>""") % metalink


 @task
diff --git a/Allura/allura/tests/test_globals.py b/Allura/allura/tests/test_globals.py
index 627c633e6..5240229ec 100644
--- a/Allura/allura/tests/test_globals.py
+++ b/Allura/allura/tests/test_globals.py
@@ -441,6 +441,7 @@ class Test():
 text = 'a' * 40001
 assert g.markdown.convert(text) == '<pre>%s</pre>' % text
 assert g.markdown_wiki.convert(text) == '<pre>%s</pre>' % text
+ assert g.markdown.convert('<b>' + text) == '<pre><b>%s</pre>' % text

 def test_markdown_basics(self):
 with h.push_context('test', 'wiki', neighborhood='Projects'):
diff --git a/ForgeActivity/forgeactivity/templates/macros.html b/ForgeActivity/forgeactivity/templates/macros.html
index 8b08adbf0..970da40d0 100644
--- a/ForgeActivity/forgeactivity/templates/macros.html
+++ b/ForgeActivity/forgeactivity/templates/macros.html
@@ -66,4 +66,4 @@
 </ul>
 <a class="view-all" href="{{activity_app.url}}">View All</a>
 {% endif %}
-{%- endmacro %}
\ No newline at end of file
+{%- endmacro %}
diff --git a/ForgeTracker/forgetracker/model/ticket.py b/ForgeTracker/forgetracker/model/ticket.py
index bc6910df8..de099a372 100644
--- a/ForgeTracker/forgetracker/model/ticket.py
+++ b/ForgeTracker/forgetracker/model/ticket.py
@@ -679,7 +679,7 @@ class Ticket(VersionedArtifact, ActivityObject, VotableArtifact):
 def link_text(self):
 text = super().link_text()
 if self.is_closed:
- return markupsafe.Markup('<s>') + text + markupsafe.Markup('</s>')
+ return markupsafe.Markup('<s>{}</s>').format(text)
 return text

 @property
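Review bot: As printed here the new assertion expects `'<pre><b>%s</pre>' % text`, i.e. an unescaped `<b>` inside the `<pre>`, which is the opposite of what the `Markup.format` change in `app_globals.py` is meant to guarantee for over-long input; if the mail rendering decoded entities, the intended value is `'<pre>&lt;b&gt;%s</pre>' % text`, and if not, the assertion only passes when the tag is passed through raw. Either way the expected string deserves a look in the repository, and a second check that does not depend on the exact entity form, `assert '<b>' not in g.markdown.convert('<b>' + text)`, would make the intent unambiguous. The test method's `def` line is outside the hunk.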
diff --git a/ForgeTracker/forgetracker/widgets/ticket_form.py b/ForgeTracker/forgetracker/widgets/ticket_form.py
index 1781eb804..7b960c1f9 100644
--- a/ForgeTracker/forgetracker/widgets/ticket_form.py
+++ b/ForgeTracker/forgetracker/widgets/ticket_form.py
@@ -79,7 +79,7 @@ class GenericTicketForm(ew.SimpleForm):
 display = field.display(**ctx)
 if ctx['errors'] and field.show_errors and not ignore_errors:
- display += Markup("<div class='error'>") + ctx['errors'] + Markup("</div>")
+ display += Markup("<div class='error'>{}</div>").format(ctx['errors'])
 return display

 def _add_current_value_to_user_field(self, field, user):
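Review bot: This error-div line is now the third copy of the same snippet in this commit (`ForgeForm.display_field` and `NeighborhoodOverviewForm.display_field` in forms.py carry the identical `Markup("<div class='error'>{}</div>").format(ctx['errors'])`), so the escaping rule for error text lives in three places; a small helper on the base form, `def _error_div(errors): return Markup("<div class='error'>{}</div>").format(errors)`, would keep it in one. The `+=` also relies on `display` already being `Markup`: if `field.display` ever returned a plain `str`, `Markup.__radd__` would escape the rendered field HTML, which is worth stating in place, `# display is Markup; += keeps it Markup and escapes only ctx['errors']`. The method's signature is outside the hunk.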