From b48dda3c741477a281f692f857459226211bcfb1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mattias=20P=C3=B5ldaru?=
Date: Fri, 23 Dec 2011 21:14:49 +0200
Subject: [PATCH 1/3] Converts <> marks to <> to make it impossible to insert HTML to alerts.
Fixes: https://launchpad.net/bugs/908197
---
 openlp/core/ui/maindisplay.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/openlp/core/ui/maindisplay.py b/openlp/core/ui/maindisplay.py
index de8fce454..021ca4cf6 100644
--- a/openlp/core/ui/maindisplay.py
+++ b/openlp/core/ui/maindisplay.py
@@ -240,12 +240,14 @@ class MainDisplay(Display):
 not self.isVisible():
 shrink = True
 js = u'show_alert("%s", "%s")' % (
- text.replace(u'\\', u'\\\\').replace(u'\"', u'\\\"'),
+ text.replace(u'\\', u'\\\\').replace(u'\"', u'\\\"')
+ .replace(u'<', u'<').replace(u'>', u'>'),
 u'top')
 else:
 shrink = False
 js = u'show_alert("%s", "")' % (
- text.replace(u'\\', u'\\\\').replace(u'\"', u'\\\"'))
+ text.replace(u'\\', u'\\\\').replace(u'\"', u'\\\"')
+ .replace(u'<', u'<').replace(u'>', u'>'))
 height = self.frame.evaluateJavaScript(js)
 if shrink:
 if text:
From 185cc5487a0622c0331ca67c46ee01268f39bff8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mattias=20P=C3=B5ldaru?=
Date: Fri, 30 Dec 2011 15:00:08 +0200
Subject: [PATCH 2/3] Use cgi.escape instead of simply replacing tags, also escaping & was missing.
---
 openlp/core/ui/maindisplay.py | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/openlp/core/ui/maindisplay.py b/openlp/core/ui/maindisplay.py
index 021ca4cf6..56237c528 100644
--- a/openlp/core/ui/maindisplay.py
+++ b/openlp/core/ui/maindisplay.py
@@ -28,6 +28,7 @@ The :mod:`maindisplay` module provides the functionality to display screens
 and play multimedia within OpenLP.
 """
+import cgi
 import logging
 import os
 import sys
 
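Review bot: The added `.replace(...)` chain still escapes only backslash and double quote before the text is pasted into the `"%s"` JavaScript literal of `show_alert`, so an alert text containing a newline or carriage return (or U+2028/U+2029) lands raw inside the literal and turns the whole `js` string into a JavaScript syntax error, which means the alert never shows; the same chain is carried into the second and third patches, so this applies to their hunks at `@@ -239` and `@@ -237` as well. Serialising the argument with `json.dumps()` instead of hand-rolled replaces would cover backslashes, quotes, newlines and control characters in one step, e.g. `js = u'show_alert(%s, "top")' % json.dumps(escaped_text)` where `escaped_text` is the HTML-escaped text, and it would also remove the need to repeat the chain in both branches. As rendered here the `.replace(u'<', u'<')` and `.replace(u'>', u'>')` calls show the same character on both sides, presumably the entity targets decoded by the page; if the committed source really reads this way the replacement is a no-op and the HTML injection the commit message describes is not actually prevented, which is worth verifying against the repository. The enclosing `alert()` method starts and ends outside the hunk.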
@@ -239,15 +240,13 @@ class MainDisplay(Display):
 if self.height() != self.screen[u'size'].height() or \
 not self.isVisible():
 shrink = True
- js = u'show_alert("%s", "%s")' % (
- text.replace(u'\\', u'\\\\').replace(u'\"', u'\\\"')
- .replace(u'<', u'<').replace(u'>', u'>'),
+ js = u'show_alert("%s", "%s")' % (cgi.escape(
+ text.replace(u'\\', u'\\\\').replace(u'\"', u'\\\"')),
 u'top')
 else:
 shrink = False
- js = u'show_alert("%s", "")' % (
- text.replace(u'\\', u'\\\\').replace(u'\"', u'\\\"')
- .replace(u'<', u'<').replace(u'>', u'>'))
+ js = u'show_alert("%s", "")' % (cgi.escape(
+ text.replace(u'\\', u'\\\\').replace(u'\"', u'\\\"')))
 height = self.frame.evaluateJavaScript(js)
 if shrink:
 if text:
From 85a92455d1214a6d9e904c5995d1c19505d373a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mattias=20P=C3=B5ldaru?=
Date: Tue, 3 Jan 2012 01:43:59 +0200
Subject: [PATCH 3/3] Apply formatting tags to alerts.
---
 openlp/core/ui/maindisplay.py | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/openlp/core/ui/maindisplay.py b/openlp/core/ui/maindisplay.py
index 56237c528..264c7f1f5 100644
--- a/openlp/core/ui/maindisplay.py
+++ b/openlp/core/ui/maindisplay.py
@@ -37,7 +37,7 @@ from PyQt4 import QtCore, QtGui, QtWebKit, QtOpenGL
 from PyQt4.phonon import Phonon
 from openlp.core.lib import Receiver, build_html, ServiceItem, image_to_byte, \
- translate, PluginManager
+ translate, PluginManager, expand_tags
 from openlp.core.ui import HideMode, ScreenList, AlertLocation
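Review bot: The new `cgi.escape(...)` calls in both branches rely on the function's default `quote=False`, which is the only reason the `\"` produced by the inner `.replace(u'\"', u'\\\"')` survives into the JavaScript literal; that dependency is invisible at the call site and would silently break if someone later passed `quote=True` (turning the quote into `&quot;` after a stray backslash), so it deserves a comment such as `# cgi.escape() must keep quote=False: '"' is already escaped for the JS literal above`. Note also that `cgi.escape` was deprecated in Python 3.2 and removed in 3.8 in favour of `html.escape`, which escapes quotes by default, so the order of these two steps would have to be revisited if the project moves past Python 2 (the `u''` literals suggest it has not yet). The missing handling of newlines raised on the first patch's `@@ -240` hunk still applies to these lines, and `alert()` starts and ends outside the hunk.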
@@ -237,16 +237,17 @@ class MainDisplay(Display):
 The text to be displayed.
 """
 log.debug(u'alert to display')
+ # First we convert <>& marks to html variants, then apply
+ # formattingtags, finally we double all backslashes for JavaScript.
+ text_prepared = expand_tags(cgi.escape(text)) \
+ .replace(u'\\', u'\\\\').replace(u'\"', u'\\\"')
 if self.height() != self.screen[u'size'].height() or \
 not self.isVisible():
 shrink = True
- js = u'show_alert("%s", "%s")' % (cgi.escape(
- text.replace(u'\\', u'\\\\').replace(u'\"', u'\\\"')),
- u'top')
+ js = u'show_alert("%s", "%s")' % (text_prepared, u'top')
 else:
 shrink = False
- js = u'show_alert("%s", "")' % (cgi.escape(
- text.replace(u'\\', u'\\\\').replace(u'\"', u'\\\"')))
+ js = u'show_alert("%s", "")' % text_prepared
 height = self.frame.evaluateJavaScript(js)
 if shrink:
 if text:
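Review bot: The added comment above `text_prepared` undersells what the ordering protects: it says the backslashes are doubled "for JavaScript" but the line also escapes double quotes, and it does not say why `expand_tags()` sits between the HTML escape and the JS escape, which is presumably because the markup that `expand_tags()` inserts carries its own attribute quotes that must then be escaped for the `"%s"` literal. I would replace the two comment lines with `# HTML-escape first so the user text itself can never become markup; expand_tags() then adds the configured formatting HTML, and the final replaces make the result safe inside a JS double-quoted string.` (also fixing "formattingtags"). With this ordering the injection safety now rests on `expand_tags()` inserting only markup from the configured tag table and never reflecting parts of the (already escaped) input unescaped, and on that markup containing no newlines; neither is visible in this hunk, so both should be confirmed against its implementation. The newline gap raised on the first patch's `@@ -240` hunk is still present in the `.replace` chain here, and `alert()` starts and ends outside the hunk.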