diff MoinMoin/macro/EmbedObject.py @ 5098:ff588e9e24d6

simplify getAttachUrl: remove upload parameter upload=x didn't influence drawing url generation at all, for file url generation one can just give do='upload_form' if one wants the upload url. URL args for do='upload_form' were streamlined to use target=x instead of rename=x so it is more similar to the other code. Removed test for "tainted" file names in URLs. We must not "taint" file names for URLs. Filenames in URLs need to be url-quoted. If a URL is used in html, it needs to be escaped.
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Sun, 13 Sep 2009 00:06:04 +0200
parents c538e2b0bba9
children 12d27670e274
line wrap: on
line diff
--- a/MoinMoin/macro/EmbedObject.py	Sat Sep 12 21:42:55 2009 +0200
+++ b/MoinMoin/macro/EmbedObject.py	Sun Sep 13 00:06:04 2009 +0200
@@ -84,7 +84,7 @@
 
         if not AttachFile.exists(request, pagename, fname):
             linktext = _('Upload new attachment "%(filename)s"') % {'filename': fname}
-            target = AttachFile.getAttachUrl(pagename, fname, request, upload=True)
+            target = AttachFile.getAttachUrl(pagename, fname, request, do='upload_form')
             return (fmt.url(1, target) +
                     fmt.text(linktext) +
                     fmt.url(0))