changeset 2401:221478058d8a

template: improved attribute escaping, and added it to filters under the name "attr_escape"
author Goffi <goffi@goffi.org>
date Fri, 27 Oct 2017 18:13:25 +0200 (2017-10-27)
parents 8253ea069781
children f905dfe69fcc
files src/tools/common/template.py
diffstat 1 files changed, 4 insertions(+), 1 deletions(-) [+]
line wrap: on
line diff
--- a/src/tools/common/template.py	Fri Oct 27 18:11:20 2017 +0200
+++ b/src/tools/common/template.py	Fri Oct 27 18:13:25 2017 +0200
@@ -27,6 +27,7 @@
 import os.path
 from xml.sax.saxutils import quoteattr
 import time
+import re
 from babel import support
 from babel import Locale
 from babel.core import UnknownLocaleError
@@ -46,6 +47,7 @@
 
 HTML_EXT = ('html', 'xhtml')
 DEFAULT_LOCALE = u'en'
+RE_ATTR_ESCAPE = re.compile(r'[^a-z_-]')
 # TODO: handle external path (an additional search path for templates should be settable by user
 # TODO: handle absolute URL (should be used for trusted use cases) only (e.g. jp) for security reason
 
@@ -200,6 +202,7 @@
         self.env.filters['cur_gidx'] = self._cur_gidx
         self.env.filters['date_days'] = self._date_days
         self.env.filters['xmlui_class'] = self._xmlui_class
+        self.env.filters['attr_escape'] = self.attr_escape
         self.env.filters['adv_format'] = self._adv_format
 
     def installTranslations(self):
@@ -340,7 +343,7 @@
 
         remove spaces, and put in lower case
         """
-        return text.strip().lower().replace(' ', '_')
+        return RE_ATTR_ESCAPE.sub(u'_', text.strip().lower())[:50]
 
     def _xmlui_class(self, xmlui_item, fields):
         """return classes computed from XMLUI fields name