# HG changeset patch
# User Goffi <goffi@goffi.org>
# Date 1450193119 -3600
# Node ID 9a48e09044eb82ff2051c157b9d004b5b780ba2f
# Parent  4c48468ead4c0762f5004550e405d3b778341646
plugin extra_pep, params: fixed insecure building of jids_list

diff -r 4c48468ead4c -r 9a48e09044eb src/memory/params.py
--- a/src/memory/params.py	Fri Dec 11 11:25:29 2015 +0100
+++ b/src/memory/params.py	Tue Dec 15 16:25:19 2015 +0100
@@ -27,6 +27,7 @@
 log = getLogger(__name__)
 from twisted.internet import defer
 from twisted.python.failure import Failure
+from twisted.words.xish import domish
 from twisted.words.protocols.jabber import jid
 from sat.tools.xml_tools import paramsXML2XMLUI, getText
 
@@ -35,6 +36,18 @@
 #       this need an overall simplification to make maintenance easier
 
 
+def createJidElts(jids):
+    """Generator which return <jid/> elements from jids
+
+    @param jids(iterable[id.jID]): jids to use
+    @return (generator[domish.Element]): <jid/> elements
+    """
+    for jid_ in jids:
+        jid_elt = domish.Element((None, 'jid'))
+        jid_elt.addContent(jid_.full())
+        yield jid_elt
+
+
 class Params(object):
     """This class manage parameters with xml"""
     ### TODO: add desciption in params
diff -r 4c48468ead4c -r 9a48e09044eb src/plugins/plugin_misc_extra_pep.py
--- a/src/plugins/plugin_misc_extra_pep.py	Fri Dec 11 11:25:29 2015 +0100
+++ b/src/plugins/plugin_misc_extra_pep.py	Tue Dec 15 16:25:19 2015 +0100
@@ -20,6 +20,8 @@
 from sat.core.i18n import _, D_
 from sat.core.log import getLogger
 log = getLogger(__name__)
+from sat.memory import params
+from twisted.words.protocols.jabber import jid
 
 
 PLUGIN_INFO = {
@@ -34,9 +36,11 @@
     "description": _(u"""Display messages from extra PEP services""")
 }
 
+
 PARAM_KEY = u"Misc"
 PARAM_NAME = u"Blog authors following list"
-PARAM_DEFAULT = ["salut-a-toi@libervia.org"]
+PARAM_DEFAULT = (jid.JID("salut-a-toi@libervia.org"),)
+
 
 class ExtraPEP(object):
 
@@ -55,7 +59,7 @@
         'category_label': D_(PARAM_KEY),
         'param_name': PARAM_NAME,
         'param_label': D_(PARAM_NAME),
-        'jids': "".join(["<jid>%s</jid>" % jid for jid in PARAM_DEFAULT])
+        'jids': u"\n".join({elt.toXml() for elt in params.createJidElts(PARAM_DEFAULT)})
     }
 
     def __init__(self, host):