escape special html characters: safer

zopefoundation · Nov 27, 2014 · 43fd4b0 · 43fd4b0
1 parent 7bf16ff
commit 43fd4b0
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 7 deletions.
diff --git a/src/z3c/table/column.py b/src/z3c/table/column.py
@@ -26,6 +26,7 @@
 from zope.security.interfaces import Unauthorized
 from zope.traversing import api
 from zope.traversing.browser import absoluteURL
+import cgi
 import zope.i18n
 import zope.i18nmessageid
 import zope.interface
@@ -364,7 +365,7 @@ def getLinkCSS(self, item):
 
     def getLinkTitle(self, item):
         """Setup link title."""
-        return self.linkTitle and ' title="%s"' % self.linkTitle or ''
+        return self.linkTitle and ' title="%s"' % cgi.escape(self.linkTitle, quote=True) or ''
 
     def getLinkTarget(self, item):
         """Setup link css."""

diff --git a/src/z3c/table/column.txt b/src/z3c/table/column.txt
@@ -1052,7 +1052,7 @@ columns which can point to a page with the item as context:
   ...     linkName = 'myLink.html'
   ...     linkTarget = '_blank'
   ...     linkCSS = 'myClass'
-  ...     linkTitle = 'Click'
+  ...     linkTitle = 'Click >'
 
   >>> class MyLinkTable(table.Table):
   ...     cssClassSortedOn = None
@@ -1083,23 +1083,23 @@ Now create, update and render our table:
     </thead>
     <tbody>
       <tr>
-        <td><a href="http://127.0.0.1/container/first/myLink.html" target="_blank" class="myClass" title="Click">first</a></td>
+        <td><a href="http://127.0.0.1/container/first/myLink.html" target="_blank" class="myClass" title="Click &gt;">first</a></td>
         <td>number: 1</td>
       </tr>
       <tr>
-        <td><a href="http://127.0.0.1/container/fourth/myLink.html" target="_blank" class="myClass" title="Click">fourth</a></td>
+        <td><a href="http://127.0.0.1/container/fourth/myLink.html" target="_blank" class="myClass" title="Click &gt;">fourth</a></td>
         <td>number: 4</td>
       </tr>
       <tr>
-        <td><a href="http://127.0.0.1/container/second/myLink.html" target="_blank" class="myClass" title="Click">second</a></td>
+        <td><a href="http://127.0.0.1/container/second/myLink.html" target="_blank" class="myClass" title="Click &gt;">second</a></td>
         <td>number: 2</td>
       </tr>
       <tr>
-        <td><a href="http://127.0.0.1/container/third/myLink.html" target="_blank" class="myClass" title="Click">third</a></td>
+        <td><a href="http://127.0.0.1/container/third/myLink.html" target="_blank" class="myClass" title="Click &gt;">third</a></td>
         <td>number: 3</td>
       </tr>
       <tr>
-        <td><a href="http://127.0.0.1/container/zero/myLink.html" target="_blank" class="myClass" title="Click">zero</a></td>
+        <td><a href="http://127.0.0.1/container/zero/myLink.html" target="_blank" class="myClass" title="Click &gt;">zero</a></td>
         <td>number: 0</td>
       </tr>
     </tbody>