Merge 4b79c41 into 3c024c4

collective · Jun 7, 2022 · 8ba2901 · 8ba2901
2 parents 3c024c4 + 4b79c41
commit 8ba2901
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 8 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -5,8 +5,12 @@ Changelog
 2.18 (unreleased)
 -----------------
 
-- Nothing changed yet.
-
+- Added `BaseColumn.escape = True` so content is escaped.
+  Manage escape manually for the `TitleColumn`,  `VocabularyColumn` and the
+  `AbbrColumn`, set it to `False` for `CheckBoxColumn`, `ElementNumberColumn`
+  and `ActionsColumn` that are entirely generated, set it to `False` for
+  `PrettyLinkColumnNothing` as `imio.prettylink` manages it itself.
+  [gbastien]
 
 2.17 (2022-05-13)
 -----------------

diff --git a/src/collective/eeafaceted/z3ctable/browser/views.py b/src/collective/eeafaceted/z3ctable/browser/views.py
@@ -13,6 +13,7 @@
 from zope.component import queryMultiAdapter
 from zope.interface import implements
 
+import html
 import logging
 import traceback
 
@@ -80,6 +81,8 @@ def renderCell(self, item, column, colspan=0):
         colspanStr = colspan and ' colspan="%s"' % colspan or ''
         start = datetime.now()
         renderedCell = column.renderCell(item)
+        if column.escape:
+            renderedCell = html.escape(renderedCell)
         if self.debug:
             if not hasattr(column, 'cumulative_time'):
                 column.cumulative_time = timedelta(0)

diff --git a/src/collective/eeafaceted/z3ctable/columns.py b/src/collective/eeafaceted/z3ctable/columns.py
@@ -18,6 +18,7 @@
 from zope.interface import implements
 from zope.schema.interfaces import IVocabularyFactory
 
+import html
 import os
 import pkg_resources
 import urllib
@@ -57,6 +58,8 @@ class BaseColumn(column.GetAttrColumn):
     header_help = None
     # enable caching, needs to be implemented by Column
     use_caching = True
+    # escape
+    escape = True
 
     @property
     def cssClasses(self):
@@ -294,6 +297,8 @@ class DateColumn(BaseColumn):
     long_format = False
     time_only = False
     ignored_value = EMPTY_DATE
+    # not necessary to escape, everything is generated
+    escape = False
 
     def renderCell(self, item):
         value = self.getValue(item)
@@ -362,6 +367,8 @@ class VocabularyColumn(BaseColumn):
     # named utility
     vocabulary = None
     ignored_value = EMPTY_STRING
+    # we escape here
+    escape = False
 
     def renderCell(self, item):
         value = self.getValue(item)
@@ -391,7 +398,7 @@ def renderCell(self, item):
         res = []
         for v in value:
             try:
-                res.append(safe_unicode(self._cached_vocab_instance.getTerm(v).title))
+                res.append(html.escape(safe_unicode(self._cached_vocab_instance.getTerm(v).title)))
             except LookupError:
                 # in case an element is not in the vocabulary, add the value
                 res.append(safe_unicode(v))
@@ -407,6 +414,9 @@ class AbbrColumn(VocabularyColumn):
 
     # named utility
     full_vocabulary = None
+    separator = u', '
+    # we manage escape here manually
+    escape = False
 
     def renderCell(self, item):
         value = self.getValue(item)
@@ -446,13 +456,13 @@ def renderCell(self, item):
                 tag_title = self._cached_full_vocab_instance.getTerm(v).title
                 tag_title = tag_title.replace("'", "&#39;")
                 res.append(u"<abbr title='{0}'>{1}</abbr>".format(
-                    safe_unicode(tag_title),
-                    safe_unicode(self._cached_acronym_vocab_instance.getTerm(v).title)))
+                    html.escape(safe_unicode(tag_title)),
+                    html.escape(safe_unicode(self._cached_acronym_vocab_instance.getTerm(v).title))))
             except LookupError:
                 # in case an element is not in the vocabulary, add the value
-                res.append(safe_unicode(v))
+                res.append(html.escape(safe_unicode(v)))
 
-        res = ', '.join(res)
+        res = self.separator.join(res)
         if self.use_caching:
             self._store_cached_result(value, res)
         return res
@@ -489,6 +499,8 @@ class CheckBoxColumn(BaseColumn):
     checked_by_default = True
     attrName = 'UID'
     weight = 100
+    # not necessary to escape, everything is generated
+    escape = False
 
     def renderHeadCell(self):
         """ """
@@ -542,6 +554,8 @@ def renderCell(self, item):
 
 class ElementNumberColumn(BaseColumn):
     header = u''
+    # not necessary to escape, everything is generated
+    escape = False
 
     def renderCell(self, item):
         """ """
@@ -583,19 +597,24 @@ class TitleColumn(BaseColumn):
     header = _('header_Title')
     sort_index = 'sortable_title'
     weight = 0
+    # we manage escape here manually
+    escape = False
 
     def renderCell(self, item):
         value = self.getValue(item)
         if not value:
             value = u'-'
         value = safe_unicode(value)
-        return u'<a href="{0}">{1}</a>'.format(item.getURL(), value)
+        return u'<a href="{0}">{1}</a>'.format(item.getURL(), html.escape(value))
 
 
 class PrettyLinkColumn(TitleColumn):
     """A column that displays the IPrettyLink.getLink column.
        This rely on imio.prettylink."""
 
+    # escape is managed by imio.prettylink
+    escape = False
+
     params = {}
 
     @property
@@ -763,6 +782,8 @@ class ActionsColumn(BrowserViewCallColumn):
                 'jQuery(document).ready(preventDefaultClickTransition);</script>'
     view_name = 'actions_panel'
     params = {'showHistory': True, 'showActions': True}
+    # not necessary to escape, everything is generated
+    escape = False
 
 
 class IconsColumn(BaseColumn):