openlp-core team mailing list archive

[mahfiaz <mahfiaz@xxxxxxxxx>]

mahfiaz has proposed merging lp:~mahfiaz/openlp/bug-908197 into lp:openlp.

Requested reviews:
  OpenLP Core (openlp-core)
Related bugs:
  Bug #908197 in OpenLP: "HTML tags not escaped in alert message"
  https://bugs.launchpad.net/openlp/+bug/908197

For more details, see:
https://code.launchpad.net/~mahfiaz/openlp/bug-908197/+merge/86827

Converts <> marks to &lt;&gt; to make it impossible to insert HTML to alert message.
-- 
https://code.launchpad.net/~mahfiaz/openlp/bug-908197/+merge/86827
Your team OpenLP Core is requested to review the proposed merge of lp:~mahfiaz/openlp/bug-908197 into lp:openlp.

=== modified file 'openlp/core/ui/maindisplay.py'
--- openlp/core/ui/maindisplay.py	2011-12-22 21:36:22 +0000
+++ openlp/core/ui/maindisplay.py	2011-12-23 19:20:31 +0000
@@ -240,12 +240,14 @@
             not self.isVisible():
             shrink = True
             js = u'show_alert("%s", "%s")' % (
-                text.replace(u'\\', u'\\\\').replace(u'\"', u'\\\"'),
+                text.replace(u'\\', u'\\\\').replace(u'\"', u'\\\"')
+                .replace(u'<', u'&lt;').replace(u'>', u'&gt;'),
                 u'top')
         else:
             shrink = False
             js = u'show_alert("%s", "")' % (
-                text.replace(u'\\', u'\\\\').replace(u'\"', u'\\\"'))
+                text.replace(u'\\', u'\\\\').replace(u'\"', u'\\\"')
+                .replace(u'<', u'&lt;').replace(u'>', u'&gt;'))
         height = self.frame.evaluateJavaScript(js)
         if shrink:
             if text: