
openlp-core team mailing list archive

[Merge] lp:~mahfiaz/openlp/bug-908197 into lp:openlp


mahfiaz has proposed merging lp:~mahfiaz/openlp/bug-908197 into lp:openlp.

Requested reviews:
  Jonathan Corwin (j-corwin)
  Tim Bentley (trb143)
  Raoul Snyman (raoul-snyman)
Related bugs:
  Bug #908197 in OpenLP: "HTML tags not escaped in alert message"
  https://bugs.launchpad.net/openlp/+bug/908197
  Bug #911047 in OpenLP: "Formatting tags for alerts"
  https://bugs.launchpad.net/openlp/+bug/911047

For more details, see:
https://code.launchpad.net/~mahfiaz/openlp/bug-908197/+merge/87305

Converts <> marks to &lt;&gt; and & to &amp; to make it impossible to insert HTML into alert messages. Also enables the use of formatting tags in alerts.
-- 
https://code.launchpad.net/~mahfiaz/openlp/bug-908197/+merge/87305
Your team OpenLP Core is subscribed to branch lp:openlp.
=== modified file 'openlp/core/ui/maindisplay.py'
--- openlp/core/ui/maindisplay.py	2011-12-29 17:50:42 +0000
+++ openlp/core/ui/maindisplay.py	2012-01-02 23:48:27 +0000
@@ -28,6 +28,7 @@
 The :mod:`maindisplay` module provides the functionality to display screens
 and play multimedia within OpenLP.
 """
+import cgi
 import logging
 import os
 import sys
@@ -36,7 +37,7 @@
 from PyQt4.phonon import Phonon
 
 from openlp.core.lib import Receiver, build_html, ServiceItem, image_to_byte, \
-    translate, PluginManager
+    translate, PluginManager, expand_tags
 
 from openlp.core.ui import HideMode, ScreenList, AlertLocation
 
@@ -236,16 +237,17 @@
             The text to be displayed.
         """
         log.debug(u'alert to display')
+        # First we convert <>& marks to html variants, then apply
+        # formattingtags, finally we double all backslashes for JavaScript.
+        text_prepared = expand_tags(cgi.escape(text)) \
+            .replace(u'\\', u'\\\\').replace(u'\"', u'\\\"')
         if self.height() != self.screen[u'size'].height() or \
             not self.isVisible():
             shrink = True
-            js = u'show_alert("%s", "%s")' % (
-                text.replace(u'\\', u'\\\\').replace(u'\"', u'\\\"'),
-                u'top')
+            js = u'show_alert("%s", "%s")' % (text_prepared, u'top')
         else:
             shrink = False
-            js = u'show_alert("%s", "")' % (
-                text.replace(u'\\', u'\\\\').replace(u'\"', u'\\\"'))
+            js = u'show_alert("%s", "")' % text_prepared
         height = self.frame.evaluateJavaScript(js)
         if shrink:
             if text:
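Review bot: the comment at the top of this hunk does not match the code: `text_prepared` also escapes double quotes, not only backslashes, and "formattingtags" should read "formatting tags". The step order itself is right: `cgi.escape` runs on the raw text before `expand_tags`, so user-supplied `<`, `>` and `&` are neutralised while the markup produced by the formatting tags survives; since `cgi.escape` without `quote=True` leaves `"` alone, the explicit `.replace(u'\"', u'\\\"')` is still required for the JavaScript literal. Consider also escaping newline characters, because a literal newline in `text` would terminate the double-quoted `show_alert` argument, and the backslash line continuation before `.replace` would read more clearly wrapped in parentheses.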


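The escape-then-expand-then-JavaScript-quote order that this patch introduces, shown as an added example on constructed input (this is not OpenLP's own code). It assumes a minimal stand-in tag table and `expand_tags`, and uses Python 3's `html.escape(quote=False)` in place of Python 2's `cgi.escape`; it also shows what goes wrong when the tags are expanded before escaping.

```python
"""Added example: prepare alert text for an HTML display driven by JavaScript.

html.escape(quote=False) stands in for Python 2's cgi.escape; FORMATTING_TAGS
and expand_tags are constructed stand-ins for OpenLP's formatting-tag table.
"""
import html

# Constructed stand-in for the configured formatting tags (assumption).
FORMATTING_TAGS = {
    '{r}': '<span style="color:red">',
    '{/r}': '</span>',
}


def expand_tags(text):
    """Replace {tag} markers with their HTML markup (stand-in)."""
    for tag, markup in FORMATTING_TAGS.items():
        text = text.replace(tag, markup)
    return text


def js_string_escape(text):
    """Escape for a double-quoted JavaScript string literal, as the patch does:
    double every backslash first, then escape the double quotes."""
    return text.replace('\\', '\\\\').replace('"', '\\"')


def prepare_alert_text(text):
    """Patch order: escape user text, then expand tags, then JS-escape.
    User-supplied < > & are neutralised; markup from the tag table is not."""
    escaped = html.escape(text, quote=False)   # only < > & (like cgi.escape)
    return js_string_escape(expand_tags(escaped))


def prepare_alert_text_wrong_order(text):
    """Expanding before escaping: the tag markup is escaped too, so the
    formatting is lost (the reason the patch escapes first)."""
    return js_string_escape(html.escape(expand_tags(text), quote=False))


def build_show_alert_js(text, location='top'):
    """Build the show_alert call the display evaluates."""
    return 'show_alert("%s", "%s")' % (prepare_alert_text(text), location)


if __name__ == '__main__':
    sample = '<b>Hi</b> & {r}bye{/r} "q" \\x'   # constructed alert text
    print(build_show_alert_js(sample))
```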