[Zope3-checkins] SVN: Zope3/trunk/ The TextAreaWidget was not escaping its content when the validation failed.

Christian Zagrodnick cz at gocept.com
Thu Mar 1 05:15:14 EST 2007


Log message for revision 72946:
  The TextAreaWidget was not escaping its content when the validation failed.
  As a result, <, > and & were output unquoted.
  
  

Changed:
  U   Zope3/trunk/doc/CHANGES.txt
  U   Zope3/trunk/src/zope/app/form/browser/textwidgets.py
  U   Zope3/trunk/src/zope/app/form/browser/widget.py
  U   Zope3/trunk/src/zope/app/rotterdam/editingwidgets.py

-=-
Modified: Zope3/trunk/doc/CHANGES.txt
===================================================================
--- Zope3/trunk/doc/CHANGES.txt	2007-03-01 08:58:41 UTC (rev 72945)
+++ Zope3/trunk/doc/CHANGES.txt	2007-03-01 10:15:12 UTC (rev 72946)
@@ -185,6 +185,10 @@
 
     Bug fixes
 
+     -  zope.app.form.browser.textwidgets: The TextAreaWidget was not escaping
+        its content when the validation failed. This way <, > and & were put
+        out unquoted.
+
       - zope.app.interface: Fix PersistentInterfaceClass
         (http://www.zope.org/Collectors/Zope3-dev/747)
 

Modified: Zope3/trunk/src/zope/app/form/browser/textwidgets.py
===================================================================
--- Zope3/trunk/src/zope/app/form/browser/textwidgets.py	2007-03-01 08:58:41 UTC (rev 72945)
+++ Zope3/trunk/src/zope/app/form/browser/textwidgets.py	2007-03-01 10:15:12 UTC (rev 72946)
@@ -287,6 +287,48 @@
       name="field.foo"
       rows="15"
       >&lt;h1&gt;&amp;copy;&lt;/h1&gt;</textarea>
+
+    There was a but which caused the content of <textarea> tags not to be
+    rendered correctly when there was a conversion error. Make sure the quoting
+    works correctly::
+
+    >>> from zope.schema import Text
+    >>> field = Text(__name__='description', title=u'Description')
+
+    >>> from zope.app.form.interfaces import ConversionError
+    >>> class TestTextAreaWidget(TextAreaWidget):
+    ...     def _toFieldValue(self, input):
+    ...         if 'foo' in input:
+    ...             raise ConversionError("I don't like foo.")
+    ...         return input
+    ...
+
+    >>> request = TestRequest(form={'field.description': u'<p>bar</p>'})
+    >>> widget = TestTextAreaWidget(field, request)
+    >>> widget.getInputValue()
+    u'<p>bar</p>'
+    >>> print normalize( widget() )
+    <textarea
+      cols="60"
+      id="field.description"
+      name="field.description"
+      rows="15"
+      >&lt;p&gt;bar&lt;/p&gt;</textarea>
+
+    >>> request = TestRequest(form={'field.description': u'<p>foo</p>'})
+    >>> widget = TestTextAreaWidget(field, request)
+    >>> try:
+    ...     widget.getInputValue()
+    ... except ConversionError, error:
+    ...     print error.doc()
+    I don't like foo.
+    >>> print normalize( widget() )
+    <textarea
+      cols="60"
+      id="field.description"
+      name="field.description"
+      rows="15"
+      >&lt;p&gt;foo&lt;/p&gt;</textarea>
     """
 
     default = ""
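Review bot: The new doctest covers only `<` and `>`, although the log message names `&` as affected too. A third case whose rejected input contains an ampersand, such as `u'<p>foo & bar</p>'` with expected contents `&lt;p&gt;foo &amp; bar&lt;/p&gt;`, would pin all three characters on the failed-conversion path. The introductory sentence also has a typo and should read `There was a bug which caused the content of <textarea> tags not to be`. The docstring that holds this doctest begins outside the hunk.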
@@ -310,7 +352,6 @@
         value = super(TextAreaWidget, self)._toFormValue(value)
         if value:
             value = value.replace("\n", "\r\n")
-            value = escape(value)
         else:
             value = u''
 
@@ -324,7 +365,7 @@
                              rows=self.height,
                              cols=self.width,
                              style=self.style,
-                             contents=self._getFormValue(),
+                             contents=escape(self._getFormValue()),
                              extra=self.extra)
 
 class BytesAreaWidget(Bytes, TextAreaWidget):
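Review bot: Nothing at this call site records that `_getFormValue()` now returns unescaped text, which is the contract the fix depends on. With `value = escape(value)` removed from `_toFormValue` in the previous hunk, every renderer that passes `_getFormValue()` as `contents` must escape at output. This commit updates this call and the matching one in `editingwidgets.py`, but a subclass elsewhere that overrides the rendering method and relied on the old behaviour would go from escaped to raw output on the normal path. I would add a comment above the `contents=` argument such as `# _getFormValue() is unescaped on both the converted and the error path; escape at output` and mention the changed `_toFormValue` contract in the CHANGES entry. The enclosing method starts outside the hunk.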

Modified: Zope3/trunk/src/zope/app/form/browser/widget.py
===================================================================
--- Zope3/trunk/src/zope/app/form/browser/widget.py	2007-03-01 08:58:41 UTC (rev 72945)
+++ Zope3/trunk/src/zope/app/form/browser/widget.py	2007-03-01 10:15:12 UTC (rev 72946)
@@ -269,7 +269,7 @@
         >>> widget()
         u'<input class="textType" id="field.price" name="field.price" type="text" value="32.00"  />'
 
-        >>> request = TestRequest(form={'field.price': u'foo'})
+        >>> request = TestRequest(form={'field.price': u'<p>foo</p>'})
         >>> widget = FloatWidget(field, request)
         >>> try:
         ...     widget.getInputValue()
@@ -277,7 +277,7 @@
         ...     print error.doc()
         Invalid floating point data
         >>> widget()
-        u'<input class="textType" id="field.price" name="field.price" type="text" value="foo"  />'
+        u'<input class="textType" id="field.price" name="field.price" type="text" value="&lt;p&gt;foo&lt;/p&gt;"  />'
 
 
     >>> tearDown()
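Review bot: The updated input `u'<p>foo</p>'` checks `<` and `>` inside `value="..."`, but not the double quote, which is the character that can end the attribute itself. I would extend the rejected input to include one, for example `TestRequest(form={'field.price': u'a "b" <c>'})`, and assert that the rendered attribute contains `&quot;` rather than a bare `"`. If the renderer turns out not to quote it, that is a separate defect in the same code path and worth knowing before this is released. The doctest spans this hunk and the previous one, and its docstring starts outside both.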
@@ -376,7 +376,7 @@
 
     def _getCurrentValueHelper(self):
         """Helper to get the current input value.
-        
+
         Raises InputErrors if the data could not be validated/converted.
         """
         input_value = None

Modified: Zope3/trunk/src/zope/app/rotterdam/editingwidgets.py
===================================================================
--- Zope3/trunk/src/zope/app/rotterdam/editingwidgets.py	2007-03-01 08:58:41 UTC (rev 72945)
+++ Zope3/trunk/src/zope/app/rotterdam/editingwidgets.py	2007-03-01 10:15:12 UTC (rev 72946)
@@ -21,7 +21,7 @@
 
 from zope.app.form.interfaces import IInputWidget
 from zope.app.form.browser import TextAreaWidget
-from zope.app.form.browser.widget import renderElement
+from zope.app.form.browser.widget import renderElement, escape
 from zope.app.pagetemplate.viewpagetemplatefile import ViewPageTemplateFile
 
 
@@ -116,7 +116,7 @@
                              rows=self.height,
                              cols=self.width,
                              style=self.style,
-                             contents=self._getFormValue(),
+                             contents=escape(self._getFormValue()),
                              extra=self.extra)
 
     def contents(self):
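Review bot: No test in this commit covers the `escape(...)` added at this call, whereas the equivalent change in `textwidgets.py` comes with a doctest for the failed-conversion path. A similar doctest for this widget, with a rejected value containing `<`, `>` and `&` and the rendered contents asserted as entities, would keep the two renderers from drifting apart again. The `contents` method that begins on the last context line is outside the hunk, so I cannot tell whether it also emits `_getFormValue()`; if it does, it presumably needs the same escaping.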


