fnp / redakcja.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (from parent 1: 58a9ee3)
escape document parameters in xml
authorJan Szejko <janek37@gmail.com>
Wed, 5 Jul 2017 14:24:58 +0000 (16:24 +0200)
committerJan Szejko <janek37@gmail.com>
Wed, 5 Jul 2017 14:24:58 +0000 (16:24 +0200)
apps/catalogue/views.py patch | blob | history

diff --git a/apps/catalogue/views.py b/apps/catalogue/views.py
index 1f3130a..6496742 100644 (file)
--- a/apps/catalogue/views.py
+++ b/apps/catalogue/views.py
@@ -8,6 +8,7 @@ import os
 import shutil
 import subprocess
 from tempfile import NamedTemporaryFile
 import shutil
 import subprocess
 from tempfile import NamedTemporaryFile
+from xml.sax.saxutils import escape as escape_xml
 
 from django.conf import settings
 from django.contrib import auth
 
 from django.conf import settings
 from django.contrib import auth
@@ -115,17 +116,24 @@ def create_missing(request):
             else:
                 cover_url = ''
 
             else:
                 cover_url = ''
 
-            doc.commit(
-                text='''<section xmlns="http://nowoczesnapolska.org.pl/sst#" xmlns:dc="http://purl.org/dc/elements/1.1/">
+            text = '''<section xmlns="http://nowoczesnapolska.org.pl/sst#" xmlns:dc="http://purl.org/dc/elements/1.1/">
                 <metadata>
                 <metadata>
-                    <dc:publisher>''' + form.cleaned_data['publisher'] + '''</dc:publisher>
-                    <dc:description>''' + form.cleaned_data['description'] + '''</dc:description>
-                    ''' + '\n'.join(tag_form.metadata_rows() for tag_form in tag_forms) + '''
-                    <dc:relation.coverImage.url>''' + cover_url + '''</dc:relation.coverImage.url>
+                    <dc:publisher>%s</dc:publisher>
+                    <dc:description>%s</dc:description>
+                    %s
+                    <dc:relation.coverImage.url>%s</dc:relation.coverImage.url>
                 </metadata>
                 </metadata>
-                <header>''' + title + '''</header>
+                <header>%s</header>
                 <div class="p"> </div>
                 <div class="p"> </div>
-                </section>''',
+                </section>''' % (
+                    escape_xml(form.cleaned_data['publisher']),
+                    escape_xml(form.cleaned_data['description']),
+                    '\n'.join(tag_form.metadata_rows() for tag_form in tag_forms),
+                    escape_xml(cover_url),
+                    escape_xml(title))
+
+            doc.commit(
+                text=text,
                 author=creator
             )
             doc.assigned_to = request.user
                 author=creator
             )
             doc.assigned_to = request.user