Commit 493196ac authored by Jérome Perrin's avatar Jérome Perrin Committed by Kazuhiko Shiozaki

Document.asEntireHTML: set a content type when published

This method converts the HTML, so it should escape nasty HTML tags.

Also add missing escaping when inserting the base
parent ea10ec7f
...@@ -37,6 +37,7 @@ from Products.ERP5Type import Permissions, PropertySheet ...@@ -37,6 +37,7 @@ from Products.ERP5Type import Permissions, PropertySheet
from Products.ERP5Type.XMLObject import XMLObject from Products.ERP5Type.XMLObject import XMLObject
from Products.ERP5Type.Utils import deprecated, guessEncodingFromText from Products.ERP5Type.Utils import deprecated, guessEncodingFromText
from Products.ERP5Type.TransactionalVariable import getTransactionalVariable from Products.ERP5Type.TransactionalVariable import getTransactionalVariable
from Products.PythonScripts.standard import html_quote
from erp5.component.tool.ContributionTool import MAX_REPEAT from erp5.component.tool.ContributionTool import MAX_REPEAT
from Products.ZSQLCatalog.SQLCatalog import Query, NegatedQuery from Products.ZSQLCatalog.SQLCatalog import Query, NegatedQuery
from AccessControl import Unauthorized from AccessControl import Unauthorized
...@@ -818,7 +819,7 @@ class Document(DocumentExtensibleTraversableMixin, XMLObject, UrlMixin, ...@@ -818,7 +819,7 @@ class Document(DocumentExtensibleTraversableMixin, XMLObject, UrlMixin,
return str(subject) return str(subject)
security.declareProtected(Permissions.View, 'asEntireHTML') security.declareProtected(Permissions.View, 'asEntireHTML')
def asEntireHTML(self, **kw): def asEntireHTML(self, REQUEST=None, **kw):
""" """
Returns a complete HTML representation of the document Returns a complete HTML representation of the document
(with body tags, etc.). Adds if necessary a base (with body tags, etc.). Adds if necessary a base
...@@ -833,9 +834,11 @@ class Document(DocumentExtensibleTraversableMixin, XMLObject, UrlMixin, ...@@ -833,9 +834,11 @@ class Document(DocumentExtensibleTraversableMixin, XMLObject, UrlMixin,
# if base is defined yet. # if base is defined yet.
html = str(html) html = str(html)
if not html.find('<base') >= 0: if not html.find('<base') >= 0:
base = '<base href="%s"/>' % self.getContentBaseURL() base = '<base href="%s"/>' % html_quote(self.getContentBaseURL())
html = html.replace('<head>', '<head>%s' % base, 1) html = html.replace('<head>', '<head>%s' % base, 1)
self.setConversion(html, mime='text/html', format='base-html') self.setConversion(html, mime='text/html', format='base-html')
if REQUEST is not None:
REQUEST.RESPONSE.setHeader('Content-Type', 'text/html')
return html return html
security.declarePrivate('_asHTML') security.declarePrivate('_asHTML')
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment