Module: check_mk
Branch: master
Commit: 2a84188258a2de48e589a04b89d653ac9d8e77f3
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=2a84188258a2de…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Oct 22 16:32:18 2013 +0200
Trying to escape some more vars in generic places - hopefully leaves most things working
---
web/htdocs/htmllib.py | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/web/htdocs/htmllib.py b/web/htdocs/htmllib.py
index 0be74f0..c26a0da 100644
--- a/web/htdocs/htmllib.py
+++ b/web/htdocs/htmllib.py
@@ -163,11 +163,13 @@ class html:
else:
enctype = ''
if onsubmit:
- onsubmit = ' onsubmit="%s"' % onsubmit
+ onsubmit = ' onsubmit="%s"' % self.attrencode(onsubmit)
else:
onsubmit = ''
+ enc_name = self.attrencode(name)
self.write('<form id="form_%s" name="%s"
class="%s" action="%s" method="%s"%s%s>\n' %
- (name, name, name, action, method, enctype, onsubmit))
+ (enc_name, enc_name, enc_name, self.attrencode(action),
self.attrencode(method),
+ enctype, onsubmit))
self.hidden_field("filled_in", name)
if add_transid:
self.hidden_field("_transid", str(self.fresh_transid()))
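Review bot: Now that `name`, `action` and `onsubmit` are attribute-encoded inside this function, any caller that already passes a pre-escaped string (for example an `action` URL containing `&amp;`) will be double-encoded; the commit message's "hopefully leaves most things working" suggests callers have not been audited for this. A one-line comment above the `self.write` makes the new contract explicit: `# name/action/method/onsubmit are attribute-encoded here: pass raw, unescaped values`. Note also that `attrencode` only protects the attribute boundary; it does not restrict the scheme of `action`, so if `action` can ever be derived from request data a `javascript:` URL would still pass, which should be checked at the caller. The enclosing function starts before this hunk, and the `enctype` branch that feeds line L17 is not visible here.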
@@ -199,7 +201,7 @@ class html:
def hidden_field(self, var, value, id = None, add_var = False):
if value != None:
- id = id and ' id="%s"' % id or ''
+ id = id and ' id="%s"' % self.attrencode(id) or ''
self.write("<input type=\"hidden\" name=\"%s\"
value=\"%s\"%s />" %
(self.attrencode(var), self.attrencode(value), id))
if add_var:
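Review bot: `hidden_field` has no docstring, and with this change all three of `var`, `value` and `id` are encoded on output, which is exactly the kind of contract a caller needs to know so it does not escape beforehand. Suggest `"""Write a hidden <input>. var, value and id are attribute-encoded here, so callers must pass raw (unescaped) strings."""` directly under the `def`. The function body continues past the end of this hunk (`if add_var:` is cut off), so whatever follows was not reviewed.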
@@ -254,7 +256,7 @@ class html:
def image_button(self, varname, title, cssclass = ''):
if not self.mobile:
- self.write('<label for="%s"
class="image_button">' % varname)
+ self.write('<label for="%s"
class="image_button">' % self.attrencode(varname))
self.raw_button(varname, title, cssclass)
if not self.mobile:
self.write('</label>')
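Review bot: The `<label for="...">` now carries the encoded `varname`, but the matching `id` is emitted by `raw_button`, which is outside this hunk; if `raw_button` still interpolates `varname` unencoded, the label/button pairing works for benign names while the original injection sink is merely moved one call deeper. Presumably `raw_button` was or will be updated in the same series, but it is worth confirming and, if so, encoding it there too, e.g. `self.attrencode(varname)` in its `id=` attribute. The enclosing function `image_button` starts at the hunk's first line but its callee is not visible here.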
@@ -483,7 +485,8 @@ class html:
for value, text in options:
if value == None: value = ""
sel = value == current and " selected" or ""
- self.write("<option
value=\"%s\"%s>%s</option>\n" % (value, sel, text))
+ self.write("<option
value=\"%s\"%s>%s</option>\n" %
+ (self.attrencode(value), sel, self.attrencode(text)))
self.write("</select>\n")
if varname:
self.form_vars.append(varname)
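Review bot: `self.attrencode(text)` is applied to element *content* (the text node between `<option>` and `</option>`), not to an attribute value; that is only sufficient if `attrencode` escapes `&`, `<` and `>` as well as quotes, which cannot be seen from this hunk. If it only escapes quote characters, `text` still needs a text-content escaper, and a comment such as `# attrencode also escapes <, > and &, so it is safe for option text` would document the assumption once confirmed. The loop's enclosing function starts before the hunk and the `varname` appended on the last line is not visible at its definition.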
@@ -496,7 +499,8 @@ class html:
if value == None: value = ""
sel = value == current and " selected" or ""
self.write('<option
style="background-image:url(images/icon_%s.png);" '
- 'value=\"%s\"%s>%s</option>\n' % (icon,
value, sel, text))
+ 'value=\"%s\"%s>%s</option>\n' %
+ (icon, self.attrencode(value), sel, self.attrencode(text)))
self.write("</select>\n")
if varname:
self.form_vars.append(varname)
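Review bot: `icon` is still interpolated unencoded into `style="background-image:url(images/icon_%s.png);"`, while `value` and `text` on the same line are now encoded; a value containing `"` or `)` can close the `url()` and the `style` attribute. Unless `icon` is guaranteed to be a fixed internal identifier, encode it the same way: `(self.attrencode(icon), self.attrencode(value), sel, self.attrencode(text))`. Note that `attrencode` protects the attribute boundary only, not the CSS `url()` context itself, so if icon names can be user-controlled a whitelist (e.g. `[a-z0-9_]+`) is the safer check. The enclosing function starts before this hunk.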
@@ -518,12 +522,12 @@ class html:
checked = self.var(varname) == value
checked_text = checked and " checked" or ""
if label:
- id = "rb_%s_%s" % (varname, value)
+ id = "rb_%s_%s" % (varname, self.attrencode(value))
idtxt = ' id="%s"' % id
else:
idtxt = ""
self.write("<input type=radio name=%s
value=\"%s\"%s%s>\n" %
- (varname, value, checked_text, idtxt))
+ (varname, self.attrencode(value), checked_text, idtxt))
if label:
self.write('<label for="%s">%s</label>\n' %
(id, label))
self.form_vars.append(varname)
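Review bot: The new code encodes `value` in both the `id` and the `value` attribute, but `varname` is written unencoded and unquoted (`name=%s`) on the `<input type=radio>` line and is also interpolated raw into the `id`; a `varname` containing whitespace or a quote breaks the tag. Suggest `id = "rb_%s_%s" % (self.attrencode(varname), self.attrencode(value))` and `self.write("<input type=radio name=\"%s\" value=\"%s\"%s%s>\n" % (self.attrencode(varname), self.attrencode(value), checked_text, idtxt))`. The `label` text on the last `self.write` is also emitted raw; if it is meant to be plain text rather than markup it should go through `attrencode` as well. The enclosing method starts before this hunk.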