def test_newline(self):
"""htmlutils - test if newlines are properly escaped for Javascript strings"""
test_str = "a string with a \n line break in it"
self.assertEqual(escape_javascript_string(test_str), "a string with a \\n line break in it")
test_str = "a string with a \r\n line break in it"
self.assertEqual(escape_javascript_string(test_str), "a string with a \\r\\n line break in it")
test_str = """a string with a \r\n line break and "quote" in it"""
self.assertEqual(escape_javascript_string(test_str), '''a string with a \\r\\n line break and \\"quote\\" in it''')
def test_escape_javascript_string_for_html(self):
"""htmlutils - escaping strings for Javascript, for use in HTML"""
self.assertEqual(escape_javascript_string('''"Are you a Munchkin?" asked Dorothy.
"No, but I am their friend"'''),
'\\"Are you a Munchkin?\\" asked Dorothy.\\n\\"No, but I am their friend\\"')
input_string = '''/*<![CDATA[*/"Your <em>'Silver Shoes'</em> will carry you over the desert,"\r replied Glinda./*]]>*/'''
output_string = """/*<![CDATA[*/\\"Your <em>\\'Silver Shoes\\'</em> will carry you over the desert,\\"\\r replied Glinda./*]]>*/"""
self.assertEqual(escape_javascript_string(input_string), output_string)
def test_escape_closing_script_tag(self):
"""htmlutils - escaping closing </script> tag"""
input_string = '''My string contain some<script>alert(foo)</script> that browser might not like'''
output_string = '''My string contain some<script>alert(foo)</scr'+'ipt> that browser might not like'''
self.assertEqual(escape_javascript_string(input_string,
escape_for_html=False,
escape_CDATA=False,
escape_script_tag_with_quote="'"),
output_string)
output_string = '''My string contain some<script>alert(foo)</scr"+"ipt> that browser might not like'''
self.assertEqual(escape_javascript_string(input_string,
escape_for_html=False,
escape_CDATA=False,
escape_script_tag_with_quote='"'),
output_string)
def wash_for_js(text):
"""
DEPRECATED: use htmlutils.escape_javascript_string() instead,
and take note that returned value is no longer enclosed into
quotes.
"""
from invenio.utils.html import escape_javascript_string
if isinstance(text, six.string_types):
return '"%s"' % escape_javascript_string(text,
escape_for_html=False,
escape_CDATA=False,
escape_script_tag_with_quote=None)
else:
return text
def Create_Modify_Interface(parameters, curdir, form, user_info=None):
"""
Create an interface for the modification of a document, based on
the fields that the user has chosen to modify. This avoids having
to redefine a submission page for the modifications, but rely on
the elements already defined for the initial submission i.e. SBI
action (The only page that needs to be built for the modification
is the page letting the user specify a document to modify).
This function should be added at step 1 of your modification
workflow, after the functions that retrieves report number and
record id (Get_Report_Number, Get_Recid). Functions at step 2 are
the one executed upon successful submission of the form.
Create_Modify_Interface expects the following parameters:
* "fieldnameMBI" - the name of a text file in the submission
working directory that contains a list of the names of the
WebSubmit fields to include in the Modification interface.
These field names are separated by"\n" or "+".
* "prefix" - some content displayed before the main
modification interface. Can contain HTML (i.e. needs to be
pre-escaped). The prefix can make use of Python string
replacement for common values (such as 'rn'). Percent signs
(%) must consequently be escaped (with %%).
* "suffix" - some content displayed after the main modification
interface. Can contain HTML (i.e. needs to be
pre-escaped). The suffix can make use of Python string
replacement for common values (such as 'rn'). Percent signs
(%) must consequently be escaped (with %%).
* "button_label" - the label for the "END" button.
* "button_prefix" - some content displayed before the button to
submit the form. Can contain HTML (i.e. needs to be
pre-escaped). The prefix can make use of Python string
replacement for common values (such as 'rn'). Percent signs
(%) must consequently be escaped (with %%).
* "dates_conversion" - by default, values interpreted as dates
are converted to their 'DD/MM/YYYY' format, whenever
possible. Set another value for a different behaviour
(eg. 'none' for no conversion)
Given the list of WebSubmit fields to be included in the
modification interface, the values for each field are retrieved
for the given record (by way of each WebSubmit field being
configured with a MARC Code in the WebSubmit database). An HTML
FORM is then created. This form allows a user to modify certain
field values for a record.
The file referenced by 'fieldnameMBI' is usually generated from a
multiple select form field): users can then select one or several
fields to modify
Note that the function will display WebSubmit Response elements,
but will not be able to set an initial value: this must be done by
the Response element iteself.
Additionally the function creates an internal field named
'Create_Modify_Interface_DONE' on the interface, that can be
retrieved in curdir after the form has been submitted.
This flag is an indicator for the function that displayed values
should not be retrieved from the database, but from the submitted
values (in case the page is reloaded). You can also rely on this
value when building your WebSubmit Response element in order to
retrieve value either from the record, or from the submission
directory.
"""
ln = wash_language(form['ln'])
_ = gettext_set_language(ln)
global sysno,rn
t = ""
# variables declaration
fieldname = parameters['fieldnameMBI']
prefix = ''
suffix = ''
end_button_label = 'END'
end_button_prefix = ''
date_conversion_setting = ''
if parameters.has_key('prefix'):
prefix = parameters['prefix']
if parameters.has_key('suffix'):
suffix = parameters['suffix']
if parameters.has_key('button_label') and parameters['button_label']:
end_button_label = parameters['button_label']
if parameters.has_key('button_prefix'):
end_button_prefix = parameters['button_prefix']
if parameters.has_key('dates_conversion'):
date_conversion_setting = parameters['dates_conversion']
# Path of file containing fields to modify
the_globals = {
'doctype' : doctype,
'action' : action,
'act' : action, ## for backward compatibility
'step' : step,
'access' : access,
'ln' : ln,
'curdir' : curdir,
'uid' : user_info['uid'],
'uid_email' : user_info['email'],
'rn' : rn,
'last_step' : last_step,
'action_score' : action_score,
'__websubmit_in_jail__' : True,
'form': form,
'sysno': sysno,
'user_info' : user_info,
'__builtins__' : globals()['__builtins__'],
'Request_Print': Request_Print
}
if os.path.exists("%s/%s" % (curdir, fieldname)):
fp = open( "%s/%s" % (curdir, fieldname), "r" )
fieldstext = fp.read()
fp.close()
fieldstext = re.sub("\+","\n", fieldstext)
fields = fieldstext.split("\n")
else:
res = run_sql("SELECT fidesc FROM sbmFIELDDESC WHERE name=%s", (fieldname,))
if len(res) == 1:
fields = res[0][0].replace(" ", "")
fields = re.findall("<optionvalue=.*>", fields)
regexp = re.compile("""<optionvalue=(?P<quote>['|"]?)(?P<value>.*?)(?P=quote)""")
fields = [regexp.search(x) for x in fields]
fields = [x.group("value") for x in fields if x is not None]
fields = [x for x in fields if x not in ("Select", "select")]
else:
raise InvenioWebSubmitFunctionError("cannot find fields to modify")
#output some text
if not prefix:
t += "<center bgcolor=\"white\">The document <b>%s</b> has been found in the database.</center><br />Please modify the following fields:<br />Then press the '%s' button at the bottom of the page<br />\n" % \
(rn, cgi.escape(_(end_button_label)))
else:
t += prefix % the_globals
for field in fields:
subfield = ""
value = ""
marccode = ""
text = ""
# retrieve and display the modification text
t = t + "<FONT color=\"darkblue\">\n"
res = run_sql("SELECT modifytext FROM sbmFIELDDESC WHERE name=%s", (field,))
if len(res)>0:
t = t + "<small>%s</small> </FONT>\n" % (res[0][0] is None and ' ' or res[0][0],)
# retrieve the marc code associated with the field
res = run_sql("SELECT marccode FROM sbmFIELDDESC WHERE name=%s", (field,))
if len(res) > 0:
marccode = res[0][0]
# then retrieve the previous value of the field
if os.path.exists("%s/%s" % (curdir, "Create_Modify_Interface_DONE")):
# Page has been reloaded - get field value from text file on server, not from DB record
value = Create_Modify_Interface_getfieldval_fromfile(curdir, field)
else:
# First call to page - get field value from DB record
value = Create_Modify_Interface_getfieldval_fromDBrec(marccode, sysno)
if date_conversion_setting != 'none':
# If field is a date value, transform date into format DD/MM/YYYY:
value = Create_Modify_Interface_transform_date(value)
res = run_sql("SELECT * FROM sbmFIELDDESC WHERE name=%s", (field,))
if len(res) > 0:
element_type = res[0][3]
numcols = res[0][6]
numrows = res[0][5]
size = res[0][4]
maxlength = res[0][7]
val = res[0][8]
fidesc = res[0][9]
if element_type == "T":
text = "<textarea name=\"%s\" rows=%s cols=%s wrap>%s</textarea>" % (field, numrows, numcols, cgi.escape(value))
elif element_type == "F":
text = "<input type=\"file\" name=\"%s\" size=%s maxlength=\"%s\">" % (field, size, maxlength)
elif element_type == "I":
text = "<input name=\"%s\" size=%s value=\"%s\"> " % (field, size, val and escape_javascript_string(val, escape_quote_for_html=True) or '')
text = text + '''<script type="text/javascript">/*<![CDATA[*/
document.forms[0].%s.value="%s";
/*]]>*/</script>''' % (field, escape_javascript_string(value, escape_for_html=False))
elif element_type == "H":
text = "<input type=\"hidden\" name=\"%s\" value=\"%s\">" % (field, val and escape_javascript_string(val, escape_quote_for_html=True) or '')
text = text + '''<script type="text/javascript">/*<![CDATA[*/
document.forms[0].%s.value="%s";
/*]]>*/</script>''' % (field, escape_javascript_string(value, escape_for_html=False))
elif element_type == "S":
values = re.split("[\n\r]+", value)
text = fidesc
if re.search("%s\[\]" % field, fidesc):
multipletext = "[]"
else:
multipletext = ""
if len(values) > 0 and not(len(values) == 1 and values[0] == ""):
text += '<script type="text/javascript">/*<![CDATA[*/\n'
text += "var i = 0;\n"
text += "el = document.forms[0].elements['%s%s'];\n" % (field, multipletext)
text += "max = el.length;\n"
for val in values:
text += "var found = 0;\n"
text += "var i=0;\n"
text += "while (i != max) {\n"
text += " if (el.options[i].value == \"%s\" || el.options[i].text == \"%s\") {\n" % \
(escape_javascript_string(val, escape_for_html=False), escape_javascript_string(val, escape_for_html=False))
text += " el.options[i].selected = true;\n"
text += " found = 1;\n"
text += " }\n"
text += " i=i+1;\n"
text += "}\n"
#text += "if (found == 0) {\n"
#text += " el[el.length] = new Option(\"%s\", \"%s\", 1,1);\n"
#text += "}\n"
text += "/*]]>*/</script>\n"
elif element_type == "D":
text = fidesc
elif element_type == "R":
try:
co = compile(fidesc.replace("\r\n", "\n"), "<string>", "exec")
## Note this exec is safe WRT global variable because the
## Create_Modify_Interface has already been parsed by
## execfile within a protected environment.
the_globals['text'] = ''
exec co in the_globals
text = the_globals['text']
except:
msg = "Error in evaluating response element %s with globals %s" % (pprint.pformat(field), pprint.pformat(globals()))
register_exception(req=None, alert_admin=True, prefix=msg)
raise InvenioWebSubmitFunctionError(msg)
else:
text = "%s: unknown field type" % field
t = t + "<small>%s</small>" % text
# output our flag field
t += '<input type="hidden" name="Create_Modify_Interface_DONE" value="DONE\n" />'
t += '<br />'
if end_button_prefix:
t += end_button_prefix % the_globals
# output some more text
t += "<br /><CENTER><small><INPUT type=\"button\" width=400 height=50 name=\"End\" value=\"%(end_button_label)s\" onClick=\"document.forms[0].step.value = 2;user_must_confirm_before_leaving_page = false;document.forms[0].submit();\"></small></CENTER></H4>" % {'end_button_label': escape_javascript_string(_(end_button_label), escape_quote_for_html=True)}
if suffix:
t += suffix % the_globals
return t
def format_element(
bfo,
only_public_records=1,
sites="linkedin,twitter,facebook,google,delicious,sciencewise"):
"""Return a snippet of JavaScript needed for displaying a bookmark toolbar.
:param only_public_records: if set to 1 (the default), prints the box only
if the record is public (i.e. if it belongs to the root colletion and
is accessible to the world).
:param sites: which sites to enable (default is
'linkedin,twitter,facebook,google,delicious,sciencewise').
This should be a comma separated list of strings.
Valid values are available on:
<http://keith-wood.name/bookmark.html#sites>
Note that 'sciencewise' is an ad-hoc service that will be displayed
only in case the record has an arXiv reportnumber and will always
be displayed last.
"""
if int(only_public_records) and \
bfo.recID not in get_all_restricted_recids():
return ""
sitelist = sites.split(',')
sitelist = [site.strip().lower() for site in sitelist]
sciencewise = False
if 'sciencewise' in sitelist:
sciencewise = True
sitelist.remove('sciencewise')
sites_js = ", ".join("'%s'" % site for site in sitelist)
title = bfo.field('245__a')
description = bfo.field('520__a')
sciencewise_script = ""
if sciencewise:
reportnumber = get_arxiv_reportnumber(bfo)
sciencewise_url = ""
if reportnumber:
sciencewise_url = create_sciencewise_url(reportnumber)
if not sciencewise_url and CFG_CERN_SITE:
sciencewise_url = create_sciencewise_url(bfo.recID, cds=True)
if sciencewise_url:
sciencewise_script = """\
$.bookmark.addSite('sciencewise', 'ScienceWise.info', '%(siteurl)s/img/sciencewise.png', 'en', 'bookmark', '%(url)s');
$('#bookmark_sciencewise').bookmark({sites: ['sciencewise']});
""" % {
'siteurl': CFG_SITE_URL,
'url': sciencewise_url.replace("'", r"\'"),
}
url = '%(siteurl)s/%(record)s/%(recid)s' % \
{'recid': bfo.recID,
'record': CFG_SITE_RECORD,
'siteurl': CFG_BASE_URL}
args = parse_url_string(bfo.user_info['uri'])
journal_name = args["journal_name"]
if journal_name and \
(journal_name in [info.get('journal_name', '') for info in get_journals_ids_and_names()]):
# We are displaying a WebJournal article: URL is slightly different
url = make_journal_url(bfo.user_info['uri'])
return """\
<!-- JQuery Bookmark Button BEGIN -->
<div id="bookmark"></div><div id="bookmark_sciencewise"></div>
<style type="text/css">
#bookmark_sciencewise, #bookmark { float: left; }
#bookmark_sciencewise li { padding: 2px; width: 25px}
#bookmark_sciencewise ul, #bookmark ul { list-style-image: none; }
</style>
<script type="text/javascript" src="%(siteurl)s/vendors/jquery.bookmark/jquery.bookmark.min.js"></script>
<style type="text/css">@import "%(siteurl)s/vendors/jquery.bookmark/jquery.bookmark.css";</style>
<script type="text/javascript">// <![CDATA[
%(sciencewise)s
$('#bookmark').bookmark({
sites: [%(sites_js)s],
icons: '%(siteurl)s/vendors/jquery.bookmark/bookmarks.png',
url: '%(url)s',
addEmail: true,
title: "%(title)s",
description: "%(description)s"
});
// ]]>
</script>
<!-- JQuery Bookmark Button END -->
""" % {
'siteurl':
CFG_BASE_URL,
'sciencewise':
sciencewise_script,
'title':
escape_javascript_string(
title, escape_for_html=False, escape_CDATA=True),
'description':
escape_javascript_string(
description, escape_for_html=False, escape_CDATA=True),
'sites_js':
sites_js,
'url':
url,
}
def test_escape_javascript_string_for_html_in_tag_attribute(self):
"""htmlutils - escaping closing double quotes for use in HTML tag attribute"""
input_string = '''"Your <em>'Silver Shoes'</em> will carry you over the desert,"\r replied Glinda.'''
output_string = """"Your <em>\\'Silver Shoes\\'</em> will carry you over the desert,"\\r replied Glinda."""
self.assertEqual(escape_javascript_string(input_string, escape_for_html=False, escape_quote_for_html=True),
output_string)
def test_escape_javascript_string_for_javascript_or_json(self):
"""htmlutils - escaping strings for Javascript, for use in "pure" Javscript or JSON output"""
input_string = '''/*<![CDATA[*/"Your <em>'Silver Shoes'</em> will carry you over the desert,"\r replied Glinda./*]]>*/'''
output_string = """/*<![CDATA[*/\\"Your <em>\\'Silver Shoes\\'</em> will carry you over the desert,\\"\\r replied Glinda./*]]>*/"""
self.assertEqual(escape_javascript_string(input_string, escape_for_html=False, escape_CDATA=False),
output_string)
def test_escape_javascript_string_for_html_in_cdata(self):
"""htmlutils - escaping strings for Javascript, for use in HTML, in CDATA sections"""
input_string = '''/*<![CDATA[*/"Your <em>'Silver Shoes'</em> will carry you over the desert,"\r replied Glinda./*]]>*/'''
output_string = """/*<![CDATA[*/\\"Your <em>\\'Silver Shoes\\'</em> will carry you over the desert,\\"\\r replied Glinda./*]]]]><![CDATA[>*/"""
self.assertEqual(escape_javascript_string(input_string, escape_for_html=False, escape_CDATA=True),
output_string)
def format_element(bfo, only_public_records=1, sites="linkedin,twitter,facebook,google,delicious,sciencewise"):
"""
Return a snippet of JavaScript needed for displaying a bookmark toolbar
@param only_public_records: if set to 1 (the default), prints the box only
if the record is public (i.e. if it belongs to the root colletion and is
accessible to the world).
@param sites: which sites to enable (default is 'linkedin,twitter,facebook,google,delicious,sciencewise'). This should be a
comma separated list of strings.
Valid values are available on:
<http://keith-wood.name/bookmark.html#sites>
Note that 'sciencewise' is an ad-hoc service that will be displayed
only in case the record has an arXiv reportnumber and will always
be displayed last.
"""
if int(only_public_records) and not record_public_p(bfo.recID):
return ""
sitelist = sites.split(',')
sitelist = [site.strip().lower() for site in sitelist]
sciencewise = False
if 'sciencewise' in sitelist:
sciencewise = True
sitelist.remove('sciencewise')
sites_js = ", ".join("'%s'" % site for site in sitelist)
title = bfo.field('245__a')
description = bfo.field('520__a')
sciencewise_script = ""
if sciencewise:
reportnumber = get_arxiv_reportnumber(bfo)
sciencewise_url = ""
if reportnumber:
sciencewise_url = create_sciencewise_url(reportnumber)
if not sciencewise_url and CFG_CERN_SITE:
sciencewise_url = create_sciencewise_url(bfo.recID, cds=True)
if sciencewise_url:
sciencewise_script = """\
$.bookmark.addSite('sciencewise', 'ScienceWise.info', '%(siteurl)s/img/sciencewise.png', 'en', 'bookmark', '%(url)s');
$('#bookmark_sciencewise').bookmark({sites: ['sciencewise']});
""" % {
'siteurl': CFG_SITE_URL,
'url': sciencewise_url.replace("'", r"\'"),
}
url = '%(siteurl)s/%(record)s/%(recid)s' % \
{'recid': bfo.recID,
'record': CFG_SITE_RECORD,
'siteurl': CFG_SITE_URL}
args = parse_url_string(bfo.user_info['uri'])
journal_name = args["journal_name"]
if journal_name and \
(journal_name in [info.get('journal_name', '') for info in get_journals_ids_and_names()]):
# We are displaying a WebJournal article: URL is slightly different
url = make_journal_url(bfo.user_info['uri'])
return """\
<!-- JQuery Bookmark Button BEGIN -->
<div id="bookmark"></div><div id="bookmark_sciencewise"></div>
<style type="text/css">
#bookmark_sciencewise, #bookmark { float: left; }
#bookmark_sciencewise li { padding: 2px; width: 25px}
#bookmark_sciencewise ul, #bookmark ul { list-style-image: none; }
</style>
<script type="text/javascript" src="%(siteurl)s/js/jquery.bookmark.min.js"></script>
<style type="text/css">@import "%(siteurl)s/css/jquery.bookmark.css";</style>
<script type="text/javascript">// <![CDATA[
%(sciencewise)s
$('#bookmark').bookmark({
sites: [%(sites_js)s],
icons: '%(siteurl)s/img/bookmarks.png',
url: '%(url)s',
addEmail: true,
title: "%(title)s",
description: "%(description)s"
});
// ]]>
</script>
<!-- JQuery Bookmark Button END -->
""" % {
'siteurl': CFG_SITE_URL,
'sciencewise': sciencewise_script,
'title': escape_javascript_string(title,
escape_for_html=False,
escape_CDATA=True),
'description': escape_javascript_string(description,
escape_for_html=False,
escape_CDATA=True),
'sites_js': sites_js,
'url': url,
}
