PropertySheets xml_escape method with hardcoded encoding

Bug #143211 reported by Simon Eisenmann
2
Affects Status Importance Assigned to Milestone
Zope 2
Invalid
Medium
Sidnei da Silva

Bug Description

While testing webdav i found the PropertySheet's xml_escape method which is called on dav's PROPGET to retrieve the properties (see OFS/PropertySheet.py right at the end) . This method has no notion at all regarding encoding. It has hardcoded unicode(v,"latin-1").encode("utf-8") and does a str() conversion without even checking if the property might be unicode already.

I wonder how zope does in general handle unicode properties / properties with strings containing unicode? Both things wont work properly with this xml_escape method.

I suggest checking if "v" is already unicode type and then just quote entities. Then in addition with the new webdav.xmltools package the properties are fully unicode type. If "v" should be not unicode type its encoding has to be guessed from the ZMI encoding setting.

Revision history for this message
Simon Eisenmann (longsleep) wrote :

well .. i did some further investigation and the webdav module would need further changes to really support unicode type strings.

Adding a .encode('UTF-8') to the string returned by PropertySheets.dav__allprop (when its unicode type) supports both unicode and non unicode type properties.

Revision history for this message
Sidnei da Silva (sidnei) wrote :

Can you review my fixes to xml_encode? I haven't noticed this issue before, but I think it does fix the problem.

Revision history for this message
Andreas Jung (ajung) wrote :

Status: Pending => Accepted

 Supporters added: dreamcatcher

@DC: Didn't you fix this issue lately?

Revision history for this message
Sidnei da Silva (sidnei) wrote :

Yes. Though it's still hardcoded to latin-1, it now checks if the object is unicode before trying to do anything with it.

Revision history for this message
Colin Watson (cjwatson) wrote :

The zope2 project on Launchpad has been archived at the request of the Zope developers (see https://answers.launchpad.net/launchpad/+question/683589 and https://answers.launchpad.net/launchpad/+question/685285). If this bug is still relevant, please refile it at https://github.com/zopefoundation/zope2.

Changed in zope2:
status: Confirmed → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.