def test_newline(self): """htmlutils - test if newlines are properly escaped for Javascript strings""" test_str = "a string with a \n line break in it" self.assertEqual(escape_javascript_string(test_str), "a string with a \\n line break in it") test_str = "a string with a \r\n line break in it" self.assertEqual(escape_javascript_string(test_str), "a string with a \\r\\n line break in it") test_str = """a string with a \r\n line break and "quote" in it""" self.assertEqual(escape_javascript_string(test_str), '''a string with a \\r\\n line break and \\"quote\\" in it''')
def test_escape_javascript_string_for_html(self): """htmlutils - escaping strings for Javascript, for use in HTML""" self.assertEqual(escape_javascript_string('''"Are you a Munchkin?" asked Dorothy. "No, but I am their friend"'''), '\\"Are you a Munchkin?\\" asked Dorothy.\\n\\"No, but I am their friend\\"') input_string = '''/*<![CDATA[*/"Your <em>'Silver Shoes'</em> will carry you over the desert,"\r replied Glinda./*]]>*/''' output_string = """/*<![CDATA[*/\\"Your <em>\\'Silver Shoes\\'</em> will carry you over the desert,\\"\\r replied Glinda./*]]>*/""" self.assertEqual(escape_javascript_string(input_string), output_string)
def test_escape_closing_script_tag(self): """htmlutils - escaping closing </script> tag""" input_string = '''My string contain some<script>alert(foo)</script> that browser might not like''' output_string = '''My string contain some<script>alert(foo)</scr'+'ipt> that browser might not like''' self.assertEqual(escape_javascript_string(input_string, escape_for_html=False, escape_CDATA=False, escape_script_tag_with_quote="'"), output_string) output_string = '''My string contain some<script>alert(foo)</scr"+"ipt> that browser might not like''' self.assertEqual(escape_javascript_string(input_string, escape_for_html=False, escape_CDATA=False, escape_script_tag_with_quote='"'), output_string)
def wash_for_js(text): """ DEPRECATED: use htmlutils.escape_javascript_string() instead, and take note that returned value is no longer enclosed into quotes. """ from invenio.utils.html import escape_javascript_string if isinstance(text, six.string_types): return '"%s"' % escape_javascript_string(text, escape_for_html=False, escape_CDATA=False, escape_script_tag_with_quote=None) else: return text
def Create_Modify_Interface(parameters, curdir, form, user_info=None): """ Create an interface for the modification of a document, based on the fields that the user has chosen to modify. This avoids having to redefine a submission page for the modifications, but rely on the elements already defined for the initial submission i.e. SBI action (The only page that needs to be built for the modification is the page letting the user specify a document to modify). This function should be added at step 1 of your modification workflow, after the functions that retrieves report number and record id (Get_Report_Number, Get_Recid). Functions at step 2 are the one executed upon successful submission of the form. Create_Modify_Interface expects the following parameters: * "fieldnameMBI" - the name of a text file in the submission working directory that contains a list of the names of the WebSubmit fields to include in the Modification interface. These field names are separated by"\n" or "+". * "prefix" - some content displayed before the main modification interface. Can contain HTML (i.e. needs to be pre-escaped). The prefix can make use of Python string replacement for common values (such as 'rn'). Percent signs (%) must consequently be escaped (with %%). * "suffix" - some content displayed after the main modification interface. Can contain HTML (i.e. needs to be pre-escaped). The suffix can make use of Python string replacement for common values (such as 'rn'). Percent signs (%) must consequently be escaped (with %%). * "button_label" - the label for the "END" button. * "button_prefix" - some content displayed before the button to submit the form. Can contain HTML (i.e. needs to be pre-escaped). The prefix can make use of Python string replacement for common values (such as 'rn'). Percent signs (%) must consequently be escaped (with %%). * "dates_conversion" - by default, values interpreted as dates are converted to their 'DD/MM/YYYY' format, whenever possible. Set another value for a different behaviour (eg. 'none' for no conversion) Given the list of WebSubmit fields to be included in the modification interface, the values for each field are retrieved for the given record (by way of each WebSubmit field being configured with a MARC Code in the WebSubmit database). An HTML FORM is then created. This form allows a user to modify certain field values for a record. The file referenced by 'fieldnameMBI' is usually generated from a multiple select form field): users can then select one or several fields to modify Note that the function will display WebSubmit Response elements, but will not be able to set an initial value: this must be done by the Response element iteself. Additionally the function creates an internal field named 'Create_Modify_Interface_DONE' on the interface, that can be retrieved in curdir after the form has been submitted. This flag is an indicator for the function that displayed values should not be retrieved from the database, but from the submitted values (in case the page is reloaded). You can also rely on this value when building your WebSubmit Response element in order to retrieve value either from the record, or from the submission directory. """ ln = wash_language(form['ln']) _ = gettext_set_language(ln) global sysno,rn t = "" # variables declaration fieldname = parameters['fieldnameMBI'] prefix = '' suffix = '' end_button_label = 'END' end_button_prefix = '' date_conversion_setting = '' if parameters.has_key('prefix'): prefix = parameters['prefix'] if parameters.has_key('suffix'): suffix = parameters['suffix'] if parameters.has_key('button_label') and parameters['button_label']: end_button_label = parameters['button_label'] if parameters.has_key('button_prefix'): end_button_prefix = parameters['button_prefix'] if parameters.has_key('dates_conversion'): date_conversion_setting = parameters['dates_conversion'] # Path of file containing fields to modify the_globals = { 'doctype' : doctype, 'action' : action, 'act' : action, ## for backward compatibility 'step' : step, 'access' : access, 'ln' : ln, 'curdir' : curdir, 'uid' : user_info['uid'], 'uid_email' : user_info['email'], 'rn' : rn, 'last_step' : last_step, 'action_score' : action_score, '__websubmit_in_jail__' : True, 'form': form, 'sysno': sysno, 'user_info' : user_info, '__builtins__' : globals()['__builtins__'], 'Request_Print': Request_Print } if os.path.exists("%s/%s" % (curdir, fieldname)): fp = open( "%s/%s" % (curdir, fieldname), "r" ) fieldstext = fp.read() fp.close() fieldstext = re.sub("\+","\n", fieldstext) fields = fieldstext.split("\n") else: res = run_sql("SELECT fidesc FROM sbmFIELDDESC WHERE name=%s", (fieldname,)) if len(res) == 1: fields = res[0][0].replace(" ", "") fields = re.findall("<optionvalue=.*>", fields) regexp = re.compile("""<optionvalue=(?P<quote>['|"]?)(?P<value>.*?)(?P=quote)""") fields = [regexp.search(x) for x in fields] fields = [x.group("value") for x in fields if x is not None] fields = [x for x in fields if x not in ("Select", "select")] else: raise InvenioWebSubmitFunctionError("cannot find fields to modify") #output some text if not prefix: t += "<center bgcolor=\"white\">The document <b>%s</b> has been found in the database.</center><br />Please modify the following fields:<br />Then press the '%s' button at the bottom of the page<br />\n" % \ (rn, cgi.escape(_(end_button_label))) else: t += prefix % the_globals for field in fields: subfield = "" value = "" marccode = "" text = "" # retrieve and display the modification text t = t + "<FONT color=\"darkblue\">\n" res = run_sql("SELECT modifytext FROM sbmFIELDDESC WHERE name=%s", (field,)) if len(res)>0: t = t + "<small>%s</small> </FONT>\n" % (res[0][0] is None and ' ' or res[0][0],) # retrieve the marc code associated with the field res = run_sql("SELECT marccode FROM sbmFIELDDESC WHERE name=%s", (field,)) if len(res) > 0: marccode = res[0][0] # then retrieve the previous value of the field if os.path.exists("%s/%s" % (curdir, "Create_Modify_Interface_DONE")): # Page has been reloaded - get field value from text file on server, not from DB record value = Create_Modify_Interface_getfieldval_fromfile(curdir, field) else: # First call to page - get field value from DB record value = Create_Modify_Interface_getfieldval_fromDBrec(marccode, sysno) if date_conversion_setting != 'none': # If field is a date value, transform date into format DD/MM/YYYY: value = Create_Modify_Interface_transform_date(value) res = run_sql("SELECT * FROM sbmFIELDDESC WHERE name=%s", (field,)) if len(res) > 0: element_type = res[0][3] numcols = res[0][6] numrows = res[0][5] size = res[0][4] maxlength = res[0][7] val = res[0][8] fidesc = res[0][9] if element_type == "T": text = "<textarea name=\"%s\" rows=%s cols=%s wrap>%s</textarea>" % (field, numrows, numcols, cgi.escape(value)) elif element_type == "F": text = "<input type=\"file\" name=\"%s\" size=%s maxlength=\"%s\">" % (field, size, maxlength) elif element_type == "I": text = "<input name=\"%s\" size=%s value=\"%s\"> " % (field, size, val and escape_javascript_string(val, escape_quote_for_html=True) or '') text = text + '''<script type="text/javascript">/*<![CDATA[*/ document.forms[0].%s.value="%s"; /*]]>*/</script>''' % (field, escape_javascript_string(value, escape_for_html=False)) elif element_type == "H": text = "<input type=\"hidden\" name=\"%s\" value=\"%s\">" % (field, val and escape_javascript_string(val, escape_quote_for_html=True) or '') text = text + '''<script type="text/javascript">/*<![CDATA[*/ document.forms[0].%s.value="%s"; /*]]>*/</script>''' % (field, escape_javascript_string(value, escape_for_html=False)) elif element_type == "S": values = re.split("[\n\r]+", value) text = fidesc if re.search("%s\[\]" % field, fidesc): multipletext = "[]" else: multipletext = "" if len(values) > 0 and not(len(values) == 1 and values[0] == ""): text += '<script type="text/javascript">/*<![CDATA[*/\n' text += "var i = 0;\n" text += "el = document.forms[0].elements['%s%s'];\n" % (field, multipletext) text += "max = el.length;\n" for val in values: text += "var found = 0;\n" text += "var i=0;\n" text += "while (i != max) {\n" text += " if (el.options[i].value == \"%s\" || el.options[i].text == \"%s\") {\n" % \ (escape_javascript_string(val, escape_for_html=False), escape_javascript_string(val, escape_for_html=False)) text += " el.options[i].selected = true;\n" text += " found = 1;\n" text += " }\n" text += " i=i+1;\n" text += "}\n" #text += "if (found == 0) {\n" #text += " el[el.length] = new Option(\"%s\", \"%s\", 1,1);\n" #text += "}\n" text += "/*]]>*/</script>\n" elif element_type == "D": text = fidesc elif element_type == "R": try: co = compile(fidesc.replace("\r\n", "\n"), "<string>", "exec") ## Note this exec is safe WRT global variable because the ## Create_Modify_Interface has already been parsed by ## execfile within a protected environment. the_globals['text'] = '' exec co in the_globals text = the_globals['text'] except: msg = "Error in evaluating response element %s with globals %s" % (pprint.pformat(field), pprint.pformat(globals())) register_exception(req=None, alert_admin=True, prefix=msg) raise InvenioWebSubmitFunctionError(msg) else: text = "%s: unknown field type" % field t = t + "<small>%s</small>" % text # output our flag field t += '<input type="hidden" name="Create_Modify_Interface_DONE" value="DONE\n" />' t += '<br />' if end_button_prefix: t += end_button_prefix % the_globals # output some more text t += "<br /><CENTER><small><INPUT type=\"button\" width=400 height=50 name=\"End\" value=\"%(end_button_label)s\" onClick=\"document.forms[0].step.value = 2;user_must_confirm_before_leaving_page = false;document.forms[0].submit();\"></small></CENTER></H4>" % {'end_button_label': escape_javascript_string(_(end_button_label), escape_quote_for_html=True)} if suffix: t += suffix % the_globals return t
def format_element( bfo, only_public_records=1, sites="linkedin,twitter,facebook,google,delicious,sciencewise"): """Return a snippet of JavaScript needed for displaying a bookmark toolbar. :param only_public_records: if set to 1 (the default), prints the box only if the record is public (i.e. if it belongs to the root colletion and is accessible to the world). :param sites: which sites to enable (default is 'linkedin,twitter,facebook,google,delicious,sciencewise'). This should be a comma separated list of strings. Valid values are available on: <http://keith-wood.name/bookmark.html#sites> Note that 'sciencewise' is an ad-hoc service that will be displayed only in case the record has an arXiv reportnumber and will always be displayed last. """ if int(only_public_records) and \ bfo.recID not in get_all_restricted_recids(): return "" sitelist = sites.split(',') sitelist = [site.strip().lower() for site in sitelist] sciencewise = False if 'sciencewise' in sitelist: sciencewise = True sitelist.remove('sciencewise') sites_js = ", ".join("'%s'" % site for site in sitelist) title = bfo.field('245__a') description = bfo.field('520__a') sciencewise_script = "" if sciencewise: reportnumber = get_arxiv_reportnumber(bfo) sciencewise_url = "" if reportnumber: sciencewise_url = create_sciencewise_url(reportnumber) if not sciencewise_url and CFG_CERN_SITE: sciencewise_url = create_sciencewise_url(bfo.recID, cds=True) if sciencewise_url: sciencewise_script = """\ $.bookmark.addSite('sciencewise', 'ScienceWise.info', '%(siteurl)s/img/sciencewise.png', 'en', 'bookmark', '%(url)s'); $('#bookmark_sciencewise').bookmark({sites: ['sciencewise']}); """ % { 'siteurl': CFG_SITE_URL, 'url': sciencewise_url.replace("'", r"\'"), } url = '%(siteurl)s/%(record)s/%(recid)s' % \ {'recid': bfo.recID, 'record': CFG_SITE_RECORD, 'siteurl': CFG_BASE_URL} args = parse_url_string(bfo.user_info['uri']) journal_name = args["journal_name"] if journal_name and \ (journal_name in [info.get('journal_name', '') for info in get_journals_ids_and_names()]): # We are displaying a WebJournal article: URL is slightly different url = make_journal_url(bfo.user_info['uri']) return """\ <!-- JQuery Bookmark Button BEGIN --> <div id="bookmark"></div><div id="bookmark_sciencewise"></div> <style type="text/css"> #bookmark_sciencewise, #bookmark { float: left; } #bookmark_sciencewise li { padding: 2px; width: 25px} #bookmark_sciencewise ul, #bookmark ul { list-style-image: none; } </style> <script type="text/javascript" src="%(siteurl)s/vendors/jquery.bookmark/jquery.bookmark.min.js"></script> <style type="text/css">@import "%(siteurl)s/vendors/jquery.bookmark/jquery.bookmark.css";</style> <script type="text/javascript">// <![CDATA[ %(sciencewise)s $('#bookmark').bookmark({ sites: [%(sites_js)s], icons: '%(siteurl)s/vendors/jquery.bookmark/bookmarks.png', url: '%(url)s', addEmail: true, title: "%(title)s", description: "%(description)s" }); // ]]> </script> <!-- JQuery Bookmark Button END --> """ % { 'siteurl': CFG_BASE_URL, 'sciencewise': sciencewise_script, 'title': escape_javascript_string( title, escape_for_html=False, escape_CDATA=True), 'description': escape_javascript_string( description, escape_for_html=False, escape_CDATA=True), 'sites_js': sites_js, 'url': url, }
def test_escape_javascript_string_for_html_in_tag_attribute(self): """htmlutils - escaping closing double quotes for use in HTML tag attribute""" input_string = '''"Your <em>'Silver Shoes'</em> will carry you over the desert,"\r replied Glinda.''' output_string = """"Your <em>\\'Silver Shoes\\'</em> will carry you over the desert,"\\r replied Glinda.""" self.assertEqual(escape_javascript_string(input_string, escape_for_html=False, escape_quote_for_html=True), output_string)
def test_escape_javascript_string_for_javascript_or_json(self): """htmlutils - escaping strings for Javascript, for use in "pure" Javscript or JSON output""" input_string = '''/*<![CDATA[*/"Your <em>'Silver Shoes'</em> will carry you over the desert,"\r replied Glinda./*]]>*/''' output_string = """/*<![CDATA[*/\\"Your <em>\\'Silver Shoes\\'</em> will carry you over the desert,\\"\\r replied Glinda./*]]>*/""" self.assertEqual(escape_javascript_string(input_string, escape_for_html=False, escape_CDATA=False), output_string)
def test_escape_javascript_string_for_html_in_cdata(self): """htmlutils - escaping strings for Javascript, for use in HTML, in CDATA sections""" input_string = '''/*<![CDATA[*/"Your <em>'Silver Shoes'</em> will carry you over the desert,"\r replied Glinda./*]]>*/''' output_string = """/*<![CDATA[*/\\"Your <em>\\'Silver Shoes\\'</em> will carry you over the desert,\\"\\r replied Glinda./*]]]]><![CDATA[>*/""" self.assertEqual(escape_javascript_string(input_string, escape_for_html=False, escape_CDATA=True), output_string)
def format_element(bfo, only_public_records=1, sites="linkedin,twitter,facebook,google,delicious,sciencewise"): """ Return a snippet of JavaScript needed for displaying a bookmark toolbar @param only_public_records: if set to 1 (the default), prints the box only if the record is public (i.e. if it belongs to the root colletion and is accessible to the world). @param sites: which sites to enable (default is 'linkedin,twitter,facebook,google,delicious,sciencewise'). This should be a comma separated list of strings. Valid values are available on: <http://keith-wood.name/bookmark.html#sites> Note that 'sciencewise' is an ad-hoc service that will be displayed only in case the record has an arXiv reportnumber and will always be displayed last. """ if int(only_public_records) and not record_public_p(bfo.recID): return "" sitelist = sites.split(',') sitelist = [site.strip().lower() for site in sitelist] sciencewise = False if 'sciencewise' in sitelist: sciencewise = True sitelist.remove('sciencewise') sites_js = ", ".join("'%s'" % site for site in sitelist) title = bfo.field('245__a') description = bfo.field('520__a') sciencewise_script = "" if sciencewise: reportnumber = get_arxiv_reportnumber(bfo) sciencewise_url = "" if reportnumber: sciencewise_url = create_sciencewise_url(reportnumber) if not sciencewise_url and CFG_CERN_SITE: sciencewise_url = create_sciencewise_url(bfo.recID, cds=True) if sciencewise_url: sciencewise_script = """\ $.bookmark.addSite('sciencewise', 'ScienceWise.info', '%(siteurl)s/img/sciencewise.png', 'en', 'bookmark', '%(url)s'); $('#bookmark_sciencewise').bookmark({sites: ['sciencewise']}); """ % { 'siteurl': CFG_SITE_URL, 'url': sciencewise_url.replace("'", r"\'"), } url = '%(siteurl)s/%(record)s/%(recid)s' % \ {'recid': bfo.recID, 'record': CFG_SITE_RECORD, 'siteurl': CFG_SITE_URL} args = parse_url_string(bfo.user_info['uri']) journal_name = args["journal_name"] if journal_name and \ (journal_name in [info.get('journal_name', '') for info in get_journals_ids_and_names()]): # We are displaying a WebJournal article: URL is slightly different url = make_journal_url(bfo.user_info['uri']) return """\ <!-- JQuery Bookmark Button BEGIN --> <div id="bookmark"></div><div id="bookmark_sciencewise"></div> <style type="text/css"> #bookmark_sciencewise, #bookmark { float: left; } #bookmark_sciencewise li { padding: 2px; width: 25px} #bookmark_sciencewise ul, #bookmark ul { list-style-image: none; } </style> <script type="text/javascript" src="%(siteurl)s/js/jquery.bookmark.min.js"></script> <style type="text/css">@import "%(siteurl)s/css/jquery.bookmark.css";</style> <script type="text/javascript">// <![CDATA[ %(sciencewise)s $('#bookmark').bookmark({ sites: [%(sites_js)s], icons: '%(siteurl)s/img/bookmarks.png', url: '%(url)s', addEmail: true, title: "%(title)s", description: "%(description)s" }); // ]]> </script> <!-- JQuery Bookmark Button END --> """ % { 'siteurl': CFG_SITE_URL, 'sciencewise': sciencewise_script, 'title': escape_javascript_string(title, escape_for_html=False, escape_CDATA=True), 'description': escape_javascript_string(description, escape_for_html=False, escape_CDATA=True), 'sites_js': sites_js, 'url': url, }