Use cgi.escape instead of simply replacing tags, also escaping & was missing.

This commit is contained in:
Mattias Põldaru 2011-12-30 15:00:08 +02:00
parent b48dda3c74
commit 185cc5487a
1 changed files with 5 additions and 6 deletions


@ -28,6 +28,7 @@
The :mod:`maindisplay` module provides the functionality to display screens The :mod:`maindisplay` module provides the functionality to display screens
and play multimedia within OpenLP. and play multimedia within OpenLP.
""" """
import cgi
import logging import logging
import os import os
import sys import sys
@ -239,15 +240,13 @@ class MainDisplay(Display):
if self.height() != self.screen[u'size'].height() or \ if self.height() != self.screen[u'size'].height() or \
not self.isVisible(): not self.isVisible():
shrink = True shrink = True
js = u'show_alert("%s", "%s")' % ( js = u'show_alert("%s", "%s")' % (cgi.escape(
text.replace(u'\\', u'\\\\').replace(u'\"', u'\\\"') text.replace(u'\\', u'\\\\').replace(u'\"', u'\\\"')),
.replace(u'<', u'&lt;').replace(u'>', u'&gt;'),
u'top') u'top')
else: else:
shrink = False shrink = False
js = u'show_alert("%s", "")' % ( js = u'show_alert("%s", "")' % (cgi.escape(
text.replace(u'\\', u'\\\\').replace(u'\"', u'\\\"') text.replace(u'\\', u'\\\\').replace(u'\"', u'\\\"')))
.replace(u'<', u'&lt;').replace(u'>', u'&gt;'))
height = self.frame.evaluateJavaScript(js) height = self.frame.evaluateJavaScript(js)
if shrink: if shrink:
if text: if text:
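Review bot: The escaping expression `cgi.escape(text.replace(u'\\', u'\\\\').replace(u'\"', u'\\\"'))` is now written out identically in both branches of the `if` around the `js` assignment; hoisting it into one local before the branch, e.g. `escaped = cgi.escape(text.replace(u'\\', u'\\\\').replace(u'\"', u'\\\"'))`, and using `escaped` in both `%` substitutions keeps the two alert variants from drifting apart. The ordering also deserves a comment, since cgi.escape with its default quote=False only rewrites `&`, `<` and `>`, so the JS-string escaping of backslash and double quote must run first and is not undone by it: `# JS-escape first; cgi.escape (quote=False) then handles & < > and adds no quotes or backslashes`. Neither step handles a newline or carriage return in `text`, so if alert text can contain one it would land raw inside the double-quoted JS literal handed to `evaluateJavaScript` and break the statement; a `.replace(u'\n', u'\\n')` alongside the existing replaces would cover that. The enclosing method of `MainDisplay` starts and ends outside the hunk.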