[Zope3-checkins] SVN: Zope3/branches/3.3/ - zope.app.form.browser.textwidgets: The TextAreaWidget was not escaping

Christian Zagrodnick cz at gocept.com
Wed Mar 7 05:49:27 EST 2007


Log message for revision 73026:
  - zope.app.form.browser.textwidgets: The TextAreaWidget was not escaping
    its content when the validation failed. As a result, <, > and & were
    output unquoted.
  
  backport from 3.4
  
  

Changed:
  U   Zope3/branches/3.3/doc/CHANGES.txt
  U   Zope3/branches/3.3/src/zope/app/form/browser/textwidgets.py
  U   Zope3/branches/3.3/src/zope/app/form/browser/widget.py
  U   Zope3/branches/3.3/src/zope/app/rotterdam/editingwidgets.py

-=-
Modified: Zope3/branches/3.3/doc/CHANGES.txt
===================================================================
--- Zope3/branches/3.3/doc/CHANGES.txt	2007-03-07 10:44:01 UTC (rev 73025)
+++ Zope3/branches/3.3/doc/CHANGES.txt	2007-03-07 10:49:25 UTC (rev 73026)
@@ -10,6 +10,13 @@
 
     Bugfixes
 
+      - zope.app.form.browser.textwidgets: The TextAreaWidget was not escaping
+        its content when the validation failed. This way <, > and & were put
+        out unquoted.
+
+      - Fixed bug #721: Handling of empty prefixes in zope.formlib and
+        zope.app.form
+
       - Fixed zope.app.cache.ram.RAMCache which ignored the
         cleanupinterval.
 

Modified: Zope3/branches/3.3/src/zope/app/form/browser/textwidgets.py
===================================================================
--- Zope3/branches/3.3/src/zope/app/form/browser/textwidgets.py	2007-03-07 10:44:01 UTC (rev 73025)
+++ Zope3/branches/3.3/src/zope/app/form/browser/textwidgets.py	2007-03-07 10:49:25 UTC (rev 73026)
@@ -286,6 +286,48 @@
       name="field.foo"
       rows="15"
       >&lt;h1&gt;&amp;copy;&lt;/h1&gt;</textarea>
+
+    There was a but which caused the content of <textarea> tags not to be
+    rendered correctly when there was a conversion error. Make sure the quoting
+    works correctly::
+
+    >>> from zope.schema import Text
+    >>> field = Text(__name__='description', title=u'Description')
+
+    >>> from zope.app.form.interfaces import ConversionError
+    >>> class TestTextAreaWidget(TextAreaWidget):
+    ...     def _toFieldValue(self, input):
+    ...         if 'foo' in input:
+    ...             raise ConversionError("I don't like foo.")
+    ...         return input
+    ...
+
+    >>> request = TestRequest(form={'field.description': u'<p>bar</p>'})
+    >>> widget = TestTextAreaWidget(field, request)
+    >>> widget.getInputValue()
+    u'<p>bar</p>'
+    >>> print normalize( widget() )
+    <textarea
+      cols="60"
+      id="field.description"
+      name="field.description"
+      rows="15"
+      >&lt;p&gt;bar&lt;/p&gt;</textarea>
+
+    >>> request = TestRequest(form={'field.description': u'<p>foo</p>'})
+    >>> widget = TestTextAreaWidget(field, request)
+    >>> try:
+    ...     widget.getInputValue()
+    ... except ConversionError, error:
+    ...     print error.doc()
+    I don't like foo.
+    >>> print normalize( widget() )
+    <textarea
+      cols="60"
+      id="field.description"
+      name="field.description"
+      rows="15"
+      >&lt;p&gt;foo&lt;/p&gt;</textarea>
     """
 
     default = ""
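Review bot: The added docstring paragraph has a typo, "There was a but which caused", which should read `There was a bug which caused the content of <textarea> tags not to be`. The conversion-error case also sends only `<` and `>` through the widget, while the log message names `&` as well. An input such as `u'<p>foo & bar</p>'` with expected text `&lt;p&gt;foo &amp; bar&lt;/p&gt;` would pin all three characters on the error path, assuming `normalize` leaves text content untouched. The docstring that holds this doctest starts outside the hunk.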
@@ -309,7 +351,6 @@
         value = super(TextAreaWidget, self)._toFormValue(value)
         if value:
             value = value.replace("\n", "\r\n")
-            value = escape(value)
         else:
             value = u''
 
@@ -323,7 +364,7 @@
                              rows=self.height,
                              cols=self.width,
                              style=self.style,
-                             contents=self._getFormValue(),
+                             contents=escape(self._getFormValue()),
                              extra=self.extra)
 
 class BytesAreaWidget(Bytes, TextAreaWidget):
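Review bot: With `escape()` removed from `_toFormValue` (the hunk at -309) and applied in this `renderElement` call instead, `_toFormValue` and `_getFormValue` now return raw text, and nothing in the code says so. A subclass that overrides the rendering method and passes `self._getFormValue()` as `contents`, as SimpleEditingWidget in editingwidgets.py did before this commit, silently loses escaping on the normal path as well. A comment above the changed line such as `# _getFormValue() returns unescaped text; escape here, at render time` would record the contract, with a matching sentence in the `_toFormValue` docstring. Both methods start outside the hunks shown.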

Modified: Zope3/branches/3.3/src/zope/app/form/browser/widget.py
===================================================================
--- Zope3/branches/3.3/src/zope/app/form/browser/widget.py	2007-03-07 10:44:01 UTC (rev 73025)
+++ Zope3/branches/3.3/src/zope/app/form/browser/widget.py	2007-03-07 10:49:25 UTC (rev 73026)
@@ -269,7 +269,7 @@
         >>> widget()
         u'<input class="textType" id="field.price" name="field.price" type="text" value="32.00"  />'
 
-        >>> request = TestRequest(form={'field.price': u'foo'})
+        >>> request = TestRequest(form={'field.price': u'<p>foo</p>'})
         >>> widget = FloatWidget(field, request)
         >>> try:
         ...     widget.getInputValue()
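Review bot: The new doctest input `u'<p>foo</p>'` covers `<` and `>`, but the value is rendered inside a double-quoted `value="..."` attribute, where `"` is the character that has to be quoted, and it is not exercised. Changing the input to `u'<p>"foo"</p>'` and updating the expected `widget()` output in the next hunk (+277) to the correctly quoted form would pin the attribute case too. The docstring holding this doctest starts before the hunk and continues past it.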
@@ -277,7 +277,7 @@
         ...     print error.doc()
         Invalid floating point data
         >>> widget()
-        u'<input class="textType" id="field.price" name="field.price" type="text" value="foo"  />'
+        u'<input class="textType" id="field.price" name="field.price" type="text" value="&lt;p&gt;foo&lt;/p&gt;"  />'
 
 
     >>> tearDown()
@@ -376,7 +376,7 @@
 
     def _getCurrentValueHelper(self):
         """Helper to get the current input value.
-        
+
         Raises InputErrors if the data could not be validated/converted.
         """
         input_value = None

Modified: Zope3/branches/3.3/src/zope/app/rotterdam/editingwidgets.py
===================================================================
--- Zope3/branches/3.3/src/zope/app/rotterdam/editingwidgets.py	2007-03-07 10:44:01 UTC (rev 73025)
+++ Zope3/branches/3.3/src/zope/app/rotterdam/editingwidgets.py	2007-03-07 10:49:25 UTC (rev 73026)
@@ -18,7 +18,7 @@
 from zope.interface import implements
 from zope.app.form.interfaces import IInputWidget
 from zope.app.form.browser import TextAreaWidget
-from zope.app.form.browser.widget import renderElement
+from zope.app.form.browser.widget import renderElement, escape
 from zope.app.pagetemplate.viewpagetemplatefile import ViewPageTemplateFile
 
 class SimpleEditingWidget(TextAreaWidget):
@@ -112,7 +112,7 @@
                              rows=self.height,
                              cols=self.width,
                              style=self.style,
-                             contents=self._getFormValue(),
+                             contents=escape(self._getFormValue()),
                              extra=self.extra)
 
     def contents(self):
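Review bot: SimpleEditingWidget receives the same one-line fix as TextAreaWidget but no regression test, because the commit adds a doctest only in textwidgets.py, so this copy of the `renderElement` call can drift again unnoticed. A doctest mirroring the TextAreaWidget one would cover it, using a request value of `u'<p>bar</p>'` and checking that the rendered textarea contains `&lt;p&gt;bar&lt;/p&gt;`. The `contents` method that begins on the last line of the hunk is cut off here. If it also hands the form value to a template, it is worth confirming that the template escapes it now that `_toFormValue` no longer does.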


