view MoinMoin/parser/ @ 5910:7e7e1cbb9d3f

security: fix remote code execution vulnerability in twikidraw/anywikidraw actions We have wikiutil.taintfilename() to make user supplied filenames safe, so that they can't contain any "special" characters like path separators, etc. It is used at many places in moin, but wasn't used here. :|
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Sat, 29 Dec 2012 15:05:29 +0100
parents ff39884957af
line wrap: on
line source
# -*- coding: iso-8859-1 -*-
    MoinMoin - Plain Text Parser, fallback for text/*

    @copyright: 2000-2002 Juergen Hermann <>
    @license: GNU GPL, see COPYING for details.

Dependencies = []

class Parser:
        Send plain text in a HTML <pre> element.

    ## specify extensions willing to handle
    ## should be a list of extensions including the leading dot
    ## TODO: remove the leading dot from the extension. This is stupid.
    #extensions = ['.txt']
    ## use '*' instead of the list(!) to specify a default parser
    ## which is used as fallback
    extensions = '*'
    Dependencies = []

    def __init__(self, raw, request, **kw):
        self.raw = raw
        self.request = request
        self.form = request.form
        self._ = request.getText
        self.start_line = kw.get('start_line', 0)

    def format(self, formatter, **kw):
        """ Send the text. """

        self.lines = self.raw.expandtabs().split('\n')
        if self.lines[-1] == '':
            del self.lines[-1]

        self.lineno = self.start_line


        for lineno in range(1, self.start_line + 1):

        for line in self.lines:
            if self.lineno != self.start_line:

            self.lineno += 1