Changeset 13235

Timestamp:

28 Aug 2015, 07:49:07 (9 years ago)

Author:

Henrik Bettermann

Message:

Forbid style and script elements.

Location:

main/waeup.kofa/trunk/src/waeup/kofa

Files:

• applicants/browser_templates/applicantscontainermanagepage.pt (modified) (1 diff)
• applicants/interfaces.py (modified) (4 diffs)
• documents/interfaces.py (modified) (2 diffs)
• interfaces.py (modified) (2 diffs)

main/waeup.kofa/trunk/src/waeup/kofa/applicants/browser_templates/applicantscontainermanagepage.pt

@@ -90 +90 @@
     <tal:showNoApplicants condition="not: view/showApplicants">
       <p i18n:translate="note_acmp">
-          There are more than 5000 application records in this container.
+          There are more than 1000 application records in this container.
           In order to prevent from downloading big amounts of data, the
           Applicants tab has been disabled. Please use the

main/waeup.kofa/trunk/src/waeup/kofa/applicants/interfaces.py

@@ -29 +29 @@
 from waeup.kofa.schema import TextLineChoice, FormattedDate
 from waeup.kofa.interfaces import (
-    IKofaObject, validate_email,
+    IKofaObject, validate_email, validate_html,
     SimpleKofaVocabulary)
 from waeup.kofa.interfaces import MessageFactory as _
@@ -177 +177 @@
         title = _(u'Human readable description in HTML format'),
         required = False,
+        constraint=validate_html,
         default = u'''This text can been seen by anonymous users.
 Here we put multi-lingual general information about the application procedure.
@@ -243 +244 @@
         title = _(u'Human readable description in HTML format'),
         required = False,
+        constraint=validate_html,
         default = u'''This text can been seen by anonymous users.
 Here we put multi-lingual information about the study courses provided, the application procedure and deadlines.
@@ -277 +279 @@
         title = _(u'Human readable notice on application slip in HTML format'),
         required = False,
-        )
-
+        constraint=validate_html,
+        )
 
     hidden= schema.Bool(

main/waeup.kofa/trunk/src/waeup/kofa/documents/interfaces.py

@@ -19 +19 @@
 from zope import schema
 from waeup.kofa.interfaces import (
-    IKofaObject, validate_id,
+    IKofaObject, validate_id, validate_html,
     ContextualDictSourceFactoryBase)
 from waeup.kofa.interfaces import MessageFactory as _
@@ -82 +82 @@
         title = _(u'Multilingual content in HTML format'),
         required = False,
+        constraint=validate_html,
         )
 

main/waeup.kofa/trunk/src/waeup/kofa/interfaces.py

@@ -179 +179 @@
     return True
 
+# Define a validation method for HTML fields
+class NotHTMLValue(schema.ValidationError):
+    __doc__ = u"Style or script elements not allowed"
+
+def validate_html(value):
+    if '<style' in value or '<script' in value:
+        raise NotHTMLValue(value)
+    return True
+
 # Define a validation method for international phone numbers
 class InvalidPhoneNumber(schema.ValidationError):
@@ -650 +659 @@
         required = False,
         default = default_html_frontpage,
+        constraint=validate_html,
         )