From 83109bce144f443a48ef31165a5389b7b83f4e0e Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko
Date: Mon, 8 Oct 2012 22:14:51 -0400
Subject: [PATCH] BF: escape the content of since its value could contain arbitrary symbols
---
 server/action.py | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/server/action.py b/server/action.py
index faf50653a..387c115cf 100644
--- a/server/action.py
+++ b/server/action.py
@@ -230,7 +230,14 @@ class Action:
 def execActionStop(self):
 stopCmd = Action.replaceTag(self.__actionStop, self.__cInfo)
 return Action.executeCmd(stopCmd)
-
+
+ def escapeTag(tag):
+ for c in '\\#&;`|*?~<>^()[]{}$\n':
+ if c in tag:
+ tag = tag.replace(c, '\\' + c)
+ return tag
+ escapeTag = staticmethod(escapeTag)
+
 ##
 # Replaces tags in query with property values in aInfo.
 #
@@ -243,8 +250,13 @@ class Action:
 """ Replace tags in query
 """
 string = query
- for tag in aInfo:
- string = string.replace('<' + tag + '>', str(aInfo[tag]))
+ for tag, value in aInfo.iteritems():
+ value = str(value) # assure string
+ if tag == 'matches':
+ # That one needs to be escaped since its content is
+ # out of our control
+ value = escapeTag(value)
+ string = string.replace('<' + tag + '>', value)
 # New line
 string = string.replace("
", '\n')
 return string
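Review bot: The character set in `escapeTag` (first hunk) leaves out the single and double quote characters, so a `matches` value that an action places inside a quoted argument can still end that quoting; adding both quote characters to the escaped set closes that gap. A deny-list of shell metacharacters is easy to leave incomplete, so handing the log text to the command through an environment variable, rather than splicing it into the command string, would remove the dependence on the list. The backslash placed in front of `\n` is presumably read by the shell as a line continuation, which drops the newline instead of keeping it literal; that is worth confirming against the shell `executeCmd` uses. The helper also has no docstring, and `"""Backslash-escape shell metacharacters in tag before it is substituted into an action command."""` would state its contract.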
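Review bot: The call `value = escapeTag(value)` in the second hunk uses a bare name, but the first hunk defines `escapeTag` as a static method in the body of `Action`, and class-level names are not visible from inside a method body; unless a module-level `escapeTag` exists outside this patch, the line raises NameError whenever `aInfo` carries a `matches` key. The surrounding code already reaches its siblings as `Action.replaceTag` and `Action.executeCmd`, so `value = Action.escapeTag(value)` follows the same convention. A failure at this point would presumably keep the action command from being run at all, which for a ban action means the offending host is not blocked. The body of `replaceTag` begins above the hunk, so its signature is not visible here. Since only `matches` is escaped, a comment stating why the other tag values are considered safe to substitute unescaped would help the next reader.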