Escape HTML characters in metas headers
authorThierry Florac <tflorac@ulthar.net>
Wed, 23 Jan 2019 10:24:22 +0100
changeset 513 39d19a6997e5
parent 512 be497ced7ca2
child 514 824f546d4a67
Escape HTML characters in metas headers
src/pyams_skin/metas.py
--- a/src/pyams_skin/metas.py	Fri Jan 18 15:35:32 2019 +0100
+++ b/src/pyams_skin/metas.py	Wed Jan 23 10:24:22 2019 +0100
@@ -12,6 +12,8 @@
 
 __docformat__ = 'restructuredtext'
 
+from html import escape
+
 from pyramid.interfaces import IRequest
 from zope.interface import Interface, implementer
 
@@ -47,13 +49,17 @@
 # Custom metas headers
 #
 
+def escape_value(value):
+    return escape(value) if isinstance(value, str) else value
+
+
 @implementer(IMetaHeader)
 class HTMLTagMeta(object):
     """HTML tag meta header"""
 
     def __init__(self, tag, content, **attrs):
         self.tag = tag
-        self.content = content
+        self.content = escape_value(content)
         self.attrs = attrs
 
     def render(self):
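Review bot: `escape_value` is a new module-level helper with no docstring, and its contract (only `str` is escaped, everything else passes through untouched) is exactly what a caller needs to know; a docstring such as `"""Return *value* HTML-escaped (quotes included) if it is a str; any other type is returned unchanged."""` would cover it. It may also be worth a short comment that the default `quote=True` of `html.escape` is relied on, since every `render` on this page interpolates the value inside a double-quoted attribute. In `HTMLTagMeta.__init__` only `content` goes through `escape_value`; the `**attrs` values are stored raw, and because `render` starts at the last line of this hunk and continues outside it, I cannot tell from here whether they are interpolated into the tag — if they are, they want the same treatment. Escaping in the constructor also means `self.content` holds the escaped form, so any code that reads the attribute back and escapes again will double-escape; escaping at `render` time instead would keep the stored value raw.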
@@ -69,7 +75,7 @@
 
     def __init__(self, http_equiv, value):
         self.http_equiv = http_equiv
-        self.value = value
+        self.value = escape_value(value)
 
     def render(self):
         return '''<meta http-equiv="{http_equiv}" content="{value}" />'''.format(http_equiv=self.http_equiv,
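Review bot: `http_equiv` is interpolated into the double-quoted `http-equiv="..."` attribute on the last line of this hunk but is not passed through `escape_value`, while `value` is; the same asymmetry applies to `name` in the hunks ending at L56, L65 and L83, to `property` in the hunk ending at L74, and to `rel` and `type` in the hunk ending at L92. If these arguments only ever come from code constants the gap is harmless, but nothing in the constructors enforces that, and the one-line change `self.http_equiv = escape_value(http_equiv)` (and its counterparts in the other classes) would make each class safe regardless of caller. Each `render` body continues outside its hunk, so I can only see the first line of the format call.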
@@ -82,7 +88,7 @@
 
     def __init__(self, name, value):
         self.name = name
-        self.value = value
+        self.value = escape_value(value)
 
     def render(self):
         return '''<meta {name}="{value}" />'''.format(name=self.name,
@@ -95,7 +101,7 @@
 
     def __init__(self, name, value):
         self.name = name
-        self.value = value
+        self.value = escape_value(value)
 
     def render(self):
         return '''<meta name="{name}" content="{value}" />'''.format(name=self.name,
@@ -108,7 +114,7 @@
 
     def __init__(self, property, value):
         self.property = property
-        self.value = value
+        self.value = escape_value(value)
 
     def render(self):
         return '''<meta property="{property}" content="{value}" />'''.format(property=self.property,
@@ -121,7 +127,7 @@
 
     def __init__(self, name, value):
         self.name = name
-        self.value = value
+        self.value = escape_value(value)
 
     def render(self):
         return '''<meta itemprop="{name}" content="{value}" />'''.format(name=self.name,
@@ -135,7 +141,7 @@
     def __init__(self, rel, type, href):
         self.rel = rel
         self.type = type
-        self.href = href
+        self.href = escape_value(href)
 
     def render(self):
         return '''<link rel="{rel}" type="{type}" href="{href}" />'''.format(rel=self.rel,