changeset 368:97c5a9092bee

browser_side: escape the microblog titles when they are displayed
author souliane <souliane@mailoo.org>
date Sun, 23 Feb 2014 15:00:42 +0100
parents 764c32ecb754
children 678d1739bbf2
files browser_side/richtext.py
diffstat 1 files changed, 2 insertions(+), 1 deletions(-) [+]
--- a/browser_side/richtext.py	Sat Feb 22 08:25:42 2014 +0100
+++ b/browser_side/richtext.py	Sun Feb 23 15:00:42 2014 +0100
@@ -33,6 +33,7 @@
 from dialog import ConfirmDialog, InfoDialog
 from base_panels import TitlePanel, BaseTextEditor, LightTextEditor
 from list_manager import ListManager
+from tools import html_sanitize
 import panels
 
 from sat_frontends.tools import composition
@@ -313,7 +314,7 @@
                 # set the display text in XHTML only during init because a new MicroblogEntry instance is created after each modification
                 text = content['text']
                 if 'title' in content and content['title']:
-                    text = '<h1>%s</h1>%s' % (content['title'], content['text'])
+                    text = '<h1>%s</h1>%s' % (html_sanitize(content['title']), content['text'])
                 self.display.setContent({'text': text})
             self.display.edit(False)
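Review bot: The new line escapes only the title; `content['text']` is still interpolated raw into the `<h1>…</h1>%s` string on the same line, so the fix relies on the text half already being safe XHTML from the backend. That may be intentional, since the surrounding comment says the display text is XHTML, but nothing in the hunk states it; a one-line comment would pin the assumption, e.g. `# title is plain text and must be escaped; 'text' is expected to be backend-produced XHTML — confirm`. It is also not visible whether html_sanitize escapes or whitelists markup, which matters for whether the title may legitimately contain tags. The enclosing method starts outside the hunk.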