Changeset 13492 for main

Timestamp:

24 Nov 2015, 11:50:10 (9 years ago)

Author:

Henrik Bettermann

Message:

Disable rendering of HTML tags in fullnames.

Location:

main/waeup.kofa/trunk/src/waeup/kofa

Files:

• students/tests/test_browser.py (modified) (1 diff)
• utils/utils.py (modified) (1 diff)

main/waeup.kofa/trunk/src/waeup/kofa/students/tests/test_browser.py

@@ -2262 +2262 @@
         return
 
+    def test_forbidden_name(self):
+        self.student.lastname = u'<TAG>Tester</TAG>'
+        self.browser.open(self.login_path)
+        self.browser.getControl(name="form.login").value = self.student_id
+        self.browser.getControl(name="form.password").value = 'spwd'
+        self.browser.getControl("Login").click()
+        self.assertTrue('XXX: Base Data' in self.browser.contents)
+        self.assertTrue('&lt;TAG&gt;Tester&lt;/TAG&gt;' in self.browser.contents)
+        self.assertFalse('<TAG>Tester</TAG>' in self.browser.contents)
+        return
+
     def test_setpassword(self):
         # Set password for first-time access

main/waeup.kofa/trunk/src/waeup/kofa/utils/utils.py

@@ -262 +262 @@
         else:
             name = '%s %s' % (firstname, lastname)
+        if '<' in name:
+            return 'XXX'
         return string.capwords(
             name.replace('-', ' - ')).replace(' - ', '-')