From: martin@piware.de <> Date: Thu, 26 Nov 2009 07:31:57 +0000 (+0100) Subject: workitems: HTML-escape text fields X-Git-Url: https://piware.de/gitweb/?a=commitdiff_plain;h=b6192f3ac3d2c7bae6f3a7571399567bbd18f3ff;p=bin.git workitems: HTML-escape text fields --- diff --git a/workitems.py b/workitems.py index aa21e65..6e5777d 100755 --- a/workitems.py +++ b/workitems.py @@ -2,6 +2,7 @@ import urllib, re, sys, optparse, os.path, datetime import sqlite3 as dbapi2 +from xml.sax.saxutils import escape blueprints_base_url = 'https://blueprints.launchpad.net' @@ -439,11 +440,11 @@ def html(db): if bp.startswith('http:'): url = bp else: - url = '%s/ubuntu/+spec/%s' % (blueprints_base_url, bp) + url = '%s/ubuntu/+spec/%s' % (blueprints_base_url, escape(bp)) print ' %s %i/%i/%i %i%% %s' % ( - url, bp, data[bp][0], data[bp][2], + url, escape(bp), data[bp][0], data[bp][2], data[bp][1], percent, - data[bp][-1]) + escape(data[bp][-1])) print '' @@ -464,7 +465,7 @@ def html(db): for (a, percent) in completion: url = '%s/~%s/+specs?role=assignee' % (blueprints_base_url, a) print ' %s %i/%i/%i %i%%' % ( - url, a, data[a][0], data[a][2], + url, escape(a), data[a][0], data[a][2], data[a][1], percent) print ''
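Review bot: In the blueprint hunk of html(), `url` is still emitted unescaped when `bp.startswith('http:')` takes the `url = bp` branch, and the assignee hunk builds `url` from a raw `a` while escaping only the displayed name. `xml.sax.saxutils.escape` also leaves `"` and `'` untouched by default, so if `url` is placed inside a quoted attribute (the markup in the format strings is not visible here), a quote in the value could still close it. I would escape the finished URL once in both places rather than its parts, e.g. `url = escape(url, {'"': '&quot;', "'": '&#39;'})` after the if/else and after the assignee `url = ...` line, and percent-encode the path piece first with `urllib.quote(bp)` / `urllib.quote(a)`. html() starts and ends outside these hunks.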