diff MoinMoin/formatter/text_html.py @ 5098:ff588e9e24d6

simplify getAttachUrl: remove upload parameter. upload=x didn't influence drawing url generation at all; for file url generation one can just give do='upload_form' if one wants the upload url. URL args for do='upload_form' were streamlined to use target=x instead of rename=x, so it is more similar to the other code. Removed test for "tainted" file names in URLs. We must not "taint" file names for URLs. Filenames in URLs need to be url-quoted. If a URL is used in html, it needs to be escaped.
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Sun, 13 Sep 2009 00:06:04 +0200
parents 4d90b17cb7b1
children 9ae242080889
--- a/MoinMoin/formatter/text_html.py	Sat Sep 12 21:42:55 2009 +0200
+++ b/MoinMoin/formatter/text_html.py	Sun Sep 13 00:06:04 2009 +0200
@@ -623,7 +623,7 @@
                 title = "attachment:%s" % url
                 css = 'attachment'
             else:
-                target = AttachFile.getAttachUrl(pagename, fname, self.request, upload=True)
+                target = AttachFile.getAttachUrl(pagename, fname, self.request, do='upload_form')
                 title = _('Upload new attachment "%(filename)s"') % {'filename': fname}
                 css = 'attachment nonexistent'
             return self.url(on, target, css=css, title=title)
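Review bot: With the taint test removed from getAttachUrl (per the commit message), nothing visible in this hunk html-escapes `fname` before it reaches the link: `target` and the `title` built from `fname` go straight into `self.url(...)`, and the title text wraps the name in double quotes. Whether `self.url` escapes its href and `title` attribute values is not visible here and should be confirmed, since the attachment name presumably comes from page markup. I would add a comment above the call such as `# target is url-quoted by getAttachUrl; self.url must html-escape target and title`. The same applies to the `do='upload_form'` call in the third hunk, `self.url(1, target, css=css, title=title)`. The enclosing method starts outside the hunk.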
@@ -637,7 +637,7 @@
         exists = AttachFile.exists(self.request, pagename, fname)
         if exists:
             kw['css'] = 'attachment'
-            kw['src'] = AttachFile.getAttachUrl(pagename, filename, self.request, addts=1)
+            kw['src'] = AttachFile.getAttachUrl(pagename, fname, self.request, addts=1)
             title = _('Inlined image: %(url)s') % {'url': self.text(url)}
             if not 'title' in kw:
                 kw['title'] = title
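Review bot: The title on this path is passed through `self.text(url)`, while the upload titles in the first and third hunks interpolate `fname` unescaped, so the two paths disagree on who escapes attribute text. Depending on whether the formatter escapes attribute values itself (not visible here), one path is either double-escaped or under-escaped; a short comment stating which layer does the escaping would settle it. As a style point, `if not 'title' in kw:` reads better as `if 'title' not in kw:`. The method starts and ends outside the hunk.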
@@ -649,7 +649,7 @@
             title = _('Upload new attachment "%(filename)s"') % {'filename': fname}
             img = self.icon('attachimg')
             css = 'nonexistent'
-            target = AttachFile.getAttachUrl(pagename, fname, self.request, upload=True)
+            target = AttachFile.getAttachUrl(pagename, fname, self.request, do='upload_form')
             return self.url(1, target, css=css, title=title) + img + self.url(0)
 
     def attachment_drawing(self, url, text, **kw):