[Sugar-devel] [PATCH] TurtleArt - escaping HTML entities while exporting to HTML #sl1854

[Tim McNamara]

This patch attempts to fix http://bugs.sugarlabs.org/ticket/1854. It assumes
that the only place where <, >, & could enter the file in a troublesome
manner is when the TurtleArt code is being imported into the content <div>.

Author: Tim McNamara <paperless at timmcnamara.co.nz>
Date:   Sat Jul 3 19:00:34 2010 +1200

    HTML chars escaped in TA code <, >, &

    This commit utilises cgi.escape to escape troublesome HTML
    entities. The only place where this function is called is
    when the Turtleart code is being extracted and presented
    in a <div>. The SVG input is assumed to be clean - escaping
    those chars would result in the XML text being rendered
    rather than the image.


diff --git a/taexporthtml.py b/taexporthtml.py
index 5a0d163..47577f0 100644
--- a/taexporthtml.py
+++ b/taexporthtml.py
@@ -24,6 +24,7 @@ import gtk
 import os.path
 from tautils import data_to_string, save_picture, image_to_base64
 from gettext import gettext as _
+from cgi import escape

 def save_html(self, tw, embed_flag=True):
     """ Either: Save canvas and code or pictures to HTML """
@@ -114,7 +115,7 @@ def save_html(self, tw, embed_flag=True):
         code += (self.html_glue['img'][0] + imgdata + \
                  self.html_glue['img'][1])
         code += self.html_glue['div'][0]
-        code += data_to_string(tw.assemble_data_to_save(False, True))
+        code += escape(data_to_string(tw.assemble_data_to_save(False,
True)))
         code += self.html_glue['div'][1]

     if tw.running_sugar:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.sugarlabs.org/archive/sugar-devel/attachments/20100703/1b814694/attachment.htm