comparison MoinMoin/macro/EmbedObject.py @ 5098:ff588e9e24d6

simplify getAttachUrl: remove upload parameter upload=x didn't influence drawing url generation at all, for file url generation one can just give do='upload_form' if one wants the upload url. URL args for do='upload_form' were streamlined to use target=x instead of rename=x so it is more similar to the other code. Removed test for "tainted" file names in URLs. We must not "taint" file names for URLs. Filenames in URLs need to be url-quoted. If a URL is used in html, it needs to be escaped.
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Sun, 13 Sep 2009 00:06:04 +0200
parents c538e2b0bba9
children 12d27670e274
comparison
equal deleted inserted replaced
5096:c8ea1985d348 5098:ff588e9e24d6
82 if not wikiutil.is_URL(target): 82 if not wikiutil.is_URL(target):
83 pagename, fname = AttachFile.absoluteName(target, pagename) 83 pagename, fname = AttachFile.absoluteName(target, pagename)
84 84
85 if not AttachFile.exists(request, pagename, fname): 85 if not AttachFile.exists(request, pagename, fname):
86 linktext = _('Upload new attachment "%(filename)s"') % {'filename': fname} 86 linktext = _('Upload new attachment "%(filename)s"') % {'filename': fname}
87 target = AttachFile.getAttachUrl(pagename, fname, request, upload=True) 87 target = AttachFile.getAttachUrl(pagename, fname, request, do='upload_form')
88 return (fmt.url(1, target) + 88 return (fmt.url(1, target) +
89 fmt.text(linktext) + 89 fmt.text(linktext) +
90 fmt.url(0)) 90 fmt.url(0))
91 91
92 url = AttachFile.getAttachUrl(pagename, fname, request) 92 url = AttachFile.getAttachUrl(pagename, fname, request)