Browse Source

BF: escape the content of <matches> since its value could contain arbitrary symbols

pull/68/merge
Yaroslav Halchenko 12 years ago
parent
commit
83109bce14
  1. 16
      server/action.py

16
server/action.py

@ -231,6 +231,13 @@ class Action:
stopCmd = Action.replaceTag(self.__actionStop, self.__cInfo)
return Action.executeCmd(stopCmd)
def escapeTag(tag):
for c in '\\#&;`|*?~<>^()[]{}$\n':
if c in tag:
tag = tag.replace(c, '\\' + c)
return tag
escapeTag = staticmethod(escapeTag)
##
# Replaces tags in query with property values in aInfo.
#
@ -243,8 +250,13 @@ class Action:
""" Replace tags in query
"""
string = query
for tag in aInfo:
string = string.replace('<' + tag + '>', str(aInfo[tag]))
for tag, value in aInfo.iteritems():
value = str(value) # assure string
if tag == 'matches':
# That one needs to be escaped since its content is
# out of our control
value = escapeTag(value)
string = string.replace('<' + tag + '>', value)
# New line
string = string.replace("<br>", '\n')
return string

Loading…
Cancel
Save