X-Git-Url: https://git.mdrn.pl/redakcja.git/blobdiff_plain/064e541400f652aaa3ba6f954a97fafecb013648..6aee354fa005fec3fa02a7596e87fef27b78dac1:/apps/catalogue/views.py

diff --git a/apps/catalogue/views.py b/apps/catalogue/views.py
index 64e39f67..64967420 100644
--- a/apps/catalogue/views.py
+++ b/apps/catalogue/views.py
@@ -8,6 +8,7 @@ import os
 import shutil
 import subprocess
 from tempfile import NamedTemporaryFile
+from xml.sax.saxutils import escape as escape_xml
 
 from django.conf import settings
 from django.contrib import auth
@@ -115,17 +116,24 @@ def create_missing(request):
             else:
                 cover_url = ''
 
-            doc.commit(
-                text='''<section xmlns="http://nowoczesnapolska.org.pl/sst#" xmlns:dc="http://purl.org/dc/elements/1.1/">
+            text = '''<section xmlns="http://nowoczesnapolska.org.pl/sst#" xmlns:dc="http://purl.org/dc/elements/1.1/">
                 <metadata>
-                    <dc:publisher>''' + form.cleaned_data['publisher'] + '''</dc:publisher>
-                    <dc:description>''' + form.cleaned_data['description'] + '''</dc:description>
-                    ''' + '\n'.join(tag_form.metadata_rows() for tag_form in tag_forms) + '''
-                    <dc:relation.coverImage.url>''' + cover_url + '''</dc:relation.coverImage.url>
+                    <dc:publisher>%s</dc:publisher>
+                    <dc:description>%s</dc:description>
+                    %s
+                    <dc:relation.coverImage.url>%s</dc:relation.coverImage.url>
                 </metadata>
-                <header>''' + title + '''</header>
+                <header>%s</header>
                 <div class="p"> </div>
-                </section>''',
+                </section>''' % (
+                    escape_xml(form.cleaned_data['publisher']),
+                    escape_xml(form.cleaned_data['description']),
+                    '\n'.join(tag_form.metadata_rows() for tag_form in tag_forms),
+                    escape_xml(cover_url),
+                    escape_xml(title))
+
+            doc.commit(
+                text=text,
                 author=creator
             )
             doc.assigned_to = request.user
@@ -514,6 +522,7 @@ def upcoming(request):
     f = DocumentFilterSet(request.GET, queryset=Document.objects.filter(deleted=False).filter(publish_log=None))
     return render(request, "catalogue/upcoming.html", {
         'filter_set': f,
+        'link_url': 'catalogue_preview',
     })
 
 
@@ -521,4 +530,5 @@ def finished(request):
     f = DocumentFilterSet(request.GET, queryset=Document.objects.filter(deleted=False).exclude(publish_log=None))
     return render(request, "catalogue/finished.html", {
         'filter_set': f,
+        'link_url': 'catalogue_html',
     })