[rhythmbox] context: perform HTML escaping for all data we feed to webkit
- From: Jonathan Matthew <jmatthew src gnome org>
- To: svn-commits-list gnome org
- Cc:
- Subject: [rhythmbox] context: perform HTML escaping for all data we feed to webkit
- Date: Sun, 1 Nov 2009 06:01:19 +0000 (UTC)
commit 41b53611b599cfa13e8124b40e4759d94703e08c
Author: Jonathan Matthew <jonathan fibula d14n org>
Date: Sun Nov 1 11:48:22 2009 +1000
context: perform HTML escaping for all data we feed to webkit
Artist biographies are not escaped as they're actually HTML fragments.
plugins/context/context/AlbumTab.py | 1 +
plugins/context/context/ArtistTab.py | 1 +
plugins/context/context/LastFM.py | 2 +-
plugins/context/tmpl/album-tmpl.html | 20 ++++++++++----------
plugins/context/tmpl/artist-tmpl.html | 9 +++++----
plugins/context/tmpl/loading.html | 2 +-
plugins/context/tmpl/lyrics-tmpl.html | 5 ++++-
7 files changed, 23 insertions(+), 17 deletions(-)
---
diff --git a/plugins/context/context/AlbumTab.py b/plugins/context/context/AlbumTab.py
index 8de000b..8748d28 100644
--- a/plugins/context/context/AlbumTab.py
+++ b/plugins/context/context/AlbumTab.py
@@ -28,6 +28,7 @@ import rb, rhythmdb
import gtk, gobject
import webkit
import os
+import cgi
from mako.template import Template
import xml.dom.minidom as dom
import LastFM
diff --git a/plugins/context/context/ArtistTab.py b/plugins/context/context/ArtistTab.py
index e4e0a66..ba6bf5c 100644
--- a/plugins/context/context/ArtistTab.py
+++ b/plugins/context/context/ArtistTab.py
@@ -27,6 +27,7 @@
import rb, rhythmdb
import gtk, gobject
import re, os
+import cgi
import xml.dom.minidom as dom
import LastFM
diff --git a/plugins/context/context/LastFM.py b/plugins/context/context/LastFM.py
index 2ca4966..02f3bf8 100644
--- a/plugins/context/context/LastFM.py
+++ b/plugins/context/context/LastFM.py
@@ -45,5 +45,5 @@ def user_has_account():
return (username is not None and username != "")
def datasource_link(path):
- return "<a href='http://last.fm/'><img src='%s/img/lastfm.png'></a>" % self.basepath
+ return "<a href='http://last.fm/'><img src='%s/img/lastfm.png'></a>" % path
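Review bot: The corrected line still interpolates `path` raw into a single-quoted attribute, and this string is what the templates render unfiltered as `${datasource}`; a `'` or `<` in the path breaks the markup, and the `cgi.escape(s, True)` escaping this commit adopts elsewhere does not cover `'`. Switching the attribute quotes and escaping the value closes that, e.g. `return '<a href="http://last.fm/"><img src="%s/img/lastfm.png"></a>' % cgi.escape(path, True)`; I cannot see LastFM.py's import block in this diff, so `import cgi` may need adding there too. The fix from `self.basepath` to `path` itself looks right — `self` is unbound in a module-level function.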
diff --git a/plugins/context/tmpl/album-tmpl.html b/plugins/context/tmpl/album-tmpl.html
index 95e12f7..8338f62 100644
--- a/plugins/context/tmpl/album-tmpl.html
+++ b/plugins/context/tmpl/album-tmpl.html
@@ -1,7 +1,8 @@
-<%page args="error, list, artist, stylesheet" />
+<%page args="error, list, artist, stylesheet, datasource" />
<html> <head> <meta http-equiv="content-type" content="text-html; charset=utf-8">
<%!
import re
+ import cgi
def cleanup(text):
return re.sub(r'\([^\)]*\)', '', text)
def sec2hms(time):
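Review bot: The new `datasource` page argument is rendered further down as `<p>${datasource}</p>` without the `| h` filter, and the commit message only explains the artist-biography exemption, so a future reader cannot tell whether this is an oversight. A Mako comment above that line, `## datasource is a pre-built HTML fragment from LastFM.datasource_link(); intentionally not escaped`, would record the contract and make clear that only trusted, already-escaped markup may be passed through this argument. The same applies to artist-tmpl.html, which gains the identical argument.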
@@ -38,7 +39,7 @@
<%
num_albums = min(8, len(list))
%>
- <h1>${ _("Top albums by %s") % ("<em>" + artist + "</em>") }</h1>
+ <h1>${ _("Top albums by %s") % ("<em>" + cgi.escape(artist, True) + "</em>") }</h1>
%for i, entry in enumerate(list) :
<%
if 'tracklist' not in entry or len(entry['tracklist']) == 0:
@@ -46,9 +47,9 @@
if i == num_albums:
break
%>
- <div id="album${entry['id']}" class="album">
- <img width="64" src="${entry['images'][1]}" alt="${entry['images']}"/>
- <h2>${entry['title']}</h2>
+ <div id="album${entry['id'] | h}" class="album">
+ <img width="64" src="${entry['images'][1] | h}" alt="${entry['images'] | h}"/>
+ <h2>${entry['title'] | h}</h2>
%if 'duration' in entry:
<%
album_time = sec2hms(entry['duration'])
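Review bot: `alt="${entry['images'] | h}"` on the img line interpolates the whole `entry['images']` list, so the alt text renders as an escaped Python list repr rather than anything descriptive; it was presumably meant to be `alt="${entry['title'] | h}"`. Note also that `| h` on `src` prevents breaking out of the attribute but does not validate the URL itself — if the image URLs are taken straight from the Last.fm response, checking the scheme is http/https before rendering is the remaining control, and the same holds for `<img src="${image | h}" />` in artist-tmpl.html. These lines sit inside the `%for` loop, which continues beyond this hunk.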
@@ -57,18 +58,17 @@
<p class="duration">${ _("%s (%d tracks)") % (album_time, tracks) }</p>
%endif
%if 'tracklist' in entry:
- <% btn_name = "btn_%s" % entry['id'] %>
- <button id="btn_${entry['id']}" onclick="toggle_vis(${entry['id']})">
+ <button id="btn_${entry['id'] | h}" onclick="toggle_vis(${entry['id'] | h})">
${ _("Show all tracks") }
</button>
- <table class="hidden" id="${entry['id']}">
+ <table class="hidden" id="${entry['id'] | h}">
%for num, title, time in entry['tracklist'] :
<%
time = sec2hms(time)
title = cleanup(title)
num = num+1
%>
- <tr><td>${num}</td><td>${title}</td><td>${time}</td></tr>
+ <tr><td>${num}</td><td>${title | h}</td><td>${time}</td></tr>
%endfor
</table>
%else:
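Review bot: On the button line, `onclick="toggle_vis(${entry['id'] | h})"` places the value in a JavaScript context, where HTML escaping is the wrong escaping: a value without any `<`, `>`, `&` or `"` can still alter the handler, so `| h` does not make this safe. If `entry['id']` is always numeric, coerce it so anything else fails at render time, `onclick="toggle_vis(${int(entry['id'])})"`; if it can be a string, pass it as a quoted literal and escape it for JavaScript, which Mako's `h` filter does not do. The `id="${entry['id'] | h}"` attributes elsewhere in the hunk are fine as HTML escaping.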
@@ -79,7 +79,7 @@
<p>${datasource}</p>
%else:
<h1>${ _("Unable to retrieve album information:") }</h1>
- <p class="error">${error}</p>
+ <p class="error">${error | h}</p>
%endif
</body>
</html>
diff --git a/plugins/context/tmpl/artist-tmpl.html b/plugins/context/tmpl/artist-tmpl.html
index f4a2d1c..b559b7b 100644
--- a/plugins/context/tmpl/artist-tmpl.html
+++ b/plugins/context/tmpl/artist-tmpl.html
@@ -1,6 +1,7 @@
-<%page args="artist, image, shortbio, fullbio, stylesheet" />
+<%page args="artist, image, shortbio, fullbio, stylesheet, datasource" />
<%!
import re
+ import cgi
remove_links = re.compile ('</?a[^>]*> ',re.VERBOSE)
def cleanup(text):
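Review bot: `import cgi` is added to the module block, but nothing in the artist-tmpl.html hunks calls `cgi`; the `| h` filter is a Mako built-in that does not need the import. Unless there is a `cgi.escape(...)` call in a part of the template not shown here, the line is dead and can be dropped. The same added import appears unused in lyrics-tmpl.html.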
@@ -23,8 +24,8 @@
</head>
<body class="artist">
%if error is None:
-<h1>${artist}</h1>
-<img src="${image}" />
+<h1>${artist | h}</h1>
+<img src="${image | h}" />
<div id="shortbio" class="shown">
<% shortbio = cleanup(shortbio) %>
<button name="more" onclick="swapClass('shortbio', 'shown', 'hidden');swapClass('fullbio', 'shown', 'hidden')" />
@@ -45,7 +46,7 @@ ${ _("Read less") }
<p>${datasource}</p>
%else:
<h1>${ _("Unable to retrieve artist information:") }</h1>
-<p class="error">${error}</p>
+<p class="error">${error | h}</p>
%endif
</body>
</html>
diff --git a/plugins/context/tmpl/loading.html b/plugins/context/tmpl/loading.html
index 769d187..b8e57d0 100644
--- a/plugins/context/tmpl/loading.html
+++ b/plugins/context/tmpl/loading.html
@@ -8,7 +8,7 @@ img { display: block; margin-left: auto; margin-right: auto }
</style>
</head>
<body>
-<h1>${info}</h1>
+<h1>${info | h}</h1>
<img src="${basepath}/img/spinner.gif" />
</body>
</html>
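Review bot: `<img src="${basepath}/img/spinner.gif" />` is left unfiltered while `${info}` on the line above gets `| h`; since basepath is an installation path rather than network data the risk is low, but the commit's stated goal is escaping everything fed to webkit, and a path containing `"` would still break the attribute. `<img src="${basepath | h}/img/spinner.gif" />` keeps the template consistent at no cost.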
diff --git a/plugins/context/tmpl/lyrics-tmpl.html b/plugins/context/tmpl/lyrics-tmpl.html
index 5c5bfd7..f7ee440 100644
--- a/plugins/context/tmpl/lyrics-tmpl.html
+++ b/plugins/context/tmpl/lyrics-tmpl.html
@@ -1,10 +1,13 @@
<html>
<head>
<meta http-equiv="content-type" content="text-html; charset=utf-8">
+<%!
+ import cgi
+%>
<link rel="stylesheet" href="${stylesheet}" type="text/css" />
</head>
<body>
-<h1>${artist}: <em>${song}</em></h1>
+<h1>${artist | h}: <em>${song | h}</em></h1>
<p>${lyrics}</p>
</body>
</html>
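Review bot: `<p>${lyrics}</p>` remains unescaped while `artist` and `song` on the line above now get `| h`, and the commit message only exempts artist biographies as HTML fragments. If the lyrics text is plain text from the lyrics provider it should be `${lyrics | h}` (line breaks could be handled with a `replace('\n', '<br/>')` after escaping); if it is genuinely an HTML fragment, a Mako comment such as `## lyrics is an HTML fragment; not escaped on purpose` above the line would document that. The added `import cgi` in the module block is not used by anything visible in this hunk.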