pombreda / formalchemy

Automatically exported from code.google.com/p/formalchemy
MIT License

No HTML escaping when rendering readonly grid #119

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. create pylons project with type pylons_fa
2. create some models
3. create and render readonly grid for some model while some record has special html chars in some string/unicode field.

What is the expected output? What do you see instead?
special html chars must be escaped, but they aren't

What version of the product are you using? On what operating system?
openSuSE 11.1, Python 2.6, Pylons 0.9.7, SQLAlchemy 0.5.6, FormAlchemy 1.2.3.

Please provide any additional information below.
since pylons 0.9.7 (not 0.9.6) ${...} in mako templates are escaped by default. Issue can be fixed by modifying %(here)s/myproject/templates/grid_readonly.mako:
15c15
<     <td>${field.render_readonly()|n}</td>

---
>     <td>${field.render_readonly()}</td>
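Review bot: Dropping `|n` on line 15 turns Mako's default autoescaping back on for the whole cell, so the output of every renderer is escaped, including renderers that intentionally emit markup (the admin 'edit' and 'delete' links mentioned later in this thread). The fix belongs in `render_readonly()` per field: escape the record's data value there and pass trusted link markup through unchanged, and keep `<td>${field.render_readonly()|n}</td>` in the template so the renderer's already-safe output is not escaped a second time.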

Original issue reported on code.google.com by mihail.l...@gmail.com on 25 Sep 2009 at 9:10

GoogleCodeExporter commented 9 years ago
Sorry, this fix affects admin interface ('edit' and 'delete' links become escaped too) :(

Original comment by mihail.l...@gmail.com on 25 Sep 2009 at 9:16

GoogleCodeExporter commented 9 years ago
Yes, the escaping must be done in field rendering

If the problem occurs with one of fa's renderers then file a new issue for it. Else, fix your own :)

Original comment by gael.pas...@gmail.com on 25 Sep 2009 at 10:01

GoogleCodeExporter commented 9 years ago
OK, this is not an issue, let it be a feature :)
Then, I need an advice:
- if I render with ${field.render_readonly()|n} I get HTML injection in table data cells;
- with ${field.render_readonly()} I can't get 'edit|delete|view' links in additional cells. Should I set any attribute to 'field' to tell FA that value is safe? (I'm glad to migrate from Django to Pylons; although, in Django I could set 'is_safe' attribute to any str variable to avoid escaping).
Any advice is greatly appreciated!

Original comment by mihail.l...@gmail.com on 27 Sep 2009 at 4:13
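The following is an added example, not code from FormAlchemy, Pylons or the reporter. It models the three situations in this thread in plain Python so they can be run side by side: a renderer that returns raw data behind a `|n` cell (HTML injection), a cell that is autoescaped as Mako 0.9.7 does by default (which also escapes the edit/delete links), and the approach the maintainer describes, escaping inside the field renderer and returning a marked-safe string, which is the role Django's `mark_safe`/`is_safe` plays in the reporter's question. The `ReadonlyField`, `ActionLinks` and `Markup` names and the `/admin/record/...` link paths are assumptions made for illustration, not FormAlchemy's API.

```python
import html

# Added example; the class names, render_readonly() signature and admin link
# paths are assumptions for illustration, not FormAlchemy's own API.


class Markup(str):
    """A str that is already safe HTML (escaped data or trusted markup).

    Plays the part of Django's SafeString / mark_safe from the thread:
    escape() leaves Markup instances untouched, so escaping is idempotent.
    """
    __slots__ = ()


def escape(value):
    """Escape a value for use in HTML text or attributes, unless already Markup."""
    if isinstance(value, Markup):
        return value
    return Markup(html.escape(str(value), quote=True))


class NaiveReadonlyField:
    """Pre-fix behaviour: the renderer hands back the raw record value."""

    def __init__(self, name, value):
        self.name, self.value = name, value

    def render_readonly(self):
        return str(self.value)


class ReadonlyField:
    """The fix: escaping lives in the field renderer, not in the template."""

    def __init__(self, name, value):
        self.name, self.value = name, value

    def render_readonly(self):
        return escape(self.value)


class ActionLinks:
    """Extra admin column emitting edit/delete links (hypothetical paths).

    The link markup is trusted and returned as Markup; the record id that is
    interpolated into it is untrusted data and is escaped first.
    """

    def __init__(self, name, record_id, base="/admin/record"):
        self.name, self.record_id, self.base = name, record_id, base

    def render_readonly(self):
        rid = escape(self.record_id)
        return Markup(
            '<a href="%s/%s/edit">edit</a> | <a href="%s/%s/delete">delete</a>'
            % (self.base, rid, self.base, rid)
        )


def cell_with_n_filter(field):
    """Equivalent of <td>${field.render_readonly()|n}</td>: trusts the renderer."""
    return "<td>%s</td>" % field.render_readonly()


def cell_autoescaped(field):
    """Equivalent of <td>${field.render_readonly()}</td> with Mako autoescape
    on: everything is escaped, link markup and already-escaped data included."""
    return "<td>%s</td>" % html.escape(str(field.render_readonly()), quote=True)


def render_row(fields, cell=cell_with_n_filter):
    """Render one grid row; with escaping in the renderers, |n is safe."""
    return "<tr>%s</tr>" % "".join(cell(f) for f in fields)


def demo():
    # Constructed sample record containing HTML special characters.
    hostile = '<script>alert("x")</script>'
    return {
        "injected": cell_with_n_filter(NaiveReadonlyField("name", hostile)),
        "links_escaped": cell_autoescaped(ActionLinks("actions", 7)),
        "fixed": render_row([ReadonlyField("name", hostile), ActionLinks("actions", 7)]),
    }


if __name__ == "__main__":
    for label, out in demo().items():
        print("%-14s %s" % (label + ":", out))
```

With escaping done in `render_readonly()`, the template can keep `|n` and still never emit raw record data, while a column whose renderer returns `Markup` (the edit/delete links) passes through intact; the `Markup` marker is the "tell FA that this value is safe" attribute the reporter was looking for, applied to the renderer's return value rather than to the field.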