1
0
mirror of https://github.com/kakwa/ldapcherry synced 2024-11-24 18:24:31 +01:00

remove the double escaping.

Now the escaping is done by in the templates.
We need to remove the previous escaping done by hand in the code.
Otherwise, we end-up with double escaping and funky displaying of
fields.
This commit is contained in:
kakwa 2019-02-12 21:18:45 +01:00
parent 0cf5483785
commit bbafafae60

View File

@ -34,10 +34,8 @@ from mako import exceptions
if sys.version < '3': if sys.version < '3':
from sets import Set as set from sets import Set as set
from urllib import quote_plus from urllib import quote_plus
from cgi import escape as html_escape
else: else:
from urllib.parse import quote_plus from urllib.parse import quote_plus
from html import escape as html_escape
SESSION_KEY = '_cp_username' SESSION_KEY = '_cp_username'
@ -62,36 +60,6 @@ class LdapCherry(object):
traceback=True traceback=True
) )
def _escape_list(self, data):
ret = []
for i in data:
ret.append(html_escape(i, True))
return ret
def _escape_dict(self, data):
for d in data:
if isinstance(data[d], list):
data[d] = self._escape_list(data[d])
elif isinstance(data[d], dict):
data[d] = self._escape_dict(data[d])
elif isinstance(data[d], set):
data[d] = set(self._escape_list(data[d]))
else:
data[d] = html_escape(data[d], True)
return data
def _escape(self, data, dtype):
if data is None:
return None
elif dtype == 'search_list':
for d in data:
data[d] = self._escape_dict(data[d])
elif dtype == 'attr_list':
data = self._escape_dict(data)
elif dtype == 'lonely_groups':
data = self._escape_dict(data)
return data
def _get_param(self, section, key, config, default=None): def _get_param(self, section, key, config, default=None):
""" Get configuration parameter "key" from config """ Get configuration parameter "key" from config
@str section: the section of the config file @str section: the section of the config file
@ -995,7 +963,7 @@ class LdapCherry(object):
return self.temp['index.tmpl'].render( return self.temp['index.tmpl'].render(
is_admin=is_admin, is_admin=is_admin,
attrs_list=attrs_list, attrs_list=attrs_list,
searchresult=self._escape(user_attrs, 'attr_list'), searchresult=user_attrs,
notifications=self._empty_notification(), notifications=self._empty_notification(),
) )
@ -1011,7 +979,7 @@ class LdapCherry(object):
res = None res = None
attrs_list = self.attributes.get_search_attributes() attrs_list = self.attributes.get_search_attributes()
return self.temp['searchuser.tmpl'].render( return self.temp['searchuser.tmpl'].render(
searchresult=self._escape(res, 'search_list'), searchresult=res,
attrs_list=attrs_list, attrs_list=attrs_list,
is_admin=is_admin, is_admin=is_admin,
custom_js=self.custom_js, custom_js=self.custom_js,
@ -1048,7 +1016,7 @@ class LdapCherry(object):
res = None res = None
attrs_list = self.attributes.get_search_attributes() attrs_list = self.attributes.get_search_attributes()
return self.temp['searchadmin.tmpl'].render( return self.temp['searchadmin.tmpl'].render(
searchresult=self._escape(res, 'search_list'), searchresult=res,
attrs_list=attrs_list, attrs_list=attrs_list,
is_admin=is_admin, is_admin=is_admin,
custom_js=self.custom_js, custom_js=self.custom_js,
@ -1169,7 +1137,7 @@ class LdapCherry(object):
try: try:
form = self.temp['form.tmpl'].render( form = self.temp['form.tmpl'].render(
attributes=self.attributes.attributes, attributes=self.attributes.attributes,
values=self._escape(user_attrs, 'attr_list'), values=user_attrs,
modify=True, modify=True,
keyattr=key, keyattr=key,
autofill=False autofill=False
@ -1187,10 +1155,7 @@ class LdapCherry(object):
form=form, form=form,
roles=roles, roles=roles,
is_admin=is_admin, is_admin=is_admin,
standalone_groups=self._escape( standalone_groups=standalone_groups,
standalone_groups,
'lonely_groups'
),
backends_display_names=self.backends_display_names, backends_display_names=self.backends_display_names,
custom_js=self.custom_js, custom_js=self.custom_js,
notifications=self._empty_notification(), notifications=self._empty_notification(),
@ -1245,7 +1210,7 @@ class LdapCherry(object):
form = self.temp['form.tmpl'].render( form = self.temp['form.tmpl'].render(
attributes=self.attributes.get_selfattributes(), attributes=self.attributes.get_selfattributes(),
values=self._escape(user_attrs, 'attr_list'), values=user_attrs,
modify=True, modify=True,
autofill=False autofill=False
) )