Use cgi.escape instead of simply replacing tags, also escaping & was missing.

This commit is contained in:
Mattias Põldaru 2011-12-30 15:00:08 +02:00
parent b48dda3c74
commit 185cc5487a

View File

@ -28,6 +28,7 @@
The :mod:`maindisplay` module provides the functionality to display screens The :mod:`maindisplay` module provides the functionality to display screens
and play multimedia within OpenLP. and play multimedia within OpenLP.
""" """
import cgi
import logging import logging
import os import os
import sys import sys
@ -239,15 +240,13 @@ class MainDisplay(Display):
if self.height() != self.screen[u'size'].height() or \ if self.height() != self.screen[u'size'].height() or \
not self.isVisible(): not self.isVisible():
shrink = True shrink = True
js = u'show_alert("%s", "%s")' % ( js = u'show_alert("%s", "%s")' % (cgi.escape(
text.replace(u'\\', u'\\\\').replace(u'\"', u'\\\"') text.replace(u'\\', u'\\\\').replace(u'\"', u'\\\"')),
.replace(u'<', u'&lt;').replace(u'>', u'&gt;'),
u'top') u'top')
else: else:
shrink = False shrink = False
js = u'show_alert("%s", "")' % ( js = u'show_alert("%s", "")' % (cgi.escape(
text.replace(u'\\', u'\\\\').replace(u'\"', u'\\\"') text.replace(u'\\', u'\\\\').replace(u'\"', u'\\\"')))
.replace(u'<', u'&lt;').replace(u'>', u'&gt;'))
height = self.frame.evaluateJavaScript(js) height = self.frame.evaluateJavaScript(js)
if shrink: if shrink:
if text: if text: