commit/galaxy-central: dan: Add some missing cgi.escape calls around values in form_builder.py.
1 new commit in galaxy-central: https://bitbucket.org/galaxy/galaxy-central/changeset/5946d6694829/ changeset: 5946d6694829 user: dan date: 2012-04-05 23:04:20 summary: Add some missing cgi.escape calls around values in form_builder.py. affected #: 1 file
diff -r 016baa06f6140b5fe9b0849b54181b8a8b9dd6a9 -r 5946d6694829ba6377c33ec2cfab91bbaff5671a lib/galaxy/web/form_builder.py
--- a/lib/galaxy/web/form_builder.py
+++ b/lib/galaxy/web/form_builder.py
@@ -144,7 +144,7 @@
 def get_html( self, prefix="" ):
 value_text = ""
 if self.value:
- value_text = ' value="%s"' % self.value
+ value_text = ' value="%s"' % escape( str( self.value ), quote=True )
 ajax_text = ""
 if self.ajax:
 ajax_text = ' galaxy-ajax-upload="true"'
@@ -279,7 +279,7 @@
 if self.refresh_on_change:
 self.refresh_on_change_text = ' refresh_on_change="true"'
 if self.refresh_on_change_values:
- self.refresh_on_change_text = '%s refresh_on_change_values="%s"' % ( self.refresh_on_change_text, ",".join( self.refresh_on_change_values ) )
+ self.refresh_on_change_text = '%s refresh_on_change_values="%s"' % ( self.refresh_on_change_text, escape( ",".join( self.refresh_on_change_values ), quote=True ) )
 else:
 self.refresh_on_change_text = ''
 def add_option( self, text, value, selected = False ):
@@ -306,7 +306,7 @@
 if selected:
 selected_text = " checked='checked'"
 rval.append( '<div%s><input type="checkbox" name="%s%s" value="%s" id="%s"%s%s><label class="inline" for="%s">%s</label></div>' % \
- ( style, prefix, self.name, escaped_value, uniq_id, selected_text, self.get_disabled_str( disabled ), uniq_id, text ) )
+ ( style, prefix, self.name, escaped_value, uniq_id, selected_text, self.get_disabled_str( disabled ), uniq_id, escape( str( text ), quote=True ) ) )
 ctr += 1
 return "\n".join( rval )
 def get_html_radio( self, prefix="", disabled=False ):
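Review bot: The new `value_text` line passes `self.value` through `str()` before `escape()`; if this module runs on Python 2 (the `cgi.escape` API suggests it does), a `unicode` value holding non-ASCII characters will raise `UnicodeEncodeError` on that line instead of rendering. The same `str( ... )` wrapping appears on the new lines in the @@ -306 and @@ -351 hunks and matches the pre-existing `escape( str( value ), quote=True )` context line at @@ -351, so it may be a deliberate module convention, but if form values can be unicode a small helper that encodes to UTF-8 before escaping would be safer than `str()`. `escape` is already referenced by existing lines in the module, so no new import is needed for this change. get_html's body continues outside the hunk.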
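Review bot: In the rebuilt `rval.append` argument tuple of the @@ -306 hunk, `text` is now escaped but `style`, `prefix`, `self.name` and `uniq_id` are still interpolated raw into the `<div%s>`, `name="%s%s"`, `id="%s"` and `for="%s"` slots; if any of them can originate from a tool definition or request parameter, a `"` in the value ends the attribute, so they need the same `escape( str( ... ), quote=True )` treatment. Only `escaped_value` is visibly pre-escaped, and it is assigned outside the hunk. The `<select name="%s%s"...>` format string in the @@ -351 hunk has the same shape, though its arguments lie outside that hunk. Note that `cgi.escape( ..., quote=True )` converts `"` but not `'`, so every attribute receiving escaped data should stay double-quoted as it is here. The enclosing method's signature is outside the hunk.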
@@ -351,7 +351,7 @@
 last_selected_value = value
 else:
 selected_text = ""
- rval.append( '<option value="%s"%s>%s</option>' % ( escape( str( value ), quote=True ), selected_text, text ) )
+ rval.append( '<option value="%s"%s>%s</option>' % ( escape( str( value ), quote=True ), selected_text, escape( str( text ), quote=True ) ) )
 if last_selected_value:
 last_selected_value = ' last_selected_value="%s"' % escape( str( last_selected_value ), quote=True )
 rval.insert( 0, '<select name="%s%s"%s%s%s%s%s>' % \
Repository URL: https://bitbucket.org/galaxy/galaxy-central/ -- This is a commit notification from bitbucket.org. You are receiving this because you have the service enabled, addressing the recipient of this email.