[#8536] use Markup's own interpolation
diff --git a/Allura/allura/lib/app_globals.py b/Allura/allura/lib/app_globals.py
index eadabd9..9cc3d86 100644
--- a/Allura/allura/lib/app_globals.py
+++ b/Allura/allura/lib/app_globals.py
@@ -99,17 +99,14 @@
# if text is too big, markdown can take a long time to process it,
# so we return it as a plain text
log.info('Text is too big. Skipping markdown processing')
- escaped = html.escape(h.really_unicode(source))
- return Markup('<pre>%s</pre>' % escaped)
+ return Markup('<pre>{}</pre>').format(h.really_unicode(source))
try:
return self.make_markdown_instance(**self.forge_ext_kwargs).convert(source)
except Exception:
log.info('Invalid markdown: %s Upwards trace is %s', source,
''.join(traceback.format_stack()), exc_info=True)
- escaped = h.really_unicode(source)
- escaped = html.escape(escaped)
return Markup("""<p><strong>ERROR!</strong> The markdown supplied could not be parsed correctly.
- Did you forget to surround a code snippet with "~~~~"?</p><pre>%s</pre>""" % escaped)
+ Did you forget to surround a code snippet with "~~~~"?</p><pre>%s</pre>""") % h.really_unicode(source)
@LazyProperty
def uncacheable_macro_regex(self):
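Review bot: The two escaping sites in this method now use different interpolation styles — `Markup('<pre>{}</pre>').format(...)` in the too-big branch and `Markup("""...""") % h.really_unicode(source)` in the parse-error branch; both escape their argument, but one consistent form (`.format`) makes later audits of Markup construction simpler to grep. With `html.escape` removed here and in the syntax-highlighting hunk below, the `html` import is presumably unused in app_globals.py now; the import block is not visible in this diff, so worth checking. The enclosing method starts before this hunk.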
@@ -471,10 +468,8 @@
lexer = pygments.lexers.get_lexer_by_name(lexer, encoding='chardet')
if lexer is None or len(text) >= asint(config.get('scm.view.max_syntax_highlight_bytes', 500000)):
- # no highlighting, but we should escape, encode, and wrap it in
- # a <pre>
- text = html.escape(text)
- return Markup('<pre>' + text + '</pre>')
+ # no highlighting, but we should wrap it in a <pre> safely
+ return Markup('<pre>{}</pre>').format(text)
else:
return Markup(pygments.highlight(text, lexer, formatter))
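Review bot: The new comment `# no highlighting, but we should wrap it in a <pre> safely` names the intent but not the mechanism, and since the escaping is now implicit in the call rather than a visible `html.escape`, I'd spell it out: `# no highlighting: Markup.format() escapes text before wrapping it in <pre>`. Note that `Markup.format` leaves a value that already implements `__html__` unescaped, so this relies on `text` being a plain str at this point, which the hunk does not show. The enclosing function starts before this hunk.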
@@ -686,7 +681,7 @@
if tag == 'a':
attrs['href'] = '#'
attrs.update(kw)
- attrs = ew._Jinja2Widget().j2_attrs(attrs)
+ attrs = ew._Jinja2Widget().j2_attrs(attrs) # this escapes them
visible_title = ''
if show_title:
visible_title = f' {Markup.escape(title)}'
diff --git a/Allura/allura/lib/search.py b/Allura/allura/lib/search.py
index 27a29f7..3883847 100644
--- a/Allura/allura/lib/search.py
+++ b/Allura/allura/lib/search.py
@@ -409,4 +409,4 @@
map = {}
for m in models:
map[str(m._id)] = m
- return map
\ No newline at end of file
+ return map
diff --git a/Allura/allura/lib/utils.py b/Allura/allura/lib/utils.py
index 683a7fc..0cf6b8c 100644
--- a/Allura/allura/lib/utils.py
+++ b/Allura/allura/lib/utils.py
@@ -211,10 +211,10 @@
class AntiSpam:
'''Helper class for bot-protecting forms'''
- honey_field_template = string.Template('''<p class="$honey_class">
- <label for="$fld_id">You seem to have CSS turned off.
+ honey_field_template = '''<p class="{honey_class}">
+ <label for="{fld_id}">You seem to have CSS turned off.
Please don't fill out this field.</label><br>
- <input id="$fld_id" name="$fld_name" type="text"><br></p>''')
+ <input id="{fld_id}" name="{fld_name}" type="text"><br></p>'''
def __init__(self, request=None, num_honey=2, timestamp=None, spinner=None):
self.num_honey = num_honey
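Review bot: `honey_field_template` is now a plain str holding HTML that the generator in the following hunk wraps as `Markup(self.honey_field_template).format(...)` on every yield; declaring it once as `honey_field_template = Markup('''<p class="{honey_class}">...''')` states at the definition that the literal is trusted markup and reduces the call site to `self.honey_field_template.format(...)`. Because the template is now `str.format`-style, any literal `{` or `}` added to it later must be doubled, which deserves a one-line comment above the attribute, e.g. `# str.format template; Markup.format() escapes the substituted values`. With `string.Template` gone, the `string` import is presumably unused in utils.py; its import block is not in this diff.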
@@ -307,10 +307,10 @@
for fldno in range(self.num_honey):
fld_name = self.enc('honey%d' % (fldno))
fld_id = self.enc('honey%d%d' % (self.counter, fldno))
- yield Markup(self.honey_field_template.substitute(
+ yield Markup(self.honey_field_template).format(
honey_class=self.honey_class,
fld_id=fld_id,
- fld_name=fld_name))
+ fld_name=fld_name)
self.counter += 1
def make_spinner(self, timestamp=None):
diff --git a/Allura/allura/lib/widgets/forms.py b/Allura/allura/lib/widgets/forms.py
index 5252819..134cd6f 100644
--- a/Allura/allura/lib/widgets/forms.py
+++ b/Allura/allura/lib/widgets/forms.py
@@ -102,8 +102,7 @@
or ctx.get('label')
or getattr(field, 'label', None)
or ctx['name'])
- html = '<label for="{}">{}</label>'.format(html_escape(ctx['id']), html_escape(label_text))
- return Markup(html)
+ return Markup('<label for="{}">{}</label>').format(ctx['id'], label_text)
def context_for(self, field):
ctx = super().context_for(field)
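Review bot: With both `html_escape(...)` calls gone from the label builder, the `html_escape` import is presumably unused in forms.py now; the import block is outside this diff, so worth checking. `Markup.format` passes `label_text` through unescaped when it is already a `Markup`, whereas whether the old `html_escape` did the same depends on whether it was `markupsafe.escape` or `html.escape`, which the hunk does not show; if any field label is intentionally markup, that is the behaviour to confirm. The enclosing method starts before this hunk.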
@@ -115,9 +114,8 @@
ctx = self.context_for(field)
display = field.display(**ctx)
if ctx['errors'] and field.show_errors and not ignore_errors:
- display = "{}<div class='error'>{}</div>".format(display,
- ctx['errors'])
- return Markup(display)
+ display += Markup("<div class='error'>{}</div>").format(ctx['errors'])
+ return display
class ForgeFormResponsive(ForgeForm):
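Review bot: `return display` on the last changed line drops the old `Markup(display)` wrapper, so the return type now depends on what `field.display(**ctx)` returns: if a field returns a plain `str`, the no-error path hands back unmarked HTML (which an autoescaping template would then escape), and the error path escapes that string when the `Markup` error div is appended via `Markup.__radd__`. This is only safe if every field's `display` already returns `Markup`, which cannot be confirmed from the hunk; keeping the previous trust of the rendered field while still escaping the errors is a one-line change, `display = Markup(field.display(**ctx))`. The same `return display` pattern in the `display_field` hunk later in this file is fine because there `display` starts as `Markup('<table class="table_class">')`.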
@@ -852,18 +850,18 @@
def display_field(self, field, ignore_errors=False):
if field.name == "css" and self.list_color_inputs:
- display = '<table class="table_class">'
+ display = Markup('<table class="table_class">')
ctx = self.context_for(field)
for inp in self.color_inputs:
additional_inputs = inp.get('additional', '')
empty_val = False
if inp['value'] is None or inp['value'] == '':
empty_val = True
- display += '<tr><td class="left"><label>%(label)s</label></td>' \
- '<td><input type="checkbox" name="%(ctx_name)s-%(inp_name)s-def" %(def_checked)s>default</td>' \
- '<td class="right"><div class="%(ctx_name)s-%(inp_name)s-inp"><table class="input_inner">' \
- '<tr><td><input type="text" class="%(inp_type)s" name="%(ctx_name)s-%(inp_name)s" ' \
- 'value="%(inp_value)s"></td><td>%(inp_additional)s</td></tr></table></div></td></tr>\n' % {
+ display += Markup('<tr><td class="left"><label>%(label)s</label></td>'
+ '<td><input type="checkbox" name="%(ctx_name)s-%(inp_name)s-def" %(def_checked)s>default</td>'
+ '<td class="right"><div class="%(ctx_name)s-%(inp_name)s-inp"><table class="input_inner">'
+ '<tr><td><input type="text" class="%(inp_type)s" name="%(ctx_name)s-%(inp_name)s" '
+ 'value="%(inp_value)s"></td><td>%(inp_additional)s</td></tr></table></div></td></tr>\n') % {
'ctx_name': ctx['name'],
'inp_name': inp['name'],
'inp_value': inp['value'],
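Review bot: The `Markup(...) % {...}` on the last changed line escapes every value in the dict that follows (the dict continues into the next hunk), including `'def_checked': 'checked="checked"'`, a plain str whose quotes will be emitted as `&#34;`, producing `checked=&#34;checked&#34;` inside the input tag; browsers still treat the boolean attribute as present, but the output is mangled. The fix is `'def_checked': Markup('checked="checked"') if empty_val else ''`. `'inp_additional': additional_inputs` is interpolated into a `<td>` and, if the `additional` entries carry HTML, will now be escaped as well unless the caller supplies them as `Markup` — not visible here, worth confirming.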
@@ -871,13 +869,12 @@
'inp_type': inp['type'],
'def_checked': 'checked="checked"' if empty_val else '',
'inp_additional': additional_inputs}
- display += '</table>'
+ display += Markup('</table>')
if ctx['errors'] and field.show_errors and not ignore_errors:
- display = "{}<div class='error'>{}</div>".format(display,
- ctx['errors'])
+ display += Markup("<div class='error'>{}</div>").format(ctx['errors'])
- return Markup(display)
+ return display
else:
return super().display_field(field, ignore_errors)
diff --git a/Allura/allura/tasks/mail_tasks.py b/Allura/allura/tasks/mail_tasks.py
index 8aae497..dd16f7c 100644
--- a/Allura/allura/tasks/mail_tasks.py
+++ b/Allura/allura/tasks/mail_tasks.py
@@ -48,7 +48,7 @@
<meta itemprop="name" content="View"></meta>
</div>
<meta itemprop="description" content="View"></meta>
- </div>""" % metalink)
+ </div>""") % metalink
@task
diff --git a/Allura/allura/tests/test_globals.py b/Allura/allura/tests/test_globals.py
index 472c1f3..27a2ba2 100644
--- a/Allura/allura/tests/test_globals.py
+++ b/Allura/allura/tests/test_globals.py
@@ -441,6 +441,7 @@
text = 'a' * 40001
assert g.markdown.convert(text) == '<pre>%s</pre>' % text
assert g.markdown_wiki.convert(text) == '<pre>%s</pre>' % text
+ assert g.markdown.convert('<b>' + text) == '<pre><b>%s</pre>' % text
def test_markdown_basics(self):
with h.push_context('test', 'wiki', neighborhood='Projects'):
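Review bot: The added assertion as shown, `assert g.markdown.convert('<b>' + text) == '<pre><b>%s</pre>' % text`, expects `<b>` to survive unescaped inside the `<pre>`, which is the opposite of what the `Markup('<pre>{}</pre>').format(...)` change in app_globals.py does. If HTML entities were decoded when this page was rendered, the real expected value is presumably `'<pre>&lt;b&gt;%s</pre>' % text`; otherwise the test does not pin the escaping behaviour the commit introduces and would fail against it. Either way the test should assert the escaped form explicitly so a regression to raw interpolation is caught.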
diff --git a/ForgeActivity/forgeactivity/templates/macros.html b/ForgeActivity/forgeactivity/templates/macros.html
index 8b08adb..970da40 100644
--- a/ForgeActivity/forgeactivity/templates/macros.html
+++ b/ForgeActivity/forgeactivity/templates/macros.html
@@ -66,4 +66,4 @@
</ul>
<a class="view-all" href="{{activity_app.url}}">View All</a>
{% endif %}
-{%- endmacro %}
\ No newline at end of file
+{%- endmacro %}
diff --git a/ForgeTracker/forgetracker/model/ticket.py b/ForgeTracker/forgetracker/model/ticket.py
index bc6910d..de099a3 100644
--- a/ForgeTracker/forgetracker/model/ticket.py
+++ b/ForgeTracker/forgetracker/model/ticket.py
@@ -679,7 +679,7 @@
def link_text(self):
text = super().link_text()
if self.is_closed:
- return markupsafe.Markup('<s>') + text + markupsafe.Markup('</s>')
+ return markupsafe.Markup('<s>{}</s>').format(text)
return text
@property
diff --git a/ForgeTracker/forgetracker/widgets/ticket_form.py b/ForgeTracker/forgetracker/widgets/ticket_form.py
index 1781eb8..7b960c1 100644
--- a/ForgeTracker/forgetracker/widgets/ticket_form.py
+++ b/ForgeTracker/forgetracker/widgets/ticket_form.py
@@ -79,7 +79,7 @@
display = field.display(**ctx)
if ctx['errors'] and field.show_errors and not ignore_errors:
- display += Markup("<div class='error'>") + ctx['errors'] + Markup("</div>")
+ display += Markup("<div class='error'>{}</div>").format(ctx['errors'])
return display
def _add_current_value_to_user_field(self, field, user):