- Always unescape element contents on webdav.xmltools - Use saxutils to escape/unescape values for/from PROPFIND/PROPPATCH. - Make OFS.PropertySheet use the escaping function from webdav.xmltools. - Escape/unescape " and ' - Set a default value of '' for the new 'alt' property as not to break existing content.

45e5350a · Sidnei da Silva · df259636 · 45e5350a · 45e5350a · 45e5350a
Commit 45e5350a authored Nov 02, 2004 by Sidnei da Silva
4 changed files
--- a/doc/CHANGES.txt
+++ b/doc/CHANGES.txt
@@ -30,20 +30,33 @@ Zope Changes
        the docutils package except some GPLed files which can not be included
        with the Zope distribution due to license constraints on svn.zope.org.
-      - docutils: moved from lib/python/docutils to 
+      - docutils: moved from lib/python/docutils to
-        lib/python/third_party/docutils 
+        lib/python/third_party/docutils
      - Collector #1557/OFS.Image: Introducing new 'alt' property. The 'alt'
        attribute is no longer taken from the 'title' property but from the new
-        'alt' property.  The border="0" attribute is no longer part of the HTML 
+        'alt' property.  The border="0" attribute is no longer part of the HTML
        output except specified otherwise.
-      - Collector #1511: made IPCServer show up in the Control Panel under 
+      - Set a default value of '' for the new 'alt' property as not to
+        break existing content.
+      - Collector #1511: made IPCServer show up in the Control Panel under
        "Network Services"
-      - Collector #1443: Applied patch by Simon Eisenmann that reimplements 
+      - Collector #1443: Applied patch by Simon Eisenmann that reimplements
        the XML parser used in WebDAV fixing a memory leak.
+      - Always unescape element contents on webdav.xmltools
+      - Use saxutils to escape/unescape values for/from
+        PROPFIND/PROPPATCH.
+      - Make OFS.PropertySheet use the escaping function from
+        webdav.xmltools.
+      - Escape/unescape &quot; and &apos;
  Zope 2.8a1
@@ -77,14 +90,14 @@ Zope Changes
     - The DateTime parser now throws a SyntaxError upon any parsing errors.
     - ZCatalog: added a new configuration option in the "Advanced" tab
-       to provide optional logging of the progress of long running 
+       to provide optional logging of the progress of long running
       reindexing or recataloging operations.
     - made Zope.configure return the starter instance to enable other
       methods to be called, such as starter.setupConfiguredLoggers()
     - Improved Unicode handling in Page Templates. Template contents
-       and title will now be saved as a Unicode string if 
+       and title will now be saved as a Unicode string if
       the management_page_charset variable can be acquired and is true.
       The character set of an uploaded file can now be specified.
@@ -191,11 +204,11 @@ Zope Changes
       (for pre-Zope 2.5 instances) has been removed. If you want to migrate
       from such an old version to Zope 2.8, you need to clear and reindex
       your ZCatalog).
-     - Collector #1457: ZCTextIndex's QueryError and ParseError 
+     - Collector #1457: ZCTextIndex's QueryError and ParseError
       are now available for import from untrusted code.
-     - Collector #1473: zpasswd.py can now accept --username 
+     - Collector #1473: zpasswd.py can now accept --username
       without --password
     - Collector #1491: talgettext.py did not create a proper header
@@ -213,15 +226,15 @@ Zope Changes
     - Removed DWIM'y attempt to filter acquired-but-not-aceessible
       results from 'guarded_getattr'.
-     - Collector #1267: applied patch to fix segmentation faults on 
+     - Collector #1267: applied patch to fix segmentation faults on
       x86_64 systems
-     - ZReST: the charset used in the rendered HTML was not set to the 
+     - ZReST: the charset used in the rendered HTML was not set to the
       corresponding output_encoding property of the ZReST instance. In addition
-       changing the encodings through the Properties tab did not re-render 
+       changing the encodings through the Properties tab did not re-render
       the HTML.
-     - Collector #1234: an exception triple passed to LOG() was not 
+     - Collector #1234: an exception triple passed to LOG() was not
       propagated properly to the logging module of Python
     - Collector #1441: Removed headers introduced to make Microsoft
@@ -246,8 +259,8 @@ Zope Changes
     - added "version.txt" to setup.py to avoid untrue "unreleased version"
       messages within the control panel
-     - Collector #1436: applied patch to fix a memory leak in 
+     - Collector #1436: applied patch to fix a memory leak in
-       cAccessControl. 
+       cAccessControl.
     - Collector #1431: fixed NetBSD support in initgroups.c
@@ -261,17 +274,17 @@ Zope Changes
     - Zope can now be embedded in C/C++ without exceptions being raised
       in zdoptions.
-     - Collector #1213: Fixed wrong labels of cache parameters 
+     - Collector #1213: Fixed wrong labels of cache parameters
     - Collector #1265: Fixed handling of orphans in ZTUtil.Batch
     - Collector #1293: missing 'address' parameters within one of the server
-       sections raise an exception. 
+       sections raise an exception.
     - Collector #1345: AcceleratedHTTPCacheManager now sends the
       Last-Modified header.
-     - Collector #1126: ZPublisher.Converters.field2lines now using 
+     - Collector #1126: ZPublisher.Converters.field2lines now using
       splitlines() instead of split('\n').
     - Collector #1322: fixed HTML quoting problem with ZSQL methods
@@ -283,14 +296,14 @@ Zope Changes
     - Collector #1259: removed the "uninstall" target from the Makefile
       since the uninstall routine could also remove non-Zope files. Because
-       this was to dangerous it has been removed completely. 
+       this was to dangerous it has been removed completely.
     - Collector #1299: Fixed bug in sequence.sort()
     - Collector #1159: Added test for __MACH__ to initgroups.c so the
       initgroups method becomes available on Mac OS X.
-     - Collector #1004: text,token properties were missing in 
+     - Collector #1004: text,token properties were missing in
       PropertyManager management page.
     - Display index name on error message when index can't be used as

--- a/lib/python/OFS/Image.py
+++ b/lib/python/OFS/Image.py
@@ -76,6 +76,7 @@ class File(Persistent, Implicit, PropertyManager,
    precondition=''
    size=None
+    alt=''
    manage_editForm  =DTMLFile('dtml/fileEdit',globals(),
                               Kind='File',kind='file')

--- a/lib/python/OFS/PropertySheets.py
+++ b/lib/python/OFS/PropertySheets.py
@@ -807,15 +807,12 @@ def absattr(attr):
        return attr()
    return attr
+def xml_escape(value):
-def xml_escape(v):
+    from webdav.xmltools import escape
-    """ convert any content from ISO-8859-1 to UTF-8
+    if not isinstance(value, basestring):
-    The main use is to escape non-US object property values
+        value = unicode(value)
-    (e.g. containing accented characters). Also we convert "<" and ">"
+    if not isinstance(value, unicode):
-    to entities to keep the properties XML compliant.
+        # XXX It really shouldn't be hardcoded to latin-1 here.
-    """
+        value = value.decode('latin-1')
-    v = str(v)
+    value = escape(value)
-    v = v.replace('&', '&amp;')
+    return value.encode('utf-8')
-    v = v.replace('<', '&lt;')
-    v = v.replace('>', '&gt;')
-    return  unicode(v,"latin-1").encode("utf-8")
--- a/lib/python/webdav/xmltools.py
+++ b/lib/python/webdav/xmltools.py
@@ -10,13 +10,10 @@
 # FOR A PARTICULAR PURPOSE
 #
 ##############################################################################
+"""
-""" 
 WebDAV XML request parsing tool using xml.minidom as xml parser.
 Code contributed by Simon Eisenmann, struktur AG, Stuttgart, Germany
 """
 __version__='$Revision: 1.15.2.1 $'[11:-2]
 """
@@ -26,55 +23,88 @@ TODO:
   and find out if some code uses/requires these methods.
   => If yes implement them, else forget them.
   NOTE: So far i didn't have any problems.
         If you have problems please report them.
 """
 from xml.dom import minidom
+from xml.sax.saxutils import escape as _escape, unescape as _unescape
+escape_entities = {'"': '&quot;',
+                   "'": '&apos;',
+                   }
+unescape_entities = {'&quot;': '"',
+                     '&apos;': "'",
+                     }
+def escape(value, entities=None):
+    _ent = escape_entities
+    if entities is not None:
+        _ent = _ent.copy()
+        _ent.update(entities)
+    return _escape(value, entities)
+def unescape(value, entities=None):
+    _ent = unescape_entities
+    if entities is not None:
+        _ent = _ent.copy()
+        _ent.update(entities)
+    return _unescape(value, entities)
+# XXX latin-1 is hardcoded on OFS.PropertySheets as the expected
+# encoding properties will be stored in. Optimally, we should use the
+# same encoding as the 'default_encoding' property that is used for
+# the ZMI.
+zope_encoding = 'latin-1'
 class Node:
-    """ our nodes no matter what type """
+    """ Our nodes no matter what type
+    """
    node = None
    def __init__(self, node):
        self.node=node
    def elements(self, name=None, ns=None):
-        nodes=[ Node(n) for n in self.node.childNodes if n.nodeType == n.ELEMENT_NODE and \
+        nodes = []
-                                                   ((name is None) or ((n.localName.lower())==name)) and \
+        for n in self.node.childNodes:
-                                                   ((ns is None) or (n.namespaceURI==ns)) ]
+            if (n.nodeType == n.ELEMENT_NODE and
+                ((name is None) or ((n.localName.lower())==name)) and
+                ((ns is None) or (n.namespaceURI==ns))):
+                nodes.append(Element(n))
        return nodes
    def qname(self):
-        return '%s%s' % (self.namespace(), self.name()) 
+        return '%s%s' % (self.namespace(), self.name())
    def addNode(self, node):
        # XXX: no support for adding nodes here
        raise NotImplementedError, 'addNode not implemented'
    def toxml(self):
        return self.node.toxml()
    def strval(self):
-        return self.toxml()
+        return self.toxml().encode(zope_encoding)
    def name(self):  return self.node.localName
    def attrs(self): return self.node.attributes
    def value(self): return self.node.nodeValue
    def nodes(self): return self.node.childNodes
    def nskey(self): return self.node.namespaceURI
    def namespace(self): return self.nskey()
    def del_attr(self, name):
-        # XXX: no support for removing attributes 
+        # XXX: no support for removing attributes
 	#      zope can calls this after remapping to remove namespace
 	#      haven't seen this happening though
        return None
    def remap(self, dict, n=0, top=1):
        # XXX: this method is used to do some strange remapping of elements
        #      and namespaces .. not sure how to do this with minidom
@@ -87,18 +117,31 @@ class Node:
            return "<Node %s (from %s)>" % (self.name(), self.namespace())
        else: return "<Node %s>" % self.name()
+class Element(Node):
+    def toxml(self):
+        # When dealing with Elements, we only want the Element's content.
+        result = u''
+        for n in self.node.childNodes:
+            value = n.toxml()
+            # Use unescape possibly escaped values.  We do this
+            # because the value is *always* escaped in it's XML
+            # representation, and if we store it escaped it will come
+            # out *double escaped* when doing a PROPFIND.
+            value = unescape(value, entities=unescape_entities)
+            result += value
+        return result
 class XmlParser:
-    """ simple wrapper around minidom to support the required 
+    """ Simple wrapper around minidom to support the required
-        interfaces for zope.webdav
+    interfaces for zope.webdav
    """
    dom = None
    def __init__(self):
        pass
    def parse(self, data):
-        self.dom=minidom.parseString(data)
+        self.dom = minidom.parseString(data)
        return Node(self.dom)