BF: escape the content of <matches> since its value could contain arbitrary symbols

2012-10-08 22:14:51 -04:00 · 2012-10-08 22:14:51 -04:00 · 83109bce14
parent 6ee2c0a014
commit 83109bce14
1 changed files with 15 additions and 3 deletions
--- a/server/action.py
+++ b/server/action.py
@ -230,7 +230,14 @@ class Action:
 	def execActionStop(self):
 		stopCmd = Action.replaceTag(self.__actionStop, self.__cInfo)
 		return Action.executeCmd(stopCmd)
-	
+
+	def escapeTag(tag):
+		for c in '\\#&;`|*?~<>^()[]{}$\n':
+			if c in tag:
+				tag = tag.replace(c, '\\' + c)
+		return tag
+	escapeTag = staticmethod(escapeTag)
+
 	##
 	# Replaces tags in query with property values in aInfo.
 	#
@ -243,8 +250,13 @@ class Action:
 		""" Replace tags in query
 		"""
 		string = query
-		for tag in aInfo:
-			string = string.replace('<' + tag + '>', str(aInfo[tag]))
+		for tag, value in aInfo.iteritems():
+			value = str(value)			  # assure string
+			if tag == 'matches':
+				# That one needs to be escaped since its content is
+				# out of our control
+				value = escapeTag(value)
+			string = string.replace('<' + tag + '>', value)
 		# New line
 		string = string.replace("<br>", '\n')
 		return string