Call cgi.escape only on python 2. Replace with html.escapeif it can be

found.

Author: rouilj

roundup/cgi/TAL/TALGenerator.py

@@ -25,6 +25,11 @@
 from .TALDefs import parseSubstitution
 from .TranslationContext import TranslationContext, DEFAULT_DOMAIN
 
+try:
+    from html import escape as html_escape  # python 3
+except ImportError:
+    from cgi import escape as html_escape   # python 2 fallback
+
 I18N_REPLACE = 1
 I18N_CONTENT = 2
 I18N_EXPRESSION = 3
@@ -261,7 +266,7 @@ def emitRawText(self, text):
         self.emit("rawtext", text)
 
     def emitText(self, text):
-        self.emitRawText(cgi.escape(text))
+        self.emitRawText(html_escape(text))
 
     def emitDefines(self, defines):
         for part in TALDefs.splitParts(defines):

roundup/cgi/actions.py

@@ -11,6 +11,11 @@
 from roundup.anypy.strings import StringIO
 import roundup.anypy.random_ as random_
 
+try:
+    from html import escape as html_escape  # python 3
+except ImportError:
+    from cgi import escape as html_escape   # python 2 fallback
+
 import time
 from datetime import timedelta
 
@@ -1351,7 +1356,7 @@ def handle(self):
                 self.client.response_code = 400
                 raise exceptions.NotFound(
                     self._('Column "%(column)s" not found in %(class)s')
-                    % {'column': cgi.escape(cname), 'class': request.classname})
+                    % {'column': html_escape(cname), 'class': request.classname})
 
         # full-text search
         if request.search_text:
@@ -1506,7 +1511,7 @@ def handle(self):
                 self.client.response_code = 400
                 raise exceptions.NotFound(
                     self._('Column "%(column)s" not found in %(class)s')
-                    % {'column': cgi.escape(cname), 'class': request.classname})
+                    % {'column': html_escape(cname), 'class': request.classname})
 
         # full-text search
         if request.search_text:

roundup/cgi/cgitb.py

@@ -10,6 +10,11 @@
 import sys, os, keyword, linecache, tokenize, inspect, cgi
 import pydoc, traceback
 
+try:
+    from html import escape as html_escape  # python 3
+except ImportError:
+    from cgi import escape as html_escape   # python 2 fallback
+
 from roundup.cgi import templating, TranslationService
 from roundup.anypy.strings import s2b
 
@@ -41,12 +46,12 @@ def niceDict(indent, dict):
     for k in sorted(dict):
         v = dict[k]
         l.append('<tr><td><strong>%s</strong></td><td>%s</td></tr>'%(k,
-            cgi.escape(repr(v))))
+            html_escape(repr(v))))
     return '\n'.join(l)
 
 def pt_html(context=5, i18n=None):
     _ = get_translator(i18n)
-    esc = cgi.escape
+    esc = html_escape
     exc_info = [esc(str(value)) for value in sys.exc_info()[:2]]
     l = [_('<h1>Templating Error</h1>\n'
             '<p><b>%(exc_type)s</b>: %(exc_value)s</p>\n'
@@ -102,7 +107,7 @@ def pt_html(context=5, i18n=None):
 <table style="font-size: 80%%; color: gray">
  <tr><th class="header" align="left">%s</th></tr>
  <tr><td><pre>%s</pre></td></tr>
-</table>''' % (_('Full traceback:'), cgi.escape(''.join(
+</table>''' % (_('Full traceback:'), html_escape(''.join(
         traceback.format_exception(*sys.exc_info())
     ))))
     l.append('<p>&nbsp;</p>')

roundup/cgi/exceptions.py

@@ -4,7 +4,11 @@
 __docformat__ = 'restructuredtext'
 
 from roundup.exceptions import LoginError, Unauthorised
-import cgi
+
+try:
+    from html import escape as html_escape  # python 3
+except ImportError:
+    from cgi import escape as html_escape   # python 2 fallback
 
 class HTTPException(BaseException):
     pass
@@ -62,6 +66,6 @@ def __str__(self):
 <body class="body" marginwidth="0" marginheight="0">
  <p class="error-message">%s</p>
 </body></html>
-"""%cgi.escape(self.args[0])
+"""%html_escape(self.args[0])
 
 # vim: set filetype=python sts=4 sw=4 et si :

roundup/cgi/templating.py

@@ -25,6 +25,11 @@
 import textwrap
 import time, hashlib
 
+try:
+    from html import escape as html_escape  # python 3
+except ImportError:
+    from cgi import escape as html_escape   # python 2 fallback
+
 from roundup.anypy import urllib_
 from roundup import hyperdb, date, support
 from roundup import i18n
@@ -430,7 +435,7 @@ def _set_input_default_args(dic):
             pass
 
 def cgi_escape_attrs(**attrs):
-    return ' '.join(['%s="%s"'%(k,cgi.escape(str(v), True))
+    return ' '.join(['%s="%s"'%(k,html_escape(str(v), True))
         for k,v in sorted(attrs.items())])
 
 def input_html4(**attrs):
@@ -1044,7 +1049,7 @@ def history(self, direction='descending', dre=re.compile('^\d+$'),
                                     if labelprop is not None and \
                                             labelprop != 'id':
                                         label = linkcl.get(linkid, labelprop)
-                                        label = cgi.escape(label)
+                                        label = html_escape(label)
                                 except IndexError:
                                     comments['no_link'] = self._(
                                         "<strike>The linked node"
@@ -1069,7 +1074,7 @@ def history(self, direction='descending', dre=re.compile('^\d+$'),
                         # there's no labelprop!
                         if labelprop is not None and labelprop != 'id':
                             try:
-                                label = cgi.escape(linkcl.get(args[k],
+                                label = html_escape(linkcl.get(args[k],
                                     labelprop))
                             except IndexError:
                                 comments['no_link'] = self._(
@@ -1109,7 +1114,7 @@ def history(self, direction='descending', dre=re.compile('^\d+$'),
                             current[k] = val
 
                     elif isinstance(prop, hyperdb.String) and args[k]:
-                        val = cgi.escape(args[k])
+                        val = html_escape(args[k])
                         cell.append('%s: %s'%(self._(k), val))
                         if k in current and current[k] is not None:
                             cell[-1] += ' -> %s'%current[k]
@@ -1155,7 +1160,7 @@ def history(self, direction='descending', dre=re.compile('^\d+$'),
             if dre.match(user):
                 user = self._db.user.get(user, 'username')
             l.append('<tr><td>%s</td><td>%s</td><td>%s</td><td>%s</td></tr>'%(
-                date_s, cgi.escape(user), self._(action), arg_s))
+                date_s, html_escape(user), self._(action), arg_s))
         if comments:
             l.append(self._(
                 '<tr><td colspan=4><strong>Note:</strong></td></tr>'))
@@ -1490,13 +1495,13 @@ def plain(self, escape=0, hyperlink=0):
         if self._value is None:
             return ''
         if escape:
-            s = cgi.escape(str(self._value))
+            s = html_escape(str(self._value))
         else:
             s = str(self._value)
         if hyperlink:
             # no, we *must* escape this text
             if not escape:
-                s = cgi.escape(s)
+                s = html_escape(s)
             s = self.hyper_re.sub(self._hyper_repl, s)
         return s
 
@@ -1520,11 +1525,11 @@ def wrapped(self, escape=1, hyperlink=1):
             return ''
         s = '\n'.join(textwrap.wrap(str(self._value), 80))
         if escape:
-            s = cgi.escape(s)
+            s = html_escape(s)
         if hyperlink:
             # no, we *must* escape this text
             if not escape:
-                s = cgi.escape(s)
+                s = html_escape(s)
             s = self.hyper_re.sub(self._hyper_repl, s)
         return s
 
@@ -1584,7 +1589,7 @@ def multiline(self, escape=0, rows=5, cols=40, **kwargs):
         if self._value is None:
             value = ''
         else:
-            value = cgi.escape(str(self._value))
+            value = html_escape(str(self._value))
 
             value = '&quot;'.join(value.split('"'))
         name = self._formname
@@ -1612,7 +1617,7 @@ def email(self, escape=1):
         else:
             value = value.replace('.', ' ')
         if escape:
-            value = cgi.escape(value)
+            value = html_escape(value)
         return value
 
 class PasswordHTMLProperty(HTMLProperty):
@@ -1629,7 +1634,7 @@ def plain(self, escape=0):
         except AttributeError:
             value = self._('[hidden]')
         if escape:
-            value = cgi.escape(value)
+            value = html_escape(value)
         return value
 
     def field(self, size=30, **kwargs):
@@ -2091,7 +2096,7 @@ def plain(self, escape=0):
         else :
             value = self._value
         if escape:
-            value = cgi.escape(value)
+            value = html_escape(value)
         return value
 
     def field(self, showid=0, size=None, **kwargs):
@@ -2243,7 +2248,7 @@ def menu(self, size=None, height=None, showid=0, additional=[], value=None,
             tr = str
             if translate:
                 tr = self._
-            lab = cgi.escape(tr(lab))
+            lab = html_escape(tr(lab))
             l.append('<option %svalue="%s">%s</option>'%(s, optionid, lab))
         l.append('</select>')
         return '\n'.join(l)
@@ -2342,7 +2347,7 @@ def plain(self, escape=0):
             labels.append(label)
         value = ', '.join(labels)
         if escape:
-            value = cgi.escape(value)
+            value = html_escape(value)
         return value
 
     def field(self, size=30, showid=0, **kwargs):
@@ -2479,7 +2484,7 @@ def menu(self, size=None, height=None, showid=0, additional=[],
             tr = str
             if translate:
                 tr = self._
-            lab = cgi.escape(tr(lab))
+            lab = html_escape(tr(lab))
             l.append('<option %svalue="%s">%s</option>'%(s, optionid,
                 lab))
         l.append('</select>')
@@ -3082,7 +3087,7 @@ def url_quote(self, url):
 
     def html_quote(self, html):
         """HTML-quote the supplied text."""
-        return cgi.escape(html)
+        return html_escape(html)
 
     def __getattr__(self, name):
         """Try the tracker's templating_utils."""

roundup/cgi/wsgi_handler.py

@@ -8,6 +8,11 @@
 import cgi
 import weakref
 
+try:
+    from html import escape as html_escape  # python 3
+except ImportError:
+    from cgi import escape as html_escape   # python 2 fallback
+
 import roundup.instance
 from roundup.cgi import TranslationService
 from roundup.anypy import http_
@@ -69,7 +74,7 @@ def __call__(self, environ, start_response):
             client.main()
         except roundup.cgi.client.NotFound:
             request.start_response([('Content-Type', 'text/html')], 404)
-            request.wfile.write(s2b('Not found: %s'%cgi.escape(client.path)))
+            request.wfile.write(s2b('Not found: %s'%html_escape(client.path)))
 
         # all body data has been written using wfile
         return []

roundup/scripts/roundup_server.py

@@ -36,7 +36,7 @@
 # --/
 
 
-import errno, cgi, getopt, io, os, socket, sys, traceback, time
+import errno, getopt, io, os, socket, sys, traceback, time
 
 try:
     # Python 3.
@@ -57,6 +57,11 @@
 except ImportError:
     SSL = None
 
+try:
+    from html import escape as html_escape  # python 3
+except ImportError:
+    from cgi import escape as html_escape   # python 2 fallback
+
 # python version check
 from roundup import configuration, version_check
 from roundup import __version__ as roundup_version
@@ -243,7 +248,7 @@ def run_cgi(self):
                         s = StringIO()
                         traceback.print_exc(None, s)
                         self.wfile.write(b"<pre>")
-                        self.wfile.write(s2b(cgi.escape(s.getvalue())))
+                        self.wfile.write(s2b(html_escape(s.getvalue())))
                         self.wfile.write(b"</pre>\n")
                 else:
                     # user feedback
@@ -289,7 +294,7 @@ def index(self):
             for tracker in keys:
                 w(s2b('<li><a href="%(tracker_url)s/index">%(tracker_name)s</a>\n'%{
                     'tracker_url': urllib_.quote(tracker),
-                    'tracker_name': cgi.escape(tracker)}))
+                    'tracker_name': html_escape(tracker)}))
             w(b'</ol></body></html>')
 
     def inner_run_cgi(self):