Book details panel: Fix HTML in author names and identifiers not being escaped

Fixes #1243976 [Private bug](https://bugs.launchpad.net/calibre/+bug/1243976)
Kovid Goyal 2013-10-24 08:45:34 +05:30
parent 8e27841421
commit 79ab8184f4


@ -110,6 +110,8 @@ def render_data(mi, use_roman_numbers=True, all_fields=False):
isdevice = not hasattr(mi, 'id') isdevice = not hasattr(mi, 'id')
fm = getattr(mi, 'field_metadata', field_metadata) fm = getattr(mi, 'field_metadata', field_metadata)
row = u'<td class="title">%s</td><td class="value">%s</td>' row = u'<td class="title">%s</td><td class="value">%s</td>'
p = prepare_string_for_xml
a = partial(prepare_string_for_xml, attribute=True)
for field, display in get_field_list(fm): for field, display in get_field_list(fm):
metadata = fm.get(field, None) metadata = fm.get(field, None)
@ -167,20 +169,19 @@ def render_data(mi, use_roman_numbers=True, all_fields=False):
elif field == 'formats': elif field == 'formats':
if isdevice: if isdevice:
continue continue
p = partial(prepare_string_for_xml, attribute=True)
path = '' path = ''
if mi.path: if mi.path:
h, t = os.path.split(mi.path) h, t = os.path.split(mi.path)
path = '/'.join((os.path.basename(h), t)) path = '/'.join((os.path.basename(h), t))
data = ({ data = ({
'fmt':x, 'path':p(path or ''), 'fname':p(mi.format_files.get(x, '')), 'fmt':x, 'path':a(path or ''), 'fname':a(mi.format_files.get(x, '')),
'ext':x.lower(), 'id':mi.id 'ext':x.lower(), 'id':mi.id
} for x in mi.formats) } for x in mi.formats)
fmts = [u'<a title="{path}/{fname}.{ext}" href="format:{id}:{fmt}">{fmt}</a>'.format(**x) for x in data] fmts = [u'<a title="{path}/{fname}.{ext}" href="format:{id}:{fmt}">{fmt}</a>'.format(**x) for x in data]
ans.append((field, row % (name, u', '.join(fmts)))) ans.append((field, row % (name, u', '.join(fmts))))
elif field == 'identifiers': elif field == 'identifiers':
urls = urls_from_identifiers(mi.identifiers) urls = urls_from_identifiers(mi.identifiers)
links = [u'<a href="%s" title="%s:%s">%s</a>' % (url, id_typ, id_val, name) links = [u'<a href="%s" title="%s:%s">%s</a>' % (a(url), a(id_typ), a(id_val), p(name))
for name, id_typ, id_val, url in urls] for name, id_typ, id_val, url in urls]
links = u', '.join(links) links = u', '.join(links)
if links: if links:
@ -200,9 +201,9 @@ def render_data(mi, use_roman_numbers=True, all_fields=False):
vals['author_sort'] = aut.replace(' ', '+') vals['author_sort'] = aut.replace(' ', '+')
link = formatter.safe_format( link = formatter.safe_format(
gprefs.get('default_author_link'), vals, '', vals) gprefs.get('default_author_link'), vals, '', vals)
aut = p(aut)
if link: if link:
link = prepare_string_for_xml(link) authors.append(u'<a calibre-data="authors" href="%s">%s</a>'%(a(link), aut))
authors.append(u'<a calibre-data="authors" href="%s">%s</a>'%(link, aut))
else: else:
authors.append(aut) authors.append(aut)
ans.append((field, row % (name, u' & '.join(authors)))) ans.append((field, row % (name, u' & '.join(authors))))
@ -215,14 +216,14 @@ def render_data(mi, use_roman_numbers=True, all_fields=False):
val = mi.format_field(field)[-1] val = mi.format_field(field)[-1]
if val is None: if val is None:
continue continue
val = prepare_string_for_xml(val) val = p(val)
if metadata['datatype'] == 'series': if metadata['datatype'] == 'series':
sidx = mi.get(field+'_index') sidx = mi.get(field+'_index')
if sidx is None: if sidx is None:
sidx = 1.0 sidx = 1.0
val = _('Book %(sidx)s of <span class="series_name">%(series)s</span>')%dict( val = _('Book %(sidx)s of <span class="series_name">%(series)s</span>')%dict(
sidx=fmt_sidx(sidx, use_roman=use_roman_numbers), sidx=fmt_sidx(sidx, use_roman=use_roman_numbers),
series=prepare_string_for_xml(getattr(mi, field))) series=p(getattr(mi, field)))
elif metadata['datatype'] == 'datetime': elif metadata['datatype'] == 'datetime':
aval = getattr(mi, field) aval = getattr(mi, field)
if is_date_undefined(aval): if is_date_undefined(aval):
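Review bot: In the formats hunk the `fmt`, `ext` and `id` values are still interpolated into the `title` and `href` attributes raw, while the neighbouring `path` and `fname` now go through `a()`; with the attribute escaper in scope at the top of the function, `'fmt': a(x), 'path': a(path or ''), 'fname': a(mi.format_files.get(x, '')), 'ext': a(x.lower()), 'id': mi.id` would make the escaping uniform for every string placed in that attribute. Format names appear to be extension-derived tokens, so the practical exposure is presumably small, but the inconsistency is the kind that gets copied when a new attribute is added later. The same applies to the `name` column label that every branch passes to `row %` unescaped; it is defined outside these hunks, so whether it is already safe cannot be judged here. The enclosing `render_data` starts before the first hunk and continues past the last.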