Skip to content
Browse files

BF: escape the content of <matches> since its value could contain arb…

…itrary symbols
  • Loading branch information...
1 parent 6ee2c0a commit 83109bce144f443a48ef31165a5389b7b83f4e0e @yarikoptic yarikoptic committed
Showing with 15 additions and 3 deletions.
  1. +15 −3 server/action.py
View
18 server/action.py
@@ -230,7 +230,14 @@ def getActionStop(self):
def execActionStop(self):
stopCmd = Action.replaceTag(self.__actionStop, self.__cInfo)
return Action.executeCmd(stopCmd)
-
+
+ def escapeTag(tag):
+ for c in '\\#&;`|*?~<>^()[]{}$\n':
+ if c in tag:
+ tag = tag.replace(c, '\\' + c)
+ return tag
+ escapeTag = staticmethod(escapeTag)
+
##
# Replaces tags in query with property values in aInfo.
#
@@ -243,8 +250,13 @@ def replaceTag(query, aInfo):
""" Replace tags in query
"""
string = query
- for tag in aInfo:
- string = string.replace('<' + tag + '>', str(aInfo[tag]))
+ for tag, value in aInfo.iteritems():
+ value = str(value) # assure string
+ if tag == 'matches':
+ # That one needs to be escaped since its content is
+ # out of our control
+ value = escapeTag(value)
+ string = string.replace('<' + tag + '>', value)
# New line
string = string.replace("<br>", '\n')
return string

0 comments on commit 83109bc

Please sign in to comment.
Something went wrong with that request. Please try again.