comparison MoinMoin/formatter/text_html.py @ 5098:ff588e9e24d6

simplify getAttachUrl: remove upload parameter upload=x didn't influence drawing url generation at all, for file url generation one can just give do='upload_form' if one wants the upload url. URL args for do='upload_form' were streamlined to use target=x instead of rename=x so it is more similar to the other code. Removed test for "tainted" file names in URLs. We must not "taint" file names for URLs. Filenames in URLs need to be url-quoted. If a URL is used in html, it needs to be escaped.
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Sun, 13 Sep 2009 00:06:04 +0200
parents 4d90b17cb7b1
children 9ae242080889
comparison
equal deleted inserted replaced
5096:c8ea1985d348 5098:ff588e9e24d6
621 if AttachFile.exists(self.request, pagename, fname): 621 if AttachFile.exists(self.request, pagename, fname):
622 target = AttachFile.getAttachUrl(pagename, fname, self.request, do=querystr['do']) 622 target = AttachFile.getAttachUrl(pagename, fname, self.request, do=querystr['do'])
623 title = "attachment:%s" % url 623 title = "attachment:%s" % url
624 css = 'attachment' 624 css = 'attachment'
625 else: 625 else:
626 target = AttachFile.getAttachUrl(pagename, fname, self.request, upload=True) 626 target = AttachFile.getAttachUrl(pagename, fname, self.request, do='upload_form')
627 title = _('Upload new attachment "%(filename)s"') % {'filename': fname} 627 title = _('Upload new attachment "%(filename)s"') % {'filename': fname}
628 css = 'attachment nonexistent' 628 css = 'attachment nonexistent'
629 return self.url(on, target, css=css, title=title) 629 return self.url(on, target, css=css, title=title)
630 else: 630 else:
631 return self.url(on) 631 return self.url(on)
635 pagename, filename = AttachFile.absoluteName(url, self.page.page_name) 635 pagename, filename = AttachFile.absoluteName(url, self.page.page_name)
636 fname = wikiutil.taintfilename(filename) 636 fname = wikiutil.taintfilename(filename)
637 exists = AttachFile.exists(self.request, pagename, fname) 637 exists = AttachFile.exists(self.request, pagename, fname)
638 if exists: 638 if exists:
639 kw['css'] = 'attachment' 639 kw['css'] = 'attachment'
640 kw['src'] = AttachFile.getAttachUrl(pagename, filename, self.request, addts=1) 640 kw['src'] = AttachFile.getAttachUrl(pagename, fname, self.request, addts=1)
641 title = _('Inlined image: %(url)s') % {'url': self.text(url)} 641 title = _('Inlined image: %(url)s') % {'url': self.text(url)}
642 if not 'title' in kw: 642 if not 'title' in kw:
643 kw['title'] = title 643 kw['title'] = title
644 # alt is required for images: 644 # alt is required for images:
645 if not 'alt' in kw: 645 if not 'alt' in kw:
647 return self.image(**kw) 647 return self.image(**kw)
648 else: 648 else:
649 title = _('Upload new attachment "%(filename)s"') % {'filename': fname} 649 title = _('Upload new attachment "%(filename)s"') % {'filename': fname}
650 img = self.icon('attachimg') 650 img = self.icon('attachimg')
651 css = 'nonexistent' 651 css = 'nonexistent'
652 target = AttachFile.getAttachUrl(pagename, fname, self.request, upload=True) 652 target = AttachFile.getAttachUrl(pagename, fname, self.request, do='upload_form')
653 return self.url(1, target, css=css, title=title) + img + self.url(0) 653 return self.url(1, target, css=css, title=title) + img + self.url(0)
654 654
655 def attachment_drawing(self, url, text, **kw): 655 def attachment_drawing(self, url, text, **kw):
656 # ToDo try to move this to a better place e.g. __init__ 656 # ToDo try to move this to a better place e.g. __init__
657 try: 657 try: