allura
| リビジョン | a490e18e37df8ccc60eb566731d82e4d2ebf937a (tree) |
|---|---|
| 日時 | 2012-01-25 14:38:25 |
| 作者 | Dave Brondsema <dbrondsema@geek...> |
| コミッター | Dave Brondsema |
[#3643] make readme rendering of plaintext safe
Signed-off-by: Dave Brondsema <dbrondsema@geek.net>
Allura/allura/lib/helpers.py (diff)
Allura/allura/templates/repo/tree.html (diff) Allura/allura/tests/test_helpers.py (diff)| @@ -25,6 +25,7 @@ from pylons import c, response, request | ||
| 25 | 25 | from tg.decorators import before_validate |
| 26 | 26 | from formencode.variabledecode import variable_decode |
| 27 | 27 | import formencode |
| 28 | +from jinja2 import Markup | |
| 28 | 29 | |
| 29 | 30 | from webhelpers import date, feedgenerator, html, number, misc, text |
| 30 | 31 |
| @@ -541,12 +542,14 @@ def paging_sanitizer(limit, page, total_count, zero_based_pages=True): | ||
| 541 | 542 | return limit, page |
| 542 | 543 | |
| 543 | 544 | def render_any_markup(name, text): |
| 545 | + """ | |
| 546 | + renders any markup format using the pypeline | |
| 547 | + Returns jinja-safe text | |
| 548 | + """ | |
| 544 | 549 | if text == '': |
| 545 | 550 | text = '<p><em>Empty File</em></p>' |
| 546 | 551 | else: |
| 547 | - renderer = pylons.g.pypeline_markup.renderer(name) | |
| 548 | - if renderer[1]: | |
| 549 | - text = pylons.g.pypeline_markup.render(name,text) | |
| 550 | - else: | |
| 552 | + text = pylons.g.pypeline_markup.render(name, text) | |
| 553 | + if not pylons.g.pypeline_markup.can_render(name): | |
| 551 | 554 | text = '<pre>%s</pre>' % text |
| 552 | - return text | |
| \ No newline at end of file | ||
| 555 | + return Markup(text) | |
| \ No newline at end of file |
| @@ -27,6 +27,6 @@ Tree <a href="{{commit.url()}}">{{commit.shorthand_id()}}</a> {{commit_labels(co | ||
| 27 | 27 | {% set name, text = tree.readme() %} |
| 28 | 28 | {% if name %} |
| 29 | 29 | <h1 id="readme">Read Me</h1> |
| 30 | - {{h.render_any_markup(name, text)|safe}} | |
| 30 | + {{h.render_any_markup(name, text)}} | |
| 31 | 31 | {% endif %} |
| 32 | 32 | {% endblock %} |
| @@ -114,5 +114,14 @@ def test_paging_sanitizer(): | ||
| 114 | 114 | for input, output in test_data.iteritems(): |
| 115 | 115 | assert (h.paging_sanitizer(*input)) == output |
| 116 | 116 | |
| 117 | -def test_render_any_markup(): | |
| 118 | - pass | |
| \ No newline at end of file | ||
| 117 | +def test_render_any_markup_empty(): | |
| 118 | + assert_equals(h.render_any_markup('foo', ''), '<p><em>Empty File</em></p>') | |
| 119 | + | |
| 120 | +def test_render_any_markup_plain(): | |
| 121 | + assert_equals(h.render_any_markup('readme.txt', '<b>blah</b>\n<script>alert(1)</script>\nfoo'), | |
| 122 | + '<pre><b>blah</b>\n<script>alert(1)</script>\nfoo</pre>') | |
| 123 | + | |
| 124 | +def test_render_any_markup_formatting(): | |
| 125 | + assert_equals(h.render_any_markup('README.md', '### foo\n<script>alert(1)</script> bar'), | |
| 126 | + '<h3>foo</h3>\n<p><script>alert(1)</script> bar</p>') | |
| 127 | + |
sado
Fork
allura