Escaped term-contact viewlet title special chars to avoid xss
sgeulette committed May 31, 2022
1 parent 25f81b8 commit 5da3630
Showing 2 changed files with 28 additions and 26 deletions.
6 changes: 4 additions & 2 deletions CHANGES.rst
Expand Up @@ -4,8 +4,10 @@ Changelog
1.13 (unreleased)
-----------------

- Nothing changed yet.

- Escaped contact title special characters in `term-contact` viewlet to avoid
script insertion (xss). This viewlet stores an hidden field used in a
dynamically js generation.
[sgeulette]

1.12 (2020-10-07)
-----------------
48 changes: 24 additions & 24 deletions src/collective/contact/widget/widgets.py
@@ -1,29 +1,38 @@
import json

from cgi import escape
from collective.contact.widget import _
from collective.contact.widget.interfaces import IContactAutocompleteMultiSelectionWidget
from collective.contact.widget.interfaces import IContactAutocompleteSelectionWidget
from collective.contact.widget.interfaces import IContactAutocompleteWidget
from collective.contact.widget.interfaces import IContactContent
from collective.contact.widget.interfaces import IContactWidgetSettings
from five import grok
from plone.app.layout.viewlets.interfaces import IBelowContent
from plone.app.layout.viewlets.interfaces import IHtmlHeadLinks
from plone.formwidget.autocomplete.widget import AutocompleteMultiSelectionWidget
from plone.formwidget.autocomplete.widget import AutocompleteSearch as BaseAutocompleteSearch
from plone.formwidget.autocomplete.widget import AutocompleteSelectionWidget
from Products.CMFPlone.utils import base_hasattr
from Products.CMFPlone.utils import safe_unicode
from z3c.form.interfaces import IFieldWidget
import z3c.form.interfaces
from z3c.form.widget import FieldWidget
from zope.browserpage.viewpagetemplatefile import ViewPageTemplateFile
from zope.component import getUtility
from zope.component.interfaces import ComponentLookupError
from zope.i18n import translate
from zope.interface import implementer, implements, Interface
from zope.browserpage.viewpagetemplatefile import ViewPageTemplateFile
from zope.interface import implementer
from zope.interface import implements
from zope.interface import Interface
from zope.schema.interfaces import IContextSourceBinder
from zope.schema.interfaces import IVocabulary
from zope.schema.interfaces import IVocabularyFactory
from five import grok

from Products.CMFPlone.utils import base_hasattr, safe_unicode
from plone.app.layout.viewlets.interfaces import IBelowContent
from plone.app.layout.viewlets.interfaces import IHtmlHeadLinks
from plone.formwidget.autocomplete.widget import (
AutocompleteMultiSelectionWidget,
AutocompleteSelectionWidget)
from plone.formwidget.autocomplete.widget import AutocompleteSearch as BaseAutocompleteSearch
import json
import z3c.form.interfaces


try:
from plone.formwidget.masterselect.widget import MasterSelect as BaseMasterSelect
from plone.formwidget.masterselect.interfaces import IMasterSelectWidget
from plone.formwidget.masterselect.widget import MasterSelect as BaseMasterSelect
class MasterSelect(BaseMasterSelect):
grok.implements(IMasterSelectWidget)
def getSlaves(self):
Expand All @@ -33,15 +42,6 @@ def getSlaves(self):
class MasterSelect(object):
pass

from collective.contact.widget import _
from collective.contact.widget.interfaces import (
IContactAutocompleteWidget,
IContactAutocompleteSelectionWidget,
IContactAutocompleteMultiSelectionWidget,
IContactContent,
IContactWidgetSettings,
)


class PatchLoadInsideOverlay(grok.Viewlet):
grok.context(Interface)
Expand Down Expand Up @@ -70,7 +70,7 @@ def title(self):
else:
title = self.context.Title()
title = title and safe_unicode(title) or u""
return title
return escape(title, quote=True)

@property
def portal_type(self):
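Review bot: The fix in `title` relies on `from cgi import escape`, which is deprecated and no longer exists in Python 3.8+, so the new `return escape(title, quote=True)` breaks the moment this package is run on a modern interpreter; `html.escape(title, quote=True)` is the drop-in replacement (it defaults to `quote=True` and also escapes `'`, which `cgi.escape` does not). Because the `title` property now returns HTML-entity-encoded text, every consumer of it gets encoded output, not only the hidden field the changelog describes — a template that already escapes through `tal:content` or `tal:attributes` would emit `&amp;lt;` for `<`; whether that double encoding is what the client-side markup generation needs cannot be told from this hunk, so the contract should be stated on the property, e.g. `# Returns HTML-escaped text: the value is echoed into markup built client-side; do not rely on template auto-escaping alone.` The `title` property begins outside the hunk, and the import hunk at the top of the file is only the reordering plus the `escape` import.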
