[Mpuls-commits] r472 - in wasko/trunk: . waskaweb/controllers waskaweb/model waskaweb/templates/statement
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Fri Apr 3 15:18:26 CEST 2009
Author: teichmann
Date: 2009-04-03 15:18:25 +0200 (Fri, 03 Apr 2009)
New Revision: 472
Modified:
wasko/trunk/ChangeLog.txt
wasko/trunk/waskaweb/controllers/statement.py
wasko/trunk/waskaweb/model/statement.py
wasko/trunk/waskaweb/templates/statement/list_statements.mako
Log:
partial fix for issue106. Removed 'Unterstuetzungsangebote'
from statements list.
Modified: wasko/trunk/ChangeLog.txt
===================================================================
--- wasko/trunk/ChangeLog.txt 2009-04-03 12:53:03 UTC (rev 471)
+++ wasko/trunk/ChangeLog.txt 2009-04-03 13:18:25 UTC (rev 472)
@@ -1,5 +1,19 @@
2009-04-02 Sascha L. Teichmann <teichmann at intevation.de>
+ partial fix for issue106. Removed 'Unterstuetzungsangebote'
+ from statements list.
+
+ * waskaweb/templates/statement/list_statements.mako: Removed
+ 'Unterstuetzungsangebote' from statement list.
+
+ * waskaweb/controllers/statement.py: Removed corresponding
+ controller.
+
+ * waskaweb/model/statement.py: escape values before
+ filling the templates to prevent HTML injections.
+
+2009-04-02 Sascha L. Teichmann <teichmann at intevation.de>
+
* waskaweb/converter/wasko_v1v2.py: forget '.self' in two places.
2009-04-02 Sascha L. Teichmann <teichmann at intevation.de>
Modified: wasko/trunk/waskaweb/controllers/statement.py
===================================================================
--- wasko/trunk/waskaweb/controllers/statement.py 2009-04-03 12:53:03 UTC (rev 471)
+++ wasko/trunk/waskaweb/controllers/statement.py 2009-04-03 13:18:25 UTC (rev 472)
@@ -72,14 +72,6 @@
return render('statement/list_statements.mako')
@checkRole('cm_ka')
- def printAidPlanStatement(self, id):
- id = self._checkInt(id)
- case = self._loadCase(id)
- statement = case.getAidPlanStatement()
- c.content = statement.getContent()
- return render('statement/default_statement.mako')
-
- @checkRole('cm_ka')
def printPrivacyStatement(self, id):
id = self._checkInt(id)
case = self._loadCase(id)
Modified: wasko/trunk/waskaweb/model/statement.py
===================================================================
--- wasko/trunk/waskaweb/model/statement.py 2009-04-03 12:53:03 UTC (rev 471)
+++ wasko/trunk/waskaweb/model/statement.py 2009-04-03 13:18:25 UTC (rev 472)
@@ -32,6 +32,8 @@
from string import Template
import waskaweb.lib.filters as F
+from cgi import escape
+
GET_STATEMENT_FLAG_SQL = """SELECT einwilligung from ee_view WHERE id = %(id)s"""
SET_STATEMENT_FLAG_SQL = """SELECT set_ee_status(%(id)s, %(value)s)"""
class Statement:
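Review bot: `escape` is imported on the `+from cgi import escape` line with its default `quote=False`, so `"` and `'` pass through unchanged; that is only sufficient while every placeholder the Template fills sits in element text rather than inside an attribute value, and the template strings themselves are not in this diff. A small module helper used by all four `_substitute` methods in the later hunks would close that gap and keep the call sites uniform: `def _esc(value): return escape(unicode(F.NA(value)), True)`. The `unicode(...)` coercion matters because `cgi.escape` calls `.replace` on its argument; if `F.NA` passes non-string values through (the `agency.getMaxSavetime()` and `rg.start_date` substitutions look like candidates, though I cannot tell from the diff what `F.NA` returns), the escaping line would raise rather than render.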
@@ -76,9 +78,9 @@
def _substitute(self, client, agency):
# Substitution dictionary
s = {
- 'VORNAME': F.NA(client.first_name),
- 'NACHNAME': F.NA(client.last_name),
- 'KA_NAME': F.NA(agency.getName()),
+ 'VORNAME' : escape(F.NA(client.first_name)),
+ 'NACHNAME': escape(F.NA(client.last_name)),
+ 'KA_NAME' : escape(F.NA(agency.getName())),
}
result = self.template.safe_substitute(s)
return result
@@ -96,14 +98,14 @@
def _substitute(self, client, agency):
# Substitution dictionary
s = {
- 'VORNAME': F.NA(client.first_name),
- 'NACHNAME': F.NA(client.last_name),
- 'PLZ': F.NA(client.plz),
- 'STRASSE': F.NA(client.street),
- 'STRASSENR': F.NA(client.streetnr),
- 'ORT': F.NA(client.city),
- 'KA_NAME': F.NA(agency.getName()),
- 'KA_SPEICHERDAUER': F.NA(agency.getMaxSavetime())
+ 'VORNAME' : escape(F.NA(client.first_name)),
+ 'NACHNAME' : escape(F.NA(client.last_name)),
+ 'PLZ' : escape(F.NA(client.plz)),
+ 'STRASSE' : escape(F.NA(client.street)),
+ 'STRASSENR' : escape(F.NA(client.streetnr)),
+ 'ORT' : escape(F.NA(client.city)),
+ 'KA_NAME' : escape(F.NA(agency.getName())),
+ 'KA_SPEICHERDAUER': escape(F.NA(agency.getMaxSavetime()))
}
result = self.template.safe_substitute(s)
return result
@@ -179,13 +181,13 @@
else:
for rg in rg_list:
out.append(u"""<tr style="border:0">""")
- out.append(u"""<td style="border:0">%s</td>""" % F.NA(rg.start_date))
- out.append(u"""<td style="border:0">%s</td>""" % F.NA(rg.end_date))
- out.append(u"""<td style="border:0">%s</td>""" % F.NA(rg.institution))
- out.append(u"""<td style="border:0">%s</td>""" % F.NA(rg.type))
- out.append(u"""<td style="border:0">%s</td>""" % F.NA(rg.category))
+ out.append(u"""<td style="border:0">%s</td>""" % escape(F.NA(rg.start_date)))
+ out.append(u"""<td style="border:0">%s</td>""" % escape(F.NA(rg.end_date)))
+ out.append(u"""<td style="border:0">%s</td>""" % escape(F.NA(rg.institution)))
+ out.append(u"""<td style="border:0">%s</td>""" % escape(F.NA(rg.type)))
+ out.append(u"""<td style="border:0">%s</td>""" % escape(F.NA(rg.category)))
out.append(u"</tr>")
- out.append(u"""<tr><td colspan="5">Zielsetzung: %s</tr>""" % F.NA(rg.goal))
+ out.append(u"""<tr><td colspan="5">Zielsetzung: %s</tr>""" % escape(F.NA(rg.goal)))
out.append(u"</table>")
out.append(u"""<div class="legend">
Legende: <strong>(BB)</strong>: Allgemein bildenden Bereich <strong>(BV)</strong>: Bereich der Berufsvorbereitung <strong>(BQ)</strong>: Berufliche Qualifizierung <strong>(LB)</strong>: Lebensbewältigung</div>""")
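Review bot: The rewritten `Zielsetzung: %s</tr>` line still closes the row without closing its cell; the markup should read `out.append(u"""<tr><td colspan="5">Zielsetzung: %s</td></tr>""" % escape(F.NA(rg.goal)))`. This was already wrong before the commit, but since the line is being touched anyway it is the cheapest moment to fix it. The enclosing loop and method continue outside the hunk.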
@@ -194,8 +196,8 @@
def _substitute(self, client, agency, list):
# Substitution dictionary
s = {
- 'VORNAME': client.first_name,
- 'NACHNAME': client.last_name,
+ 'VORNAME' : escape(client.first_name),
+ 'NACHNAME': escape(client.last_name),
'ANGEBOTE': list
}
result = self.template.safe_substitute(s)
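Review bot: `escape(client.first_name)` on the `+ 'VORNAME'` line is applied to the raw attribute, whereas the other three `_substitute` methods changed in this commit wrap the value in `F.NA` first; if `first_name` or `last_name` is None here, `escape` raises AttributeError instead of rendering the not-available marker. Suggest `'VORNAME' : escape(F.NA(client.first_name)),` and `'NACHNAME': escape(F.NA(client.last_name)),` so all four methods agree. `'ANGEBOTE': list` appears to be the table markup assembled in the preceding hunk and is presumably left unescaped on purpose; a comment such as `# ANGEBOTE is pre-rendered HTML from the caller, each field escaped there` would stop a later reader from wrapping it too. The enclosing method continues past the hunk.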
Modified: wasko/trunk/waskaweb/templates/statement/list_statements.mako
===================================================================
--- wasko/trunk/waskaweb/templates/statement/list_statements.mako 2009-04-03 12:53:03 UTC (rev 471)
+++ wasko/trunk/waskaweb/templates/statement/list_statements.mako 2009-04-03 13:18:25 UTC (rev 472)
@@ -21,17 +21,8 @@
Erklärung drucken
</a>
</p><br>
-<h2>2. ${_('statement_header_fp')}</h2>
+<h2>2. ${_('statement_header_ud')}</h2>
<p>
-${_('statement_explaination_fp')}
-</p>
-<p>
- <a href="${h.url_for(controller='/statement', action='printAidPlanStatement', id=session.get('case').id)}" target="_blank">
- Erklärung drucken
- </a>
-</p><br>
-<h2>3. ${_('statement_header_ud')}</h2>
-<p>
${_('statement_explaination_ud')}
</p>
<p>