Updated columns to work with z3c.table 2.2. Escaped rendering special…
… caracters to avoid xss
sgeulette committed Jun 9, 2022
1 parent 0d9387a commit 6c4d616
Showing 3 changed files with 30 additions and 19 deletions.
4 changes: 2 additions & 2 deletions CHANGES.rst
Expand Up @@ -4,8 +4,8 @@ Changelog
1.7 (unreleased)
----------------

- Nothing changed yet.

- Updated columns to work with z3c.table 2.2. Escaped rendering special caracters to avoid xss.
[sgeulette]

1.6 (2021-04-20)
----------------
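--- a/setup.py
+++ b/setup.py
@@ -49,6 +49,7 @@
 'five.grok',
 'collective.documentviewer',
 'dexterity.localrolesfield',
+'future',
 'plone.api',
 'plone.app.dexterity',
 'plone.directives.form',
@@ -59,7 +60,7 @@
 'plone.formwidget.contenttree',
 'plone.principalsource',
 'collective.z3cform.chosen',
-'z3c.table',
+'z3c.table>=2.2',
 ],
 extras_require={
 'test': ['plone.app.testing',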
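Review bot: `'future'` is added to install_requires with no version bound, unlike the `z3c.table>=2.2` pin in the second hunk of this file, and nothing in the diff records what it is for; presumably it backs the new `from html import escape` in column.py on Python 2, where the standard library has no `html` module. A trailing comment such as `'future',  # html.escape backport for Python 2` would make the reason visible, and a lower bound matching the oldest release that ships that backport would keep installs reproducible.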
42 changes: 26 additions & 16 deletions src/collective/dms/basecontent/browser/column.py
@@ -1,19 +1,22 @@
import os.path
import Missing
from Acquisition import aq_base
from AccessControl import getSecurityManager
from Products.CMFCore.utils import getToolByName
from Acquisition import aq_base
from collective.dms.basecontent import _
from five import grok
from html import escape
from Products.CMFCore.utils import getToolByName
from Products.CMFCore.WorkflowCore import WorkflowException
from Products.CMFPlone.utils import safe_unicode
from z3c.table import interfaces
from zope.component import getMultiAdapter
from zope.i18nmessageid import MessageFactory
from zope.i18n import translate
import z3c.table.table
import z3c.table.column
from Products.CMFCore.WorkflowCore import WorkflowException
from zope.i18nmessageid import MessageFactory

import Missing
import os.path
import plone.api
import z3c.table.column
import z3c.table.table

from collective.dms.basecontent import _

PMF = MessageFactory('plone')

Expand Down Expand Up @@ -74,11 +77,11 @@ def renderCell(self, item):
for principal_id in value:
user = mtool.getMemberById(principal_id)
if user is not None:
principals.append(user.getProperty('fullname', None) or user.getId())
principals.append(escape(user.getProperty('fullname', None)) or user.getId())
else:
group = gtool.getGroupById(principal_id)
if group is not None:
principals.append(group.getProperty('title', None) or group.getId())
principals.append(escape(group.getProperty('title', None)) or group.getId())

return ', '.join(principals).decode('utf-8')

Expand All @@ -92,6 +95,16 @@ def getLinkURL(self, item):
return '%s/%s' % (item.getURL(), self.linkName)
return item.getURL()

def renderCell(self, item):
# setup a tag
return '<a href="%s"%s%s%s>%s</a>' % (
self.getLinkURL(item), # originally escaped
self.getLinkTarget(item),
self.getLinkCSS(item),
self.getLinkTitle(item),
self.getLinkContent(item), # originally escaped
)


class TitleColumn(LinkColumn):
grok.baseclass()
Expand All @@ -100,17 +113,14 @@ class TitleColumn(LinkColumn):

def getLinkContent(self, item):
title = get_value(item, 'Title')
if isinstance(title, unicode):
return title
else:
return unicode(title, 'utf-8', 'ignore')
return escape(safe_unicode(title))


class IconColumn(LinkColumn):
grok.baseclass()

def getLinkContent(self, item):
content = super(IconColumn, self).getLinkContent(item)
content = super(IconColumn, self).getLinkContent(item) # escaped
return u"""<img title="%s" src="%s" />""" % (
content,
'%s/%s' % (self.table.portal_url, self.iconName))
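Review bot: `escape(user.getProperty('fullname', None))` on the first changed line of the renderCell hunk (and the matching group line below it) raises AttributeError when the property is unset, because `html.escape` calls `str.replace` on its argument and the explicit `None` default no longer reaches the `or` fallback the old code relied on; the fallback id is also left unescaped. Wrapping the whole expression keeps both the fallback and the escaping: `principals.append(escape(user.getProperty('fullname', None) or user.getId()))` and `principals.append(escape(group.getProperty('title', None) or group.getId()))`. That renderCell begins before the hunk. The new LinkColumn.renderCell override marks href and content as `# originally escaped` but does not say why the base-class escaping is bypassed; a docstring stating that every subclass's getLinkContent, getLinkURL and getLinkTitle is now responsible for escaping user-controlled text would make that contract explicit for future subclasses.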
