Commit e3076e9a authored by Arthur Lutz's avatar Arthur Lutz

[views] escape xml to avoid wrong xhtml

parent b408799c9a8e
...@@ -20,6 +20,7 @@ from cubicweb.utils import RepeatList ...@@ -20,6 +20,7 @@ from cubicweb.utils import RepeatList
from cubicweb.view import EntityView from cubicweb.view import EntityView
from cubicweb.web.views import primary, navigation from cubicweb.web.views import primary, navigation
from cubicweb.selectors import is_instance from cubicweb.selectors import is_instance
from logilab.mtconverter import xml_escape
class StatPeriodPrimaryView(primary.PrimaryView): class StatPeriodPrimaryView(primary.PrimaryView):
""" """
...@@ -60,8 +61,8 @@ class StatPeriodPrimaryView(primary.PrimaryView): ...@@ -60,8 +61,8 @@ class StatPeriodPrimaryView(primary.PrimaryView):
self.wview('table', rset, 'null') self.wview('table', rset, 'null')
# cf rql/editextensions.py unset_limit # cf rql/editextensions.py unset_limit
nolimit_rql = typedrql.replace('LIMIT 20', '') nolimit_rql = typedrql.replace('LIMIT 20', '')
self.w(u'<a href="%s">Export CSV</a>' % self._cw.build_url('', rql=nolimit_rql % {'e':entity.eid}, self.w(u'<a href="%s">Export CSV</a>' % xml_escape(self._cw.build_url('', rql=nolimit_rql % {'e':entity.eid},
vid='csvexport')) vid='csvexport')))
#FIXME TODO not working right now #FIXME TODO not working right now
self.wview('piechart', rset, 'null') self.wview('piechart', rset, 'null')
self.w(u'</td>') self.w(u'</td>')
...@@ -70,8 +71,8 @@ class StatPeriodPrimaryView(primary.PrimaryView): ...@@ -70,8 +71,8 @@ class StatPeriodPrimaryView(primary.PrimaryView):
rset = self._cw.execute(rql, {'e':entity.eid}) rset = self._cw.execute(rql, {'e':entity.eid})
self.wview('table', rset, 'null') self.wview('table', rset, 'null')
nolimit_rql = rql.replace('LIMIT 20', '') nolimit_rql = rql.replace('LIMIT 20', '')
self.w(u'<a href="%s">Export CSV</a>' % self._cw.build_url('', rql=nolimit_rql % {'e':entity.eid}, self.w(u'<a href="%s">Export CSV</a>' % xml_escape(self._cw.build_url('', rql=nolimit_rql % {'e':entity.eid},
vid='csvexport')) vid='csvexport')))
self.w(u'</div>') self.w(u'</div>')
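Review bot: The escaped Export CSV link is written out twice in this file (the `typedrql` branch and the `rql` branch) and twice more in the StatPeriodsView hunk of the second file, so the output encoding depends on four copies staying in sync. A small private helper that takes the RQL string and returns `u'<a href="%s">Export CSV</a>' % xml_escape(url)` would keep the escaping in one place, so a link added later cannot miss it. A short comment would also help, for example `# the URL carries RQL text and '&'-joined parameters; escape it for the href attribute`, because the commit title mentions only XHTML validity. The enclosing methods start and end outside the hunks shown.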
......
...@@ -37,7 +37,7 @@ from cubes.awstats.utils import SECTIONSPEC, SECTIONLABELS, \ ...@@ -37,7 +37,7 @@ from cubes.awstats.utils import SECTIONSPEC, SECTIONLABELS, \
def extract_available_time_periods(form, **attrs): def extract_available_time_periods(form, **attrs):
""" extract available time periods from list of awstats files """ """ extract available time periods from list of awstats files """
periods = [] periods = []
selected_domain = form._cw.form.get('domain', '') selected_domain = form._cw.form.get('domain', form._cw.vreg.config['awstats-domain'])
awstats_dir = form._cw.vreg.config['awstats-dir'] awstats_dir = form._cw.vreg.config['awstats-dir']
periodicity = form._cw.vreg.config['awstats-periodicity'] periodicity = form._cw.vreg.config['awstats-periodicity']
size = { size = {
...@@ -283,16 +283,16 @@ class StatPeriodsView(StartupView): ...@@ -283,16 +283,16 @@ class StatPeriodsView(StartupView):
rset = self._cw.execute(typedrql) rset = self._cw.execute(typedrql)
self.generate_table_form(rset, etypes) self.generate_table_form(rset, etypes)
nolimit_rql = typedrql.replace('LIMIT %s' % limit, '') nolimit_rql = typedrql.replace('LIMIT %s' % limit, '')
self.w(u'<a href="%s">Export CSV</a>' % self._cw.build_url(rql=nolimit_rql, self.w(u'<a href="%s">Export CSV</a>' % xml_escape(self._cw.build_url(rql=nolimit_rql,
vid='csvexport')) vid='csvexport')))
self.w(u'</td>') self.w(u'</td>')
self.w(u'</tr></table>') self.w(u'</tr></table>')
else: else:
rset = self._cw.execute(rql) rset = self._cw.execute(rql)
self.generate_table_form(rset) self.generate_table_form(rset)
nolimit_rql = rql.replace('LIMIT %s' % limit, '') nolimit_rql = rql.replace('LIMIT %s' % limit, '')
self.w(u'<a href="%s">Export CSV</a>' % self._cw.build_url(rql=nolimit_rql, self.w(u'<a href="%s">Export CSV</a>' % xml_escape(self._cw.build_url(rql=nolimit_rql,
vid='csvexport')) vid='csvexport')))
self.w(u'</div>') self.w(u'</div>')
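Review bot: The new default for `selected_domain` in `extract_available_time_periods` applies only when the `domain` parameter is absent; a request that sends an empty `domain=` would presumably still yield an empty value, as the old default did. If the configured domain is meant as the fallback in both cases, `selected_domain = form._cw.form.get('domain') or form._cw.vreg.config['awstats-domain']` covers it. The value is request-supplied, and the docstring suggests it is later matched against awstats file names under `awstats-dir`. That part of the function lies outside the hunk, so it is worth confirming the value is validated before it reaches any path or file pattern. The commit title speaks only of escaping, so this behaviour change deserves its own line in the description.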
......