Missing quoting of <>& in autogenerated forms

Bug #97976 reported by Michael Howitz
Affects: Zope 3
Status: Fix Released
Importance: High
Assigned to: Unassigned

Bug Description

In autogenerated forms <, >, & are not quoted in menus (<select>) when the source for the menu is a vocabulary. So the page isn't valid XML any more.

I put together a little example. To reproduce, follow these steps:
- include the demoVendo-package in your Zope (using include package in site.zcml)
- create a customer
- inside this customer create an address containing <, >, & in the name
- go to the edit-tag of the customer
- look at the source of the HTML page to see the raw characters
  (Caution: Mozilla shows the characters perfectly quoted (because it shows its DOM) but if you fetch the file e.g. using wget it shows up the raw characters.)

Michael Howitz (mh+zope) wrote :
Jim Fulton (jim-zope) wrote :

Changes: submitter email, importance (medium => urgent)

Jim Fulton (jim-zope) wrote :

Changes: classification (issue => bug)

Stephan Richter (srichter) wrote :

Status: Pending => Resolved

You were right, the displayed values of a vocabulary were not encoded, but the value of the option tag was. 'renderElement()' did the right thing for the 'value' attribute of the 'option' tag. For the contents of the 'option' tag however, it does not escape, which is the correct behavior. I went through the 'itemswidgets.py' file and escaped all 'option' tag content.

I added a test to verify its correct workings.

See revision 26193.
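The behaviour discussed in this report, as an added example that is not Zope's code and not part of the original thread: a select menu rendered from vocabulary terms, once with only the 'value' attribute escaped and once with the 'option' content escaped as well, each checked for XML well-formedness. The function names and the sample terms are assumptions made for illustration.

```python
from html import escape
from xml.etree import ElementTree

# Constructed sample vocabulary: (token, title) pairs; the title is user-supplied.
SAMPLE_TERMS = [("addr1", "Smith & Sons <HQ>"), ("addr2", "Plain Street 1")]


def render_option(token, title, escape_content):
    """Render one <option>; the value attribute is always escaped."""
    value = escape(token, quote=True)
    # With escape_content=False the title is emitted raw, as in the report.
    text = escape(title, quote=False) if escape_content else title
    return '<option value="%s">%s</option>' % (value, text)


def render_select(name, terms, escape_content=True):
    """Render a <select> menu from (token, title) vocabulary terms."""
    options = "\n".join(
        render_option(token, title, escape_content) for token, title in terms
    )
    return '<select name="%s">\n%s\n</select>' % (escape(name, quote=True), options)


def is_well_formed(markup):
    """Return True if the markup parses as XML."""
    try:
        ElementTree.fromstring(markup)
        return True
    except ElementTree.ParseError:
        return False


def option_texts(markup):
    """Return the text of every <option>, as an XML parser sees it."""
    return [opt.text for opt in ElementTree.fromstring(markup).iter("option")]


if __name__ == "__main__":
    for flag in (False, True):
        markup = render_select("address", SAMPLE_TERMS, escape_content=flag)
        print("escape_content=%s well-formed=%s" % (flag, is_well_formed(markup)))
        print(markup)
```

Checking the serialized output with a parser, rather than in a browser's DOM view, avoids the misleading display noted in the bug description.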
