
Andriy Kornatskyy committed b2af38c

Applied html_escape to widget value



src/wheezy/html/builder.py

 """ ``builder`` module.
 """
 
+from wheezy.html.comp import str_type
 from wheezy.html.markup import Tag
 from wheezy.html.widgets import default
 from wheezy.html.widgets import hidden
+from wheezy.html.utils import html_escape
 
 
 CSS_CLASS_ERROR = 'error'
 
     def __call__(self, value=None, **attrs):
         """
-            >>> w = Widget('label', 'zip_code', '79053', None)
+            >>> w = Widget('label', 'zip_code', 'Zip Code', None)
+            >>> w()
+            <label for="zip-code">Zip Code</label>
         """
         if value is None:
             value = self.value
+        else:
+            value = html_escape(value)
         tag = self.tag(self.name, value, attrs)
         if attrs and hasattr(tag, 'attrs'):
             tag.attrs.update(attrs)
     """
         ``errors`` - a list of errors.
 
-        >>> class User(object): pass
-        >>> model = User()
-
         textbox
 
-        >>> model.age = 33
         >>> errors = []
-        >>> h = WidgetBuilder('age', 33, errors)
+        >>> h = WidgetBuilder('age', '33', errors)
         >>> h.textbox(class_='b')
         <input class="b" type="text" id="age" value="33" name="age" />
         >>> h.error()
         ''
         >>> errors.append('required')
-        >>> h = WidgetBuilder('age', 0, errors)
+        >>> h = WidgetBuilder('age', '0', errors)
         >>> h.textbox(class_='b')
         <input class="error b" type="text" id="age" value="0" name="age" />
         >>> h.error()
 
     def __repr__(self):
         """
-            >>> class A(object):pass
-            >>> model = A()
-            >>> model.x = 100
-            >>> errors = []
-            >>> h = WidgetBuilder('x', 100, errors)
+            >>> h = WidgetBuilder('age', '0', None)
             >>> h
-            100
+            0
         """
-        return str(self.value)
+        return self.value
 
     def __getattr__(self, tag_name):
         return Widget(tag_name, self.name, self.value,
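Review bot: In `__call__` the new `else` branch escapes only an explicitly passed `value`, while `self.value` is used as-is, so the protection depends on every `WidgetBuilder` being created through the factory (which escapes on read); a `WidgetBuilder(name, value, errors)` constructed directly, as the doctests at `h = WidgetBuilder('age', '33', errors)` do, renders its value unescaped. Either escape in `WidgetBuilder.__init__` (and drop the factory-side escape to avoid double escaping) or state the contract in the class docstring: `value must already be html-escaped; the factory does this in __getattr__`. `html_escape(value)` also raises AttributeError for non-string values because it is built on `str.replace`; `value = html_escape(str_type(value))` would match factory.py and use the `str_type` import added to this file, which otherwise appears unused in the visible hunks. `__repr__` now returns `self.value` directly and so rests on the same str-only assumption. `__call__` and `__getattr__` continue outside the hunk.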

src/wheezy/html/factory.py

 """
 
 from wheezy.html.builder import WidgetBuilder
+from wheezy.html.comp import str_type
 from wheezy.html.markup import Fragment
 from wheezy.html.markup import Tag
+from wheezy.html.utils import html_escape
 
 
 CSS_CLASS_ERROR_MESSAGE = 'error-message'
         >>> user.id.hidden()
         <input type="hidden" name="id" value="12345" />
 
-        >>> user.name.textbox(maxlength=30)  #doctest: +NORMALIZE_WHITESPACE
+        >>> user.name.textbox(maxlength='30')  #doctest: +NORMALIZE_WHITESPACE
         <input maxlength="30" type="text" id="name"
             value="John" name="name" />
 
-        >>> user.name.textarea(rows=10)  #doctest: +NORMALIZE_WHITESPACE
+        >>> user.name.textarea(rows='10')  #doctest: +NORMALIZE_WHITESPACE
         <textarea rows="10" cols="40" id="name"
             name="name">John</textarea>
 
 
     """
 
+    __slots__ = ['model', 'errors', 'builders']
+
     def __init__(self, model, errors):
         self.model = model
         self.errors = errors
         try:
             return self.builders[name]
         except KeyError:
-            value = getattr(self.model, name)
+            value = html_escape(str_type(getattr(self.model, name)))
             builder = WidgetBuilder(name, value, self.errors.get(name, None))
             self.builders[name] = builder
             return builder
 
     def info(self, text, class_=CSS_CLASS_INFO_MESSAGE):
         if text:
-            return Tag('span', text, {
+            return Tag('span', html_escape(text), {
                 'class_': class_
             })
         else:
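Review bot: `__getattr__` escapes the model value once on first access and caches the escaped string in `self.builders`, so every downstream widget now receives a pre-escaped `str` and the same builder is reused even if the model attribute changes later; this is a reasonable design but it is not written down, and the error text from `self.errors.get(name, None)` is not visibly escaped here even though `info()` now escapes its `text`. Add a comment above the `html_escape(str_type(...))` line, e.g. `# escape once on read: builders/widgets assume value is an html-escaped str`, and confirm where error messages are escaped before they reach a Tag. `html_escape(str_type(None))` presumably yields the text `'None'` for unset attributes — if that is intended, a doctest would pin it. `__getattr__` starts outside the hunk.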

src/wheezy/html/markup.py

         return self.render(str_type)
 
     def __str__(self):
-        return self.render(str_type)
+        return self.render(str)
 
     def __repr__(self):
         return self.render(str)
         if self.attrs:
             for name, value in iteritems(self.attrs):
                 append(' ' + name.rstrip('_') +
-                        '="' + converter(value) + '"')
+                        '="' + value + '"')
         if self.inner is not None:
-            append('>')
-            append(converter(self.inner))
-            append('</' + self.name + '>')
+            append('>' + converter(self.inner) +
+                    '</' + self.name + '>')
         else:
             append(' />')
         return ''.join(parts)
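Review bot: Dropping `converter(value)` in the attribute loop means `render` now concatenates attribute values raw, so a non-string value raises TypeError (presumably the reason for the `maxlength='30'` doctest changes in factory.py) and an attribute value the caller did not escape can close the `"`-quoted attribute; `inner` still goes through `converter` but is not escaped there either. The contract belongs in a comment at the loop: `# attr values and inner must be pre-escaped str; see utils.html_escape and factory.__getattr__`. The `__str__` change to `self.render(str)` while the method just above returns `self.render(str_type)` looks intentional for the Python 2/3 split but deserves a one-line comment saying so. `render` starts outside the hunk.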

src/wheezy/html/utils.py

+
+""" ``utils`` module.
+"""
+
+
+def html_escape(s):
+    """ Escapes a string so it is valid within HTML.
+
+        >>> html_escape('abc')
+        'abc'
+        >>> html_escape('&<>"\\'')
+        "&amp;&lt;&gt;&quot;\'"
+    """
+    return s.replace('&', '&amp;').replace('<', '&lt;'
+            ).replace('>', '&gt;').replace('"', '&quot;')
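Review bot: `html_escape` does not escape `'`, as the doctest output `"&amp;&lt;&gt;&quot;\'"` documents; this is only safe because markup.py emits attributes in double quotes, so a later single-quoted attribute would bypass the escape. Appending `.replace("'", '&#39;')` as the last step (and updating the doctest to `"&amp;&lt;&gt;&quot;&#39;"`) costs nothing and removes that dependency on the quoting style. The function also assumes a `str` argument — `None` or an int raises AttributeError — which callers in factory.py handle with `str_type(...)` but builder.py's `__call__` does not; note it in the docstring: `s must be a str; callers convert with str_type first`.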

src/wheezy/html/widgets.py

 
 def checkbox(name, checked, attrs=None):
     """
-        >>> checkbox('accept', True)  #doctest: +NORMALIZE_WHITESPACE
+        >>> checkbox('accept', 'True')  #doctest: +NORMALIZE_WHITESPACE
         <input type="hidden" name="accept" /><input checked="checked"
             type="checkbox" id="accept" value="1" name="accept" />
-        >>> checkbox('accept', False)  #doctest: +NORMALIZE_WHITESPACE
+        >>> checkbox('accept', 'False')  #doctest: +NORMALIZE_WHITESPACE
         <input type="hidden" name="accept" /><input type="checkbox"
             id="accept" value="1" name="accept" />
 
-        >>> checkbox('accept', True,
+        >>> checkbox('accept', 'True',
         ...         attrs={'class_': 'b'})  #doctest: +NORMALIZE_WHITESPACE
         <input type="hidden" name="accept" /><input class="b"
             checked="checked" name="accept" type="checkbox"
             'type': 'checkbox',
             'value': '1'
     }
-    if checked:
+    if checked == 'True':
         tag_attrs['checked'] = 'checked'
     if attrs:
         tag_attrs.update(attrs)
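Review bot: `if checked == 'True':` ties the checkbox to the exact text `str_type(True)` produces after the factory stringifies the model value, so any other truthy representation (`1`, `'1'`, `'true'`) now renders unchecked where it used to be checked, and a caller passing a real bool hits the string comparison and never matches. If the stringified protocol is the intent, say so at the comparison: `# value arrives from the factory as html_escape(str_type(v)); bool True is 'True'`, and consider `checked in ('True', '1', 'true')` if non-bool model fields are expected. `checkbox` continues outside the hunk.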