This is an automated email from the ASF dual-hosted git repository.

brondsem pushed a commit to branch db/8536
in repository https://gitbox.apache.org/repos/asf/allura.git

commit 8fb39f641df098feef390709997234bc77e0bc57
Author: Dave Brondsema <dbronds...@slashdotmedia.com>
AuthorDate: Fri Feb 9 11:23:44 2024 -0500

    [#8536] use Markup's own interpolation
---
 Allura/allura/lib/app_globals.py                  | 15 +++++--------
 Allura/allura/lib/search.py                       |  2 +-
 Allura/allura/lib/utils.py                        | 10 ++++-----
 Allura/allura/lib/widgets/forms.py                | 27 ++++++++++-------------
 Allura/allura/tasks/mail_tasks.py                 |  2 +-
 Allura/allura/tests/test_globals.py               |  1 +
 ForgeActivity/forgeactivity/templates/macros.html |  2 +-
 ForgeTracker/forgetracker/model/ticket.py         |  2 +-
 ForgeTracker/forgetracker/widgets/ticket_form.py  |  2 +-
 9 files changed, 28 insertions(+), 35 deletions(-)

diff --git a/Allura/allura/lib/app_globals.py b/Allura/allura/lib/app_globals.py
index eadabd9bd..9cc3d86bb 100644
--- a/Allura/allura/lib/app_globals.py
+++ b/Allura/allura/lib/app_globals.py
@@ -99,17 +99,14 @@ class ForgeMarkdown:
             # if text is too big, markdown can take a long time to process it,
             # so we return it as a plain text
             log.info('Text is too big. Skipping markdown processing')
-            escaped = html.escape(h.really_unicode(source))
-            return Markup('<pre>%s</pre>' % escaped)
+            return Markup('<pre>{}</pre>').format(h.really_unicode(source))
         try:
             return 
self.make_markdown_instance(**self.forge_ext_kwargs).convert(source)
         except Exception:
             log.info('Invalid markdown: %s  Upwards trace is %s', source,
                      ''.join(traceback.format_stack()), exc_info=True)
-            escaped = h.really_unicode(source)
-            escaped = html.escape(escaped)
             return Markup("""<p><strong>ERROR!</strong> The markdown supplied 
could not be parsed correctly.
-            Did you forget to surround a code snippet with 
"~~~~"?</p><pre>%s</pre>""" % escaped)
+            Did you forget to surround a code snippet with 
"~~~~"?</p><pre>%s</pre>""") % h.really_unicode(source)
 
     @LazyProperty
     def uncacheable_macro_regex(self):
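Review bot: The two fallback branches now interpolate differently — the too-big branch uses `Markup('<pre>{}</pre>').format(...)` while the except branch uses `Markup("""...""") % h.really_unicode(source)`; both escape a plain str, but `%` treats a tuple or mapping operand as several arguments, so `.format()` is the safer single form to standardise on: `"~~~~"?</p><pre>{}</pre>""").format(h.really_unicode(source))`. The except branch also has no counterpart to the new escaping assertion added in test_globals.py, so its escaping is not pinned by any test. The method's signature lies above the hunk.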
@@ -471,10 +468,8 @@ class Globals:
             lexer = pygments.lexers.get_lexer_by_name(lexer, 
encoding='chardet')
 
         if lexer is None or len(text) >= 
asint(config.get('scm.view.max_syntax_highlight_bytes', 500000)):
-            # no highlighting, but we should escape, encode, and wrap it in
-            # a <pre>
-            text = html.escape(text)
-            return Markup('<pre>' + text + '</pre>')
+            # no highlighting, but we should wrap it in a <pre> safely
+            return Markup('<pre>{}</pre>').format(text)
         else:
             return Markup(pygments.highlight(text, lexer, formatter))
 
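Review bot: The replaced comment promised to "escape, encode" the text, and the lexer lookup above passes `encoding='chardet'`, which hints that `text` may arrive as bytes; markupsafe's escape str()-ifies non-str values, so `Markup('<pre>{}</pre>').format(b'...')` would not raise but would render the escaped `b'…'` repr — a silent output change rather than an error. If bytes can reach this point, normalise before the size guard (`len(text)` is then a byte count, not a character count), e.g. `text = h.really_unicode(text)`, which the module already uses in the ForgeMarkdown hunk above; if `text` is guaranteed str by the caller, a one-line comment saying so would settle it. The enclosing method begins above the hunk.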
@@ -686,7 +681,7 @@ class Icon:
         if tag == 'a':
             attrs['href'] = '#'
         attrs.update(kw)
-        attrs = ew._Jinja2Widget().j2_attrs(attrs)
+        attrs = ew._Jinja2Widget().j2_attrs(attrs)  # this escapes them
         visible_title = ''
         if show_title:
             visible_title = f'&nbsp;{Markup.escape(title)}'
diff --git a/Allura/allura/lib/search.py b/Allura/allura/lib/search.py
index 27a29f738..388384798 100644
--- a/Allura/allura/lib/search.py
+++ b/Allura/allura/lib/search.py
@@ -409,4 +409,4 @@ def mapped_artifacts_from_index_ids(index_ids, model, 
objectid_id=True):
     map = {}
     for m in models:
         map[str(m._id)] = m
-    return map
\ No newline at end of file
+    return map
diff --git a/Allura/allura/lib/utils.py b/Allura/allura/lib/utils.py
index 683a7fcae..0cf6b8c3c 100644
--- a/Allura/allura/lib/utils.py
+++ b/Allura/allura/lib/utils.py
@@ -211,10 +211,10 @@ def chunked_iter(iterable, max_size):
 class AntiSpam:
 
     '''Helper class for bot-protecting forms'''
-    honey_field_template = string.Template('''<p class="$honey_class">
-    <label for="$fld_id">You seem to have CSS turned off.
+    honey_field_template = '''<p class="{honey_class}">
+    <label for="{fld_id}">You seem to have CSS turned off.
         Please don't fill out this field.</label><br>
-    <input id="$fld_id" name="$fld_name" type="text"><br></p>''')
+    <input id="{fld_id}" name="{fld_name}" type="text"><br></p>'''
 
     def __init__(self, request=None, num_honey=2, timestamp=None, 
spinner=None):
         self.num_honey = num_honey
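Review bot: `honey_field_template` is now a plain str whose escaping depends on every use site remembering to wrap it in `Markup(...)` before calling `.format()`, as the `yield` in the following hunk does. Defining the constant as `honey_field_template = Markup('''<p class="{honey_class}">` … `<br></p>''')` ties the escaping of `honey_class`, `fld_id` and `fld_name` to the template itself, and the use site shrinks to `yield self.honey_field_template.format(honey_class=..., fld_id=..., fld_name=...)`. `Markup` is already in scope in this module, since the later hunk calls it.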
@@ -307,10 +307,10 @@ class AntiSpam:
         for fldno in range(self.num_honey):
             fld_name = self.enc('honey%d' % (fldno))
             fld_id = self.enc('honey%d%d' % (self.counter, fldno))
-            yield Markup(self.honey_field_template.substitute(
+            yield Markup(self.honey_field_template).format(
                 honey_class=self.honey_class,
                 fld_id=fld_id,
-                fld_name=fld_name))
+                fld_name=fld_name)
         self.counter += 1
 
     def make_spinner(self, timestamp=None):
diff --git a/Allura/allura/lib/widgets/forms.py 
b/Allura/allura/lib/widgets/forms.py
index 5252819e1..134cd6f40 100644
--- a/Allura/allura/lib/widgets/forms.py
+++ b/Allura/allura/lib/widgets/forms.py
@@ -102,8 +102,7 @@ class ForgeForm(ew.SimpleForm):
             or ctx.get('label')
             or getattr(field, 'label', None)
             or ctx['name'])
-        html = '<label for="{}">{}</label>'.format(html_escape(ctx['id']), 
html_escape(label_text))
-        return Markup(html)
+        return Markup('<label for="{}">{}</label>').format(ctx['id'], 
label_text)
 
     def context_for(self, field):
         ctx = super().context_for(field)
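Review bot: With `Markup(...).format()` doing the escaping, `html_escape` no longer appears in this method; if it has no other use in the module the import should go too, which cannot be confirmed from the hunk. One behavioural difference is worth a comment on the new line: `.format()` honours `__html__`, so a label that is already `Markup` is passed through rather than double-escaped as `html_escape` did — e.g. `# Markup.format escapes plain strs; Markup labels pass through unchanged`. The method's signature lies above the hunk.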
@@ -115,9 +114,8 @@ class ForgeForm(ew.SimpleForm):
         ctx = self.context_for(field)
         display = field.display(**ctx)
         if ctx['errors'] and field.show_errors and not ignore_errors:
-            display = "{}<div class='error'>{}</div>".format(display,
-                                                             ctx['errors'])
-        return Markup(display)
+            display += Markup("<div 
class='error'>{}</div>").format(ctx['errors'])
+        return display
 
 
 class ForgeFormResponsive(ForgeForm):
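Review bot: `display += Markup(...)` and `return display` assume `field.display(**ctx)` already returns a `Markup`; if a widget returns a plain str, `str + Markup` goes through `Markup.__radd__` and escapes the widget's own HTML, and the no-error return is no longer `Markup`-typed as `return Markup(display)` used to guarantee. ticket_form.py already relied on the same assumption before this commit, so this is probably fine, but it deserves either a comment or an explicit normalisation right after the call, `display = Markup(field.display(**ctx))  # keep the return type stable whatever the widget emits`, which matches what the old `Markup(display)` did. The same applies to `NeighborhoodOverviewForm.display_field` further down, which drops its `Markup(display)` wrapper too.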
@@ -852,18 +850,18 @@ class NeighborhoodOverviewForm(ForgeForm):
 
     def display_field(self, field, ignore_errors=False):
         if field.name == "css" and self.list_color_inputs:
-            display = '<table class="table_class">'
+            display = Markup('<table class="table_class">')
             ctx = self.context_for(field)
             for inp in self.color_inputs:
                 additional_inputs = inp.get('additional', '')
                 empty_val = False
                 if inp['value'] is None or inp['value'] == '':
                     empty_val = True
-                display += '<tr><td 
class="left"><label>%(label)s</label></td>' \
-                           '<td><input type="checkbox" 
name="%(ctx_name)s-%(inp_name)s-def" %(def_checked)s>default</td>' \
-                           '<td class="right"><div 
class="%(ctx_name)s-%(inp_name)s-inp"><table class="input_inner">' \
-                           '<tr><td><input type="text" class="%(inp_type)s" 
name="%(ctx_name)s-%(inp_name)s" ' \
-                           
'value="%(inp_value)s"></td><td>%(inp_additional)s</td></tr></table></div></td></tr>\n'
 % {
+                display += Markup('<tr><td 
class="left"><label>%(label)s</label></td>'
+                           '<td><input type="checkbox" 
name="%(ctx_name)s-%(inp_name)s-def" %(def_checked)s>default</td>'
+                           '<td class="right"><div 
class="%(ctx_name)s-%(inp_name)s-inp"><table class="input_inner">'
+                           '<tr><td><input type="text" class="%(inp_type)s" 
name="%(ctx_name)s-%(inp_name)s" '
+                           
'value="%(inp_value)s"></td><td>%(inp_additional)s</td></tr></table></div></td></tr>\n')
 % {
                                'ctx_name': ctx['name'],
                                'inp_name': inp['name'],
                                'inp_value': inp['value'],
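Review bot: Now that the row template is `Markup(...) % {...}`, every mapping value is escaped, and two of them are meant to be raw HTML: `'def_checked': 'checked="checked"'` in the following hunk comes out as `checked=&#34;checked&#34;` (the attribute still takes effect, but the quotes are now literal characters in the value), and `inp_additional`, taken from `inp.get('additional', '')`, is escaped as well if it carries markup — the latter cannot be confirmed from here. For the first, emit the bare attribute and mark it safe: `'def_checked': Markup('checked') if empty_val else '',`; for the second, wrap it in `Markup(...)` only where it is known to be trusted HTML, and otherwise leave the escaping in place. The `%` interpolation starts in this hunk and its mapping continues into the next one.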
@@ -871,13 +869,12 @@ class NeighborhoodOverviewForm(ForgeForm):
                                'inp_type': inp['type'],
                                'def_checked': 'checked="checked"' if empty_val 
else '',
                                'inp_additional': additional_inputs}
-            display += '</table>'
+            display += Markup('</table>')
 
             if ctx['errors'] and field.show_errors and not ignore_errors:
-                display = "{}<div class='error'>{}</div>".format(display,
-                                                                 ctx['errors'])
+                display += Markup("<div 
class='error'>{}</div>").format(ctx['errors'])
 
-            return Markup(display)
+            return display
         else:
             return super().display_field(field, ignore_errors)
 
diff --git a/Allura/allura/tasks/mail_tasks.py 
b/Allura/allura/tasks/mail_tasks.py
index 8aae497c4..dd16f7caa 100644
--- a/Allura/allura/tasks/mail_tasks.py
+++ b/Allura/allura/tasks/mail_tasks.py
@@ -48,7 +48,7 @@ def mail_meta_content(metalink):
       <meta itemprop="name" content="View"></meta>
     </div>
     <meta itemprop="description" content="View"></meta>
-    </div>""" % metalink)
+    </div>""") % metalink
 
 
 @task
diff --git a/Allura/allura/tests/test_globals.py 
b/Allura/allura/tests/test_globals.py
index 627c633e6..5240229ec 100644
--- a/Allura/allura/tests/test_globals.py
+++ b/Allura/allura/tests/test_globals.py
@@ -441,6 +441,7 @@ class Test():
         text = 'a' * 40001
         assert g.markdown.convert(text) == '<pre>%s</pre>' % text
         assert g.markdown_wiki.convert(text) == '<pre>%s</pre>' % text
+        assert g.markdown.convert('<b>' + text) == '<pre>&lt;b&gt;%s</pre>' % 
text
 
     def test_markdown_basics(self):
         with h.push_context('test', 'wiki', neighborhood='Projects'):
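Review bot: The new assertion pins escaping of the too-big branch for `g.markdown` only, while the line above it checks `g.markdown_wiki` as well; mirror it: `assert g.markdown_wiki.convert('<b>' + text) == '<pre>&lt;b&gt;%s</pre>' % text`. The invalid-markdown fallback in the same converter uses a different interpolation operator and has no escaping test at all; if the suite has a way to provoke a converter exception, a sibling assertion there would cover it. The test method's `def` line lies above the hunk.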
diff --git a/ForgeActivity/forgeactivity/templates/macros.html 
b/ForgeActivity/forgeactivity/templates/macros.html
index 8b08adbf0..970da40d0 100644
--- a/ForgeActivity/forgeactivity/templates/macros.html
+++ b/ForgeActivity/forgeactivity/templates/macros.html
@@ -66,4 +66,4 @@
         </ul>
         <a class="view-all" href="{{activity_app.url}}">View All</a>
     {% endif %}
-{%- endmacro %}
\ No newline at end of file
+{%- endmacro %}
diff --git a/ForgeTracker/forgetracker/model/ticket.py 
b/ForgeTracker/forgetracker/model/ticket.py
index bc6910df8..de099a372 100644
--- a/ForgeTracker/forgetracker/model/ticket.py
+++ b/ForgeTracker/forgetracker/model/ticket.py
@@ -679,7 +679,7 @@ class Ticket(VersionedArtifact, ActivityObject, 
VotableArtifact):
     def link_text(self):
         text = super().link_text()
         if self.is_closed:
-            return markupsafe.Markup('<s>') + text + markupsafe.Markup('</s>')
+            return markupsafe.Markup('<s>{}</s>').format(text)
         return text
 
     @property
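Review bot: `link_text` has no docstring and the whole method is in the hunk, so add one above the `text = ...` line: `"""Return the parent artifact's link text, wrapped in <s> (strikethrough) when the ticket is closed; a plain-str parent text is escaped by Markup.format, a Markup one passes through."""`. The last clause follows from `.format()` honouring `__html__` and is the part a reader cannot see from the call alone.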
diff --git a/ForgeTracker/forgetracker/widgets/ticket_form.py 
b/ForgeTracker/forgetracker/widgets/ticket_form.py
index 1781eb804..7b960c1f9 100644
--- a/ForgeTracker/forgetracker/widgets/ticket_form.py
+++ b/ForgeTracker/forgetracker/widgets/ticket_form.py
@@ -79,7 +79,7 @@ class GenericTicketForm(ew.SimpleForm):
 
         display = field.display(**ctx)
         if ctx['errors'] and field.show_errors and not ignore_errors:
-            display += Markup("<div class='error'>") + ctx['errors'] + 
Markup("</div>")
+            display += Markup("<div 
class='error'>{}</div>").format(ctx['errors'])
         return display
 
     def _add_current_value_to_user_field(self, field, user):
