Commit c1b2e6a7 authored by Sylvain Thénault's avatar Sylvain Thénault

use xml_escape

--HG--
branch : stable
parent f178182b1305
......@@ -15,7 +15,7 @@ import re
from urllib import quote as urlquote
from StringIO import StringIO
from logilab.mtconverter import html_escape, html_unescape
from logilab.mtconverter import xml_escape, html_unescape
from cubicweb.utils import ustrftime
......@@ -66,7 +66,7 @@ try:
except ImportError:
def rest_publish(entity, data):
"""default behaviour if docutils was not found"""
return html_escape(data)
return xml_escape(data)
TAG_PROG = re.compile(r'</?.*?>', re.U)
def remove_html_tags(text):
......@@ -108,7 +108,7 @@ def safe_cut(text, length):
if len(text_nohtml) <= length:
return text
# else if un-tagged text is too long, cut it
return html_escape(text_nohtml[:length] + u'...')
return xml_escape(text_nohtml[:length] + u'...')
fallback_safe_cut = safe_cut
......@@ -220,12 +220,12 @@ def simple_sgml_tag(tag, content=None, escapecontent=True, **attrs):
attrs['class'] = attrs.pop('klass')
except KeyError:
pass
value += u' ' + u' '.join(u'%s="%s"' % (attr, html_escape(unicode(value)))
value += u' ' + u' '.join(u'%s="%s"' % (attr, xml_escape(unicode(value)))
for attr, value in sorted(attrs.items())
if value is not None)
if content:
if escapecontent:
content = html_escape(unicode(content))
content = xml_escape(unicode(content))
value += u'>%s</%s>' % (content, tag)
else:
value += u'/>'
......@@ -406,9 +406,9 @@ def html_traceback(info, exception, title='',
strings.append(body)
strings.append(u'</div>')
if title:
strings.append(u'<h1 class="error">%s</h1>'% html_escape(title))
strings.append(u'<h1 class="error">%s</h1>'% xml_escape(title))
try:
strings.append(u'<p class="error">%s</p>' % html_escape(str(exception)).replace("\n","<br />"))
strings.append(u'<p class="error">%s</p>' % xml_escape(str(exception)).replace("\n","<br />"))
except UnicodeError:
pass
strings.append(u'<div class="error_traceback">')
......@@ -416,9 +416,9 @@ def html_traceback(info, exception, title='',
strings.append(u'<b>File</b> <b class="file">%s</b>, <b>line</b> '
u'<b class="line">%s</b>, <b>function</b> '
u'<b class="function">%s</b>:<br/>'%(
html_escape(stackentry[0]), stackentry[1], html_escape(stackentry[2])))
xml_escape(stackentry[0]), stackentry[1], xml_escape(stackentry[2])))
if stackentry[3]:
string = html_escape(stackentry[3]).decode('utf-8', 'replace')
string = xml_escape(stackentry[3]).decode('utf-8', 'replace')
strings.append(u'&nbsp;&nbsp;%s<br/>\n' % (string))
# add locals info for each entry
try:
......@@ -426,7 +426,7 @@ def html_traceback(info, exception, title='',
html_info = []
chars = 0
for name, value in local_context.iteritems():
value = html_escape(repr(value))
value = xml_escape(repr(value))
info = u'<span class="name">%s</span>=%s, ' % (name, value)
line_length = len(name) + len(value)
chars += line_length
......@@ -491,5 +491,5 @@ def htmlescape(function):
def newfunc(*args, **kwargs):
ret = function(*args, **kwargs)
assert isinstance(ret, basestring)
return html_escape(ret)
return xml_escape(ret)
return newfunc
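Review bot: In html_traceback the loop over `local_context.iteritems()` writes `repr(value)` of every local variable of every frame into the page, so a password, session identifier or connection string held in a local when the error occurred ends up in the HTML. The escaping is correct for markup but does nothing about disclosure. I would emit the locals block only when a debug setting is enabled, or mask values whose names match a deny-list before the `xml_escape(repr(value))` line, and state that in the docstring. The function starts and ends outside these hunks, so whether a caller already restricts this output to administrators cannot be seen here.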
......@@ -13,7 +13,7 @@ from logilab.common import interface
from logilab.common.compat import all
from logilab.common.decorators import cached
from logilab.common.deprecation import obsolete
from logilab.mtconverter import TransformData, TransformError, html_escape
from logilab.mtconverter import TransformData, TransformError, xml_escape
from rql.utils import rqlvar_maker
......@@ -456,7 +456,7 @@ class Entity(AppRsetObject, dict):
return u''
value = printable_value(self.req, attrtype, value, props, displaytime)
if format == 'text/html':
value = html_escape(value)
value = xml_escape(value)
return value
def mtc_transform(self, data, format, target_format, encoding,
......
......@@ -24,7 +24,7 @@ http://cvs.zope.org/Zope/lib/python/docutils/writers/Attic/html4zope.py?rev=1.1.
__docformat__ = 'reStructuredText'
from logilab.mtconverter import html_escape
from logilab.mtconverter import xml_escape
from docutils import nodes
from docutils.writers.html4css1 import Writer as CSS1Writer
......@@ -154,7 +154,7 @@ class HTMLTranslator(CSS1HTMLTranslator):
error = u'System Message: %s%s/%s%s (%s %s)%s</p>\n' % (
a_start, node['type'], node['level'], a_end,
self.encode(node['source']), line, backref_text)
self.body.append(u'<div class="system-message"><b>ReST / HTML errors:</b>%s</div>' % html_escape(error))
self.body.append(u'<div class="system-message"><b>ReST / HTML errors:</b>%s</div>' % xml_escape(error))
def depart_system_message(self, node):
pass
......@@ -29,7 +29,7 @@ from docutils.core import publish_string
from docutils.parsers.rst import Parser, states, directives
from docutils.parsers.rst.roles import register_canonical_role, set_classes
from logilab.mtconverter import ESC_UCAR_TABLE, ESC_CAR_TABLE, html_escape
from logilab.mtconverter import ESC_UCAR_TABLE, ESC_CAR_TABLE, xml_escape
from cubicweb.ext.html4zope import Writer
......@@ -236,5 +236,5 @@ def rest_publish(context, data):
LOGGER.exception('error while publishing ReST text')
if not isinstance(data, unicode):
data = unicode(data, encoding, 'replace')
return html_escape(req._('error while publishing ReST text')
return xml_escape(req._('error while publishing ReST text')
+ '\n\n' + data)
......@@ -7,7 +7,7 @@
"""
__docformat__ = "restructuredtext en"
from logilab.mtconverter import html_escape
from logilab.mtconverter import xml_escape
from cubicweb import typed_eid
from cubicweb.selectors import one_line_rset, match_search_state, accept
......@@ -74,7 +74,7 @@ def entity_types_no_count(self, eschemas):
label = display_name(req, etype, 'plural')
view = self.vreg.select_view('list', req, req.etype_rset(etype))
url = view.url()
etypelink = u'&nbsp;<a href="%s">%s</a>' % (html_escape(url), label)
etypelink = u'&nbsp;<a href="%s">%s</a>' % (xml_escape(url), label)
yield (label, etypelink, self.add_entity_link(eschema, req))
ManageView.entity_types = entity_types_no_count
......
......@@ -12,7 +12,7 @@ from os.path import exists, join, abspath
from pickle import loads, dumps
from logilab.common.decorators import cached
from logilab.mtconverter import html_escape
from logilab.mtconverter import xml_escape
from cubicweb.selectors import none_rset, match_user_groups
from cubicweb.common.view import StartupView
......@@ -54,7 +54,7 @@ class AuthInfo(StartupView):
break
values.append('__session=%s' % cookie['__session'].value)
self.w(u"<p>pass this flag to the client: --cookie='%s'</p>"
% html_escape('; '.join(values)))
% xml_escape('; '.join(values)))
......@@ -148,7 +148,7 @@ class ContentInit(StartupView):
% cpath)
self.w(u'<div>click <a href="%s?vid=contentclear">here</a> to '
'<b>delete all datastore content</b> so process can be '
'reinitialized</div>' % html_escape(self.req.base_url()))
'reinitialized</div>' % xml_escape(self.req.base_url()))
Put(status)
@property
......@@ -159,11 +159,11 @@ class ContentInit(StartupView):
repo=self.config.repository())
def msg(self, msg):
self.w(u'<div class="message">%s</div>' % html_escape(msg))
self.w(u'<div class="message">%s</div>' % xml_escape(msg))
def redirect(self, msg):
raise Redirect(self.req.build_url('', msg))
def continue_link(self):
self.w(u'<a href="%s">continue</a><br/>' % html_escape(self.req.url()))
self.w(u'<a href="%s">continue</a><br/>' % xml_escape(self.req.url()))
class ContentClear(StartupView):
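Review bot: The link written in ContentInit, `<a href="%s?vid=contentclear">`, deletes all datastore content from a plain GET, which any third-party page can cause an authenticated administrator's browser to issue. Escaping the base URL does not change that. The clear action should require a POST carrying a per-session token, and the view should render a form rather than a link; the ContentClear handler is outside the hunk, so it may already check something not visible here. In the same file, AuthInfo prints the `__session` cookie value into the page body, which deserves a comment stating who is allowed to reach that view.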
......
......@@ -12,7 +12,7 @@ _ = unicode
from cStringIO import StringIO
from logilab.common.deprecation import obsolete
from logilab.mtconverter import html_escape
from logilab.mtconverter import xml_escape
from cubicweb import NotAnEntity
from cubicweb.selectors import yes, non_final_entity, nonempty_rset, none_rset
......@@ -219,7 +219,7 @@ class View(AppRsetObject):
def wdata(self, data):
"""simple helper that escapes `data` and writes into `self.w`"""
self.w(html_escape(data))
self.w(xml_escape(data))
def html_headers(self):
"""return a list of html headers (eg something to be inserted between
......@@ -440,10 +440,10 @@ class ReloadableMixIn(object):
def cb(*args):
_cb(*args)
cbname = self.req.register_onetime_callback(cb, *args)
return self.build_js(cbname, html_escape(msg or ''))
return self.build_js(cbname, xml_escape(msg or ''))
def build_update_js_call(self, cbname, msg):
rql = html_escape(self.rset.printable_rql())
rql = xml_escape(self.rset.printable_rql())
return "javascript:userCallbackThenUpdateUI('%s', '%s', '%s', '%s', '%s', '%s')" % (
cbname, self.id, rql, msg, self.__registry__, self.div_id())
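Review bot: `build_update_js_call` puts `xml_escape(self.rset.printable_rql())` between single quotes inside a `javascript:` URL, and XML escaping is not the right encoder for a JavaScript string literal. When the URL sits in an HTML attribute the browser decodes character references before the script runs, so an escaped quote is a real quote again by the time the string is parsed, and backslashes and newlines are never touched. The value should be JavaScript-encoded first (for example serialised as a JSON string) and the complete URL XML-escaped once where it is written into the attribute; `msg`, `cbname` and `self.div_id()` are in the same position. The same pattern appears in the request module hunk, `"javascript: loadxhtml('%s', '%s', '%s')" % (nodeid, xml_escape(url), replacemode)`. How these strings reach the page is outside the hunks shown.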
......
......@@ -8,7 +8,7 @@
__docformat__ = "restructuredtext en"
_ = unicode
from logilab.mtconverter import html_escape
from logilab.mtconverter import xml_escape
from cubicweb import Unauthorized, role as get_role, target as get_target
from cubicweb.selectors import (one_line_rset, primary_view,
......@@ -74,7 +74,7 @@ class BoxTemplate(View):
.format_actions method
"""
if escape:
title = html_escape(title)
title = xml_escape(title)
return self.box_action(self._action(title, path, **kwargs))
def _action(self, title, path, **kwargs):
......
......@@ -9,7 +9,7 @@ __docformat__ = "restructuredtext en"
_ = unicode
from logilab.common.deprecation import class_renamed
from logilab.mtconverter import html_escape
from logilab.mtconverter import xml_escape
from cubicweb import role
from cubicweb.utils import merge_dicts
......@@ -117,7 +117,7 @@ class NavigationComponent(Component):
def page_link(self, path, params, start, stop, content):
url = self.build_url(path, **merge_dicts(params, {self.start_param : start,
self.stop_param : stop,}))
url = html_escape(url)
url = xml_escape(url)
if start == self.starting_from:
return self.selected_page_link_templ % (url, content, content)
return self.page_link_templ % (url, content, content)
......@@ -130,7 +130,7 @@ class NavigationComponent(Component):
stop = start + self.page_size - 1
url = self.build_url(**merge_dicts(params, {self.start_param : start,
self.stop_param : stop,}))
url = html_escape(url)
url = xml_escape(url)
return self.previous_page_link_templ % (url, title, content)
def next_link(self, params, content='&gt;&gt;', title=_('next_results')):
......@@ -140,7 +140,7 @@ class NavigationComponent(Component):
stop = start + self.page_size - 1
url = self.build_url(**merge_dicts(params, {self.start_param : start,
self.stop_param : stop,}))
url = html_escape(url)
url = xml_escape(url)
return self.next_page_link_templ % (url, title, content)
......
......@@ -12,7 +12,7 @@ from itertools import chain
from copy import deepcopy
from datetime import date, datetime, timedelta
from logilab.mtconverter import html_escape
from logilab.mtconverter import xml_escape
from logilab.common.graph import has_path
from logilab.common.decorators import cached
......@@ -71,7 +71,7 @@ def get_facet(req, facetid, rqlst, mainvar):
def filter_hiddens(w, **kwargs):
for key, val in kwargs.items():
w(u'<input type="hidden" name="%s" value="%s" />' % (
key, html_escape(val)))
key, xml_escape(val)))
def _may_be_removed(rel, schema, mainvar):
......@@ -587,11 +587,11 @@ class FacetVocabularyWidget(HTMLWidget):
self.items.append(item)
def _render(self):
title = html_escape(self.facet.title)
facetid = html_escape(self.facet.id)
title = xml_escape(self.facet.title)
facetid = xml_escape(self.facet.id)
self.w(u'<div id="%s" class="facet">\n' % facetid)
self.w(u'<div class="facetTitle" cubicweb:facetName="%s">%s</div>\n' %
(html_escape(facetid), title))
(xml_escape(facetid), title))
if self.facet.support_and():
_ = self.facet.req._
self.w(u'''<select name="%s" class="radio facetOperator" title="%s">
......@@ -617,8 +617,8 @@ class FacetStringWidget(HTMLWidget):
self.value = None
def _render(self):
title = html_escape(self.facet.title)
facetid = html_escape(self.facet.id)
title = xml_escape(self.facet.title)
facetid = xml_escape(self.facet.id)
self.w(u'<div id="%s" class="facet">\n' % facetid)
self.w(u'<div class="facetTitle" cubicweb:facetName="%s">%s</div>\n' %
(facetid, title))
......@@ -661,7 +661,7 @@ class FacetRangeWidget(HTMLWidget):
facet.req.add_js('ui.slider.js')
facet.req.add_css('ui.all.css')
sliderid = make_uid('the slider')
facetid = html_escape(self.facet.id)
facetid = xml_escape(self.facet.id)
facet.req.html_headers.add_onload(self.onload % {
'sliderid': sliderid,
'facetid': facetid,
......@@ -669,7 +669,7 @@ class FacetRangeWidget(HTMLWidget):
'maxvalue': self.maxvalue,
'formatter': self.formatter,
})
title = html_escape(self.facet.title)
title = xml_escape(self.facet.title)
self.w(u'<div id="%s" class="facet">\n' % facetid)
self.w(u'<div class="facetTitle" cubicweb:facetName="%s">%s</div>\n' %
(facetid, title))
......@@ -721,9 +721,9 @@ class FacetItem(HTMLWidget):
imgsrc = self.req.datadir_url + self.unselected_img
imgalt = self.req._('not selected')
self.w(u'<div class="facetValue facetCheckBox%s" cubicweb:value="%s">\n'
% (cssclass, html_escape(unicode(self.value))))
% (cssclass, xml_escape(unicode(self.value))))
self.w(u'<img src="%s" alt="%s"/>&nbsp;' % (imgsrc, imgalt))
self.w(u'<a href="javascript: {}">%s</a>' % html_escape(self.label))
self.w(u'<a href="javascript: {}">%s</a>' % xml_escape(self.label))
self.w(u'</div>')
class CheckBoxFacetWidget(HTMLWidget):
......@@ -737,8 +737,8 @@ class CheckBoxFacetWidget(HTMLWidget):
self.selected = selected
def _render(self):
title = html_escape(self.facet.title)
facetid = html_escape(self.facet.id)
title = xml_escape(self.facet.title)
facetid = xml_escape(self.facet.id)
self.w(u'<div id="%s" class="facet">\n' % facetid)
if self.selected:
cssclass = ' facetValueSelected'
......@@ -749,7 +749,7 @@ class CheckBoxFacetWidget(HTMLWidget):
imgsrc = self.req.datadir_url + self.unselected_img
imgalt = self.req._('not selected')
self.w(u'<div class="facetValue facetCheckBox%s" cubicweb:value="%s">\n'
% (cssclass, html_escape(unicode(self.value))))
% (cssclass, xml_escape(unicode(self.value))))
self.w(u'<div class="facetCheckBoxWidget">')
self.w(u'<img src="%s" alt="%s" cubicweb:unselimg="true" />&nbsp;' % (imgsrc, imgalt))
self.w(u'<label class="facetTitle" cubicweb:facetName="%s"><a href="javascript: {}">%s</a></label>' % (facetid, title))
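Review bot: In FacetVocabularyWidget._render `facetid` is escaped twice: it is assigned `xml_escape(self.facet.id)` and then passed through `xml_escape(facetid)` again for the `cubicweb:facetName` attribute, so an id containing `&` or a quote gives a different value in `id` and in `cubicweb:facetName`. FacetStringWidget, FacetRangeWidget and CheckBoxFacetWidget pass the already escaped value, `(facetid, title))`, and this widget should do the same. Separately, filter_hiddens escapes `val` but writes `key` into `name="%s"` as is; if keys can ever come from the request, that line needs `xml_escape(key)` as well.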
......
......@@ -10,7 +10,7 @@ __docformat__ = "restructuredtext en"
from warnings import warn
from datetime import datetime
from logilab.mtconverter import html_escape
from logilab.mtconverter import xml_escape
from yams.constraints import SizeConstraint, StaticVocabularyConstraint
from cubicweb.schema import FormatConstraint
......@@ -300,9 +300,9 @@ class FileField(StringField):
if self.format_field or self.encoding_field:
divid = '%s-advanced' % form.context[self]['name']
wdgs.append(u'<a href="%s" title="%s"><img src="%s" alt="%s"/></a>' %
(html_escape(uilib.toggle_action(divid)),
(xml_escape(uilib.toggle_action(divid)),
form.req._('show advanced fields'),
html_escape(form.req.build_url('data/puce_down.png')),
xml_escape(form.req.build_url('data/puce_down.png')),
form.req._('show advanced fields')))
wdgs.append(u'<div id="%s" class="hidden">' % divid)
if self.format_field:
......
......@@ -9,7 +9,7 @@ serialization time
:license: GNU Lesser General Public License, v2.1 - http://www.gnu.org/licenses
"""
from logilab.mtconverter import html_escape
from logilab.mtconverter import xml_escape
from cubicweb.utils import UStringIO
from cubicweb.common.uilib import toggle_action
......@@ -81,7 +81,7 @@ class BoxWidget(HTMLWidget):
self.w(u'<div class="%s">' % self._class)
if self.title:
if self.escape:
title = '<span>%s</span>' % html_escape(self.title)
title = '<span>%s</span>' % xml_escape(self.title)
else:
title = '<span>%s</span>' % self.title
self.w(u'<div class="%s">%s</div>' % (self.title_class, title))
......@@ -204,7 +204,7 @@ class BoxLink(HTMLWidget):
def __init__(self, href, label, _class='', title='', ident='', escape=False):
self.href = href
if escape:
self.label = html_escape(label)
self.label = xml_escape(label)
else:
self.label = label
self._class = _class or ''
......@@ -213,7 +213,7 @@ class BoxLink(HTMLWidget):
def _render(self):
link = u'<a href="%s" title="%s">%s</a>' % (
html_escape(self.href), html_escape(self.title), self.label)
xml_escape(self.href), xml_escape(self.title), self.label)
if self.ident:
self.w(u'<li id="%s" class="%s">%s</li>\n' % (self.ident, self._class, link))
else:
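Review bot: BoxLink._render escapes `self.href` and `self.title` but writes `self.ident` and `self._class` into the `id` and `class` attributes unescaped, and `self.label` is inserted raw unless the caller passed `escape=True`, which is not the default. If any of these can carry user-supplied text, the list item should be built with `(xml_escape(self.ident), xml_escape(self._class), link)`. A docstring on `__init__` should state that `label` must already be safe markup when `escape` is false. The method continues past the end of the hunk, so the `else` branch is not visible.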
......
......@@ -20,7 +20,7 @@ from rql.utils import rqlvar_maker
from logilab.common.decorators import cached
from logilab.common.deprecation import obsolete
from logilab.mtconverter import html_escape
from logilab.mtconverter import xml_escape
from cubicweb.dbapi import DBAPIRequest
from cubicweb.common.mail import header
......@@ -505,7 +505,7 @@ class CubicWebRequestBase(DBAPIRequest):
url = self.build_url('view', rql=rql, vid=vid, __notemplate=1,
**extraparams)
return "javascript: loadxhtml('%s', '%s', '%s')" % (
nodeid, html_escape(url), replacemode)
nodeid, xml_escape(url), replacemode)
# urls/path management ####################################################
......
......@@ -15,7 +15,7 @@ from rql import parse
from cubicweb.selectors import yes, two_etypes_rset, match_form_params
from cubicweb.schema import display_name
from cubicweb.common.uilib import html_escape, toggle_action
from cubicweb.common.uilib import xml_escape, toggle_action
from cubicweb.web import component
from cubicweb.web.htmlwidgets import (MenuWidget, PopupBoxMenu, BoxSeparator,
BoxLink)
......@@ -47,7 +47,7 @@ class RQLInputForm(component.Component):
<input type="submit" value="" class="rqlsubmit" tabindex="%s" />
</fieldset>
''' % (not self.propval('visible') and 'hidden' or '',
self.build_url('view'), html_escape(rql), req._('full text or RQL query'), req.next_tabindex(),
self.build_url('view'), xml_escape(rql), req._('full text or RQL query'), req.next_tabindex(),
req.next_tabindex()))
if self.req.search_state[0] != 'normal':
self.w(u'<input type="hidden" name="__mode" value="%s"/>'
......@@ -202,7 +202,7 @@ class EtypeRestrictionComponent(component.Component):
url = self.build_url(rql=newrql, __restrrql=restrrql,
__restrtype=etype, __restrtypes=','.join(restrtypes))
html.append(u'<span><a href="%s">%s</a></span>' % (
html_escape(url), elabel))
xml_escape(url), elabel))
rqlst.recover()
if on_etype:
url = self.build_url(rql=restrrql)
......
......@@ -15,7 +15,7 @@ from smtplib import SMTP
import simplejson
from logilab.common.decorators import cached
from logilab.mtconverter import html_escape
from logilab.mtconverter import xml_escape
from cubicweb import NoSelectableObject, ValidationError, ObjectNotFound, typed_eid
from cubicweb.utils import strptime
......@@ -411,7 +411,7 @@ class JSonController(Controller):
if rset:
output = self.view(vid, rset)
if vid == 'textoutofcontext':
output = html_escape(output)
output = xml_escape(output)
else:
output = default
return (success, args, output)
......
......@@ -12,7 +12,7 @@ from copy import copy
from simplejson import dumps
from logilab.mtconverter import html_escape
from logilab.mtconverter import xml_escape
from logilab.common.decorators import cached
from cubicweb.selectors import (specified_etype_implements, accepts_etype_compat,
......@@ -148,7 +148,7 @@ class EditionForm(FormMixIn, EntityView):
output = []
for name, value, iid in self._hiddens:
if isinstance(value, basestring):
value = html_escape(value)
value = xml_escape(value)
if iid:
output.append(u'<input id="%s" type="hidden" name="%s" value="%s" />'
% (iid, name, value))
......@@ -249,14 +249,14 @@ class EditionForm(FormMixIn, EntityView):
w(u'<a class="handle" title="%s" href="%s">[x]</a>' %
(_('cancel this insert'), row[2]))
w(u'<a id="a%s" class="editionPending" href="%s">%s</a>'
% (row[1], row[4], html_escape(row[5])))
% (row[1], row[4], xml_escape(row[5])))
w(u'</td>')
w(u'</tr>')
w(u'<tr id="relationSelectorRow_%s" class="separator">' % eid)
w(u'<th class="labelCol">')
w(u'<span>%s</span>' % _('add relation'))
w(u'<select id="relationSelector_%s" tabindex="%s" onchange="javascript:showMatchingSelect(this.options[this.selectedIndex].value,%s);">'
% (eid, req.next_tabindex(), html_escape(dumps(eid))))
% (eid, req.next_tabindex(), xml_escape(dumps(eid))))
w(u'<option value="">%s</option>' % _('select a relation'))
for i18nrtype, rschema, target in srels_by_cat:
# more entities to link to
......@@ -551,10 +551,10 @@ class TableEditForm(FormMixIn, EntityView):
ctx = {'action' : self.build_url('edit'),
'error': self.error_message(),
'progress': _('validating...'),
'url': html_escape(req.url()),
'url': xml_escape(req.url()),
'formid': self.id,
'redirectvid': html_escape(form.get('__redirectvid', 'list')),
'redirectrql': html_escape(form.get('__redirectrql', self.rset.printable_rql())),
'redirectvid': xml_escape(form.get('__redirectvid', 'list')),
'redirectrql': xml_escape(form.get('__redirectrql', self.rset.printable_rql())),
'attrheaders': u'\n'.join(attrheaders),
'lines': u'\n'.join(self.edit_form(ent) for ent in self.rset.entities()),
'okvalue': _('button_ok').capitalize(),
......@@ -583,7 +583,7 @@ class TableEditForm(FormMixIn, EntityView):
wdg = entity.get_widget
wdgfactories = [wdg(rschema, x) for rschema, _, x in entity.relations_by_category('primary', 'add')
if rschema.type != 'eid'] # XXX both (add, delete)
seid = html_escape(dumps(eid))
seid = xml_escape(dumps(eid))
for wobj in wdgfactories:
if isinstance(wobj, ComboBoxWidget):
wobj.attrs['onchange'] = "setCheckboxesState2('eid', %s, 'checked')" % seid
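Review bot: In the pending-relation rows the two `href` values, `row[2]` and `row[4]`, are interpolated without escaping while the link text `row[5]` goes through `xml_escape`; a URL whose query string contains `&` or a quote produces invalid or injectable markup there. Unless those values are escaped where the rows are built, which these hunks do not show, I would write `xml_escape(row[2])` and `xml_escape(row[4])`. The hidden-input loop in EditionForm has the same gap for `iid` and `name`. The `xml_escape(dumps(eid))` calls are in the right order for a value inside an event-handler attribute: JSON first, then attribute escaping.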
......
......@@ -8,7 +8,7 @@
"""
__docformat__ = "restructuredtext en"
from logilab.mtconverter import html_escape
from logilab.mtconverter import xml_escape
from cubicweb.vregistry import objectify_selector
from cubicweb.selectors import match_kwargs
......@@ -31,14 +31,14 @@ class LogInOutTemplate(MainTemplate):
def template_header(self, content_type, view=None, page_title='', additional_headers=()):
w = self.whead
# explictly close the <base> tag to avoid IE 6 bugs while browsing DOM
w(u'<base href="%s"></base>' % html_escape(self.req.base_url()))
w(u'<base href="%s"></base>' % xml_escape(self.req.base_url()))
w(u'<meta http-equiv="content-type" content="%s; charset=%s"/>\n'
% (content_type, self.req.encoding))
w(NOINDEX)
w(NOFOLLOW)
w(u'\n'.join(additional_headers) + u'\n')
self.wview('htmlheader', rset=self.rset)
w(u'<title>%s</title>\n' % html_escape(page_title))
w(u'<title>%s</title>\n' % xml_escape(page_title))
class LogInTemplate(LogInOutTemplate):
......@@ -60,7 +60,7 @@ class LoggedOutTemplate(LogInOutTemplate):
if self.config['anonymous-user']:
indexurl = self.build_url('view', vid='index', __message=msg)
w(u'<p><a href="%s">%s</a><p>' % (
html_escape(indexurl),
xml_escape(indexurl),
self.req._('go back to the index page')))
@objectify_selector
......@@ -110,7 +110,7 @@ class TheMainTemplate(MainTemplate):
w(u'<div id="pageContent">\n')
vtitle = self.req.form.get('vtitle')
if vtitle:
w(u'<h1 class="vtitle">%s</h1>\n' % html_escape(vtitle))
w(u'<h1 class="vtitle">%s</h1>\n' % xml_escape(vtitle))
# display entity type restriction component
etypefilter = self.vreg.select_component('etypenavigation',
self.req, self.rset)
......@@ -137,13 +137,13 @@ class TheMainTemplate(MainTemplate):
w = self.whead
lang = self.req.lang
self.write_doctype()
w(u'<base href="%s" />' % html_escape(self.req.base_url()))
w(u'<base href="%s" />' % xml_escape(self.req.base_url()))
w(u'<meta http-equiv="content-type" content="%s; charset=%s"/>\n'
% (content_type, self.req.encoding))
w(u'\n'.join(additional_headers) + u'\n')
self.wview('htmlheader', rset=self.rset)
if page_title:
w(u'<title>%s</title>\n' % html_escape(page_title))
w(u'<title>%s</title>\n' % xml_escape(page_title))
def template_body_header(self, view):
w = self.w
......@@ -210,7 +210,7 @@ class ErrorTemplate(TheMainTemplate):
% (content_type, self.req.encoding))
w(u'\n'.join(additional_headers))
self.wview('htmlheader', rset=self.rset)
w(u'<title>%s</title>\n' % html_escape(page_title))
w(u'<title>%s</title>\n' % xml_escape(page_title))
self.w(u'<body>\n')