
Georg Brandl committed b2c58e9

Fix #51: escape config variables in HTML templates.


Files changed (6)

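--- a/sphinx/templates/changes/frameset.html
+++ b/sphinx/templates/changes/frameset.html
   "http://www.w3.org/TR/html4/frameset.dtd">
 <html>
   <head>
-    <title>{% trans version=version, docstitle=docstitle %}Changes in Version {{ version }} &mdash; {{ docstitle }}{% endtrans %}</title>
+    <title>{% trans version=version|e, docstitle=docstitle|e %}Changes in Version {{ version }} &mdash; {{ docstitle }}{% endtrans %}</title>
   </head>
   <frameset cols="45%,*">
     <frame name="main" src="changes.html">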

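--- a/sphinx/templates/changes/rstsource.html
+++ b/sphinx/templates/changes/rstsource.html
   "http://www.w3.org/TR/html4/loose.dtd">
 <html>
   <head>
-    <title>{% trans filename=filename, docstitle=docstitle %}{{ filename }} &mdash; {{ docstitle }}{% endtrans %}</title>
+    <title>{% trans filename=filename, docstitle=docstitle|e %}{{ filename }} &mdash; {{ docstitle }}{% endtrans %}</title>
     <style type="text/css">
       .hl { background-color: yellow }
     </style>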
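Review bot: `filename` is still interpolated unescaped in the new `<title>` on the very line that now escapes `docstitle` (`filename=filename, docstitle=docstitle|e`). It is a path from the build's source tree rather than a conf.py value, so it may be deliberately outside this commit's scope, but it lands in the same HTML text context and the filter costs nothing: `{% trans filename=filename|e, docstitle=docstitle|e %}`. The `<html>` and `<head>` elements opened in this hunk close outside it.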

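--- a/sphinx/templates/changes/versionchanges.html
+++ b/sphinx/templates/changes/versionchanges.html
   <head>
     <link rel="stylesheet" href="default.css">
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
-    <title>{% trans version=version, docstitle=docstitle %}Changes in Version {{ version }} &mdash; {{ docstitle }}{% endtrans %}</title>
+    <title>{% trans version=version|e, docstitle=docstitle|e %}Changes in Version {{ version }} &mdash; {{ docstitle }}{% endtrans %}</title>
   </head>
   <body>
     <div class="document">
       <div class="body">
-    <h1>{% trans version=version %}Automatically generated list of changes in version {{ version }}{% endtrans %}</h1>
+    <h1>{% trans version=version|e %}Automatically generated list of changes in version {{ version }}{% endtrans %}</h1>
     <h2>{{ _('Library changes') }}</h2>
     {% for modname, changes in libchanges %}
     <h4>{{ modname }}</h4>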
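Review bot: `{{ modname }}` in the `<h4>` directly under the newly escaped `<h1>` is still rendered raw; it is not a conf.py value, but it is emitted into the same HTML body and presumably comes from the documented sources, so `<h4>{{ modname|e }}</h4>` would keep this template uniformly escaped. The other per-entry fields of `libchanges` are rendered inside the same loop but outside this hunk and likely deserve the same treatment. The `{% for %}` loop, the two `<div>`s and `<body>` all close beyond the visible lines.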

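--- a/sphinx/templates/defindex.html
+++ b/sphinx/templates/defindex.html
 {% extends "layout.html" %}
 {% set title = _('Overview') %}
 {% block body %}
-  <h1>{{ docstitle }}</h1>
+  <h1>{{ docstitle|e }}</h1>
   <p>
     Welcome! This is
-    {% block description %}the documentation for {{ project }}
-    {{ release }}{% if last_updated %}, last updated {{ last_updated }}{% endif %}{% endblock %}.
+    {% block description %}the documentation for {{ project|e }}
+    {{ release|e }}{% if last_updated %}, last updated {{ last_updated|e }}{% endif %}{% endblock %}.
   </p>
   {% block tables %}
   <p><strong>{{ _('Indices and tables:') }}</strong></p>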

sphinx/templates/layout.html

           {%- if not loop.first %}{{ reldelim2 }}{% endif %}</li>
         {%- endfor %}
         {%- block rootrellink %}
-        <li><a href="{{ pathto(master_doc) }}">{{ shorttitle }}</a>{{ reldelim1 }}</li>
+        <li><a href="{{ pathto(master_doc) }}">{{ shorttitle|e }}</a>{{ reldelim1 }}</li>
         {%- endblock %}
         {%- for parent in parents %}
           <li><a href="{{ parent.link|e }}" accesskey="U">{{ parent.title }}</a>{{ reldelim1 }}</li>
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
     {{ metatags }}
     {%- if builder != 'htmlhelp' %}
-      {%- set titlesuffix = " &mdash; " + docstitle %}
+      {%- set titlesuffix = " &mdash; " + docstitle|e %}
     {%- endif %}
     <title>{{ title|striptags }}{{ titlesuffix }}</title>
     {%- if builder == 'web' %}
     <script type="text/javascript">
       var DOCUMENTATION_OPTIONS = {
           URL_ROOT:    '{{ pathto("", 1) }}',
-          VERSION:     '{{ release }}',
+          VERSION:     '{{ release|e }}',
           COLLAPSE_MODINDEX: false,
           FILE_SUFFIX: '{{ file_suffix }}'
       };
     {%- endfor %}
     {%- if use_opensearch %}
     <link rel="search" type="application/opensearchdescription+xml"
-          title="{% trans docstitle=docstitle%}Search within {{ docstitle }}{% endtrans %}"
+          title="{% trans docstitle=docstitle|e %}Search within {{ docstitle }}{% endtrans %}"
           href="{{ pathto('_static/opensearch.xml', 1) }}"/>
     {%- endif %}
     {%- if favicon %}
     {%- if hasdoc('copyright') %}
     <link rel="copyright" title="{{ _('Copyright') }}" href="{{ pathto('copyright') }}" />
     {%- endif %}
-    <link rel="top" title="{{ docstitle }}" href="{{ pathto('index') }}" />
+    <link rel="top" title="{{ docstitle|e }}" href="{{ pathto('index') }}" />
     {%- if parents %}
     <link rel="up" title="{{ parents[-1].title|striptags }}" href="{{ parents[-1].link|e }}" />
     {%- endif %}
 {%- block footer %}
     <div class="footer">
     {%- if hasdoc('copyright') %}
-      {% trans path=pathto('copyright'), copyright=copyright %}&copy; <a href="{{ path }}">Copyright</a> {{ copyright }}.{% endtrans %}
+      {% trans path=pathto('copyright'), copyright=copyright|e %}&copy; <a href="{{ path }}">Copyright</a> {{ copyright }}.{% endtrans %}
     {%- else %}
-      {% trans copyright=copyright %}&copy; Copyright {{ copyright }}.{% endtrans %}
+      {% trans copyright=copyright|e %}&copy; Copyright {{ copyright }}.{% endtrans %}
     {%- endif %}
     {%- if last_updated %}
-      {% trans last_updated %}Last updated on {{ last_updated }}.{% endtrans %}
+      {% trans last_updated=last_updated|e %}Last updated on {{ last_updated }}.{% endtrans %}
     {%- endif %}
     {%- if show_sphinx %}
-      {% trans sphinx_version=sphinx_version %}Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> {{ sphinx_version }}.{% endtrans %}
+      {% trans sphinx_version=sphinx_version|e %}Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> {{ sphinx_version }}.{% endtrans %}
     {%- endif %}
     </div>
 {%- endblock %}
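Review bot: In the `DOCUMENTATION_OPTIONS` hunk, `FILE_SUFFIX: '{{ file_suffix }}'` on the line right after the newly escaped `VERSION` is still rendered raw, although it is also a config-derived value placed in the same JavaScript string literal; `FILE_SUFFIX: '{{ file_suffix|e }}'` would close that gap. Keep in mind that `|e` is HTML-entity escaping and the parser does not decode entities inside a `<script>` element, so a `'` in `release` ends up as the literal text `&#39;` in the JS value — that does prevent breaking out of the quoted string, but a JavaScript-string escape (backslash, quotes, newlines) would be the precise tool if the Jinja version in use offers one. A minor style point at `titlesuffix`: the filter binds tighter than `+`, so `" &mdash; " + docstitle|e` is correct, but `" &mdash; " + (docstitle|e)` makes it obvious that the entity itself is not being double-escaped. Every hunk in this file sits inside blocks that open or close outside the visible lines.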

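--- a/sphinx/templates/opensearch.xml
+++ b/sphinx/templates/opensearch.xml
 <?xml version="1.0" encoding="UTF-8"?>
 <OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
-  <ShortName>{{ project }}</ShortName>
-  <Description>{% trans docstitle=docstitle %}Search {{ docstitle }}{% endtrans %}</Description>
+  <ShortName>{{ project|e }}</ShortName>
+  <Description>{% trans docstitle=docstitle|e %}Search {{ docstitle }}{% endtrans %}</Description>
   <InputEncoding>utf-8</InputEncoding>
   <Url type="text/html" method="get"
        template="{{ use_opensearch }}/{{ pathto('search') }}?q={searchTerms}&amp;check_keywords=yes&amp;area=default"/>
-  <LongName>{{ docstitle }}</LongName>
+  <LongName>{{ docstitle|e }}</LongName>
 {% block extra %} {# Put e.g. an <Image> element here. #} {% endblock %}
 </OpenSearchDescription>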
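Review bot: The `template="{{ use_opensearch }}/{{ pathto('search') }}?q=…"` attribute two lines below the newly escaped `<ShortName>` still interpolates `use_opensearch` raw, and that appears to be a config value (the OpenSearch base URL) inside an XML attribute, so a `"` or a bare `&` in it would break or alter the element; `template="{{ use_opensearch|e }}/{{ pathto('search') }}?q=…"` keeps the hunk consistent with the rest of the commit. The `|e` filter emits numeric character references such as `&#39;` and `&#34;`, which are valid in XML as well as HTML, so using it in this file is safe. This hunk spans the whole document, which ends at `</OpenSearchDescription>`.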