Fix #51: escape config variables in HTML templates.

2025-02-25 18:55:22 -06:00 · 2008-11-23 12:39:21 +01:00 · 2008-11-23 12:39:21 +01:00 · 43cc7122c2
commit 43cc7122c2
parent 50d15d947d
6 changed files with 19 additions and 19 deletions
--- a/sphinx/templates/changes/frameset.html
+++ b/sphinx/templates/changes/frameset.html
@ -2,7 +2,7 @@
  "http://www.w3.org/TR/html4/frameset.dtd">
 <html>
  <head>
-    <title>{% trans version=version, docstitle=docstitle %}Changes in Version {{ version }} &mdash; {{ docstitle }}{% endtrans %}</title>
+    <title>{% trans version=version|e, docstitle=docstitle|e %}Changes in Version {{ version }} &mdash; {{ docstitle }}{% endtrans %}</title>
  </head>
  <frameset cols="45%,*">
    <frame name="main" src="changes.html">
--- a/sphinx/templates/changes/rstsource.html
+++ b/sphinx/templates/changes/rstsource.html
@ -2,7 +2,7 @@
  "http://www.w3.org/TR/html4/loose.dtd">
 <html>
  <head>
-    <title>{% trans filename=filename, docstitle=docstitle %}{{ filename }} &mdash; {{ docstitle }}{% endtrans %}</title>
+    <title>{% trans filename=filename, docstitle=docstitle|e %}{{ filename }} &mdash; {{ docstitle }}{% endtrans %}</title>
    <style type="text/css">
      .hl { background-color: yellow }
    </style>
--- a/sphinx/templates/changes/versionchanges.html
+++ b/sphinx/templates/changes/versionchanges.html
@ -9,12 +9,12 @@
  <head>
    <link rel="stylesheet" href="default.css">
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
-    <title>{% trans version=version, docstitle=docstitle %}Changes in Version {{ version }} &mdash; {{ docstitle }}{% endtrans %}</title>
+    <title>{% trans version=version|e, docstitle=docstitle|e %}Changes in Version {{ version }} &mdash; {{ docstitle }}{% endtrans %}</title>
  </head>
  <body>
    <div class="document">
      <div class="body">
-    <h1>{% trans version=version %}Automatically generated list of changes in version {{ version }}{% endtrans %}</h1>
+    <h1>{% trans version=version|e %}Automatically generated list of changes in version {{ version }}{% endtrans %}</h1>
    <h2>{{ _('Library changes') }}</h2>
    {% for modname, changes in libchanges %}
    <h4>{{ modname }}</h4>
--- a/sphinx/templates/defindex.html
+++ b/sphinx/templates/defindex.html
@ -1,11 +1,11 @@
 {% extends "layout.html" %}
 {% set title = _('Overview') %}
 {% block body %}
-  <h1>{{ docstitle }}</h1>
+  <h1>{{ docstitle|e }}</h1>
  <p>
    Welcome! This is
-    {% block description %}the documentation for {{ project }}
-    {{ release }}{% if last_updated %}, last updated {{ last_updated }}{% endif %}{% endblock %}.
+    {% block description %}the documentation for {{ project|e }}
+    {{ release|e }}{% if last_updated %}, last updated {{ last_updated|e }}{% endif %}{% endblock %}.
  </p>
  {% block tables %}
  <p><strong>{{ _('Indices and tables:') }}</strong></p>
--- a/sphinx/templates/layout.html
+++ b/sphinx/templates/layout.html
@ -15,7 +15,7 @@
          {%- if not loop.first %}{{ reldelim2 }}{% endif %}</li>
        {%- endfor %}
        {%- block rootrellink %}
-        <li><a href="{{ pathto(master_doc) }}">{{ shorttitle }}</a>{{ reldelim1 }}</li>
+        <li><a href="{{ pathto(master_doc) }}">{{ shorttitle|e }}</a>{{ reldelim1 }}</li>
        {%- endblock %}
        {%- for parent in parents %}
          <li><a href="{{ parent.link|e }}" accesskey="U">{{ parent.title }}</a>{{ reldelim1 }}</li>
@ -89,7 +89,7 @@
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    {{ metatags }}
    {%- if builder != 'htmlhelp' %}
-      {%- set titlesuffix = " &mdash; " + docstitle %}
+      {%- set titlesuffix = " &mdash; " + docstitle|e %}
    {%- endif %}
    <title>{{ title|striptags }}{{ titlesuffix }}</title>
    {%- if builder == 'web' %}
@ -106,7 +106,7 @@
    <script type="text/javascript">
      var DOCUMENTATION_OPTIONS = {
          URL_ROOT:    '{{ pathto("", 1) }}',
-          VERSION:     '{{ release }}',
+          VERSION:     '{{ release|e }}',
          COLLAPSE_MODINDEX: false,
          FILE_SUFFIX: '{{ file_suffix }}'
      };
@ -116,7 +116,7 @@
    {%- endfor %}
    {%- if use_opensearch %}
    <link rel="search" type="application/opensearchdescription+xml"
-          title="{% trans docstitle=docstitle%}Search within {{ docstitle }}{% endtrans %}"
+          title="{% trans docstitle=docstitle|e %}Search within {{ docstitle }}{% endtrans %}"
          href="{{ pathto('_static/opensearch.xml', 1) }}"/>
    {%- endif %}
    {%- if favicon %}
@ -132,7 +132,7 @@
    {%- if hasdoc('copyright') %}
    <link rel="copyright" title="{{ _('Copyright') }}" href="{{ pathto('copyright') }}" />
    {%- endif %}
-    <link rel="top" title="{{ docstitle }}" href="{{ pathto('index') }}" />
+    <link rel="top" title="{{ docstitle|e }}" href="{{ pathto('index') }}" />
    {%- if parents %}
    <link rel="up" title="{{ parents[-1].title|striptags }}" href="{{ parents[-1].link|e }}" />
    {%- endif %}
@ -175,15 +175,15 @@
 {%- block footer %}
    <div class="footer">
    {%- if hasdoc('copyright') %}
-      {% trans path=pathto('copyright'), copyright=copyright %}&copy; <a href="{{ path }}">Copyright</a> {{ copyright }}.{% endtrans %}
+      {% trans path=pathto('copyright'), copyright=copyright|e %}&copy; <a href="{{ path }}">Copyright</a> {{ copyright }}.{% endtrans %}
    {%- else %}
-      {% trans copyright=copyright %}&copy; Copyright {{ copyright }}.{% endtrans %}
+      {% trans copyright=copyright|e %}&copy; Copyright {{ copyright }}.{% endtrans %}
    {%- endif %}
    {%- if last_updated %}
-      {% trans last_updated %}Last updated on {{ last_updated }}.{% endtrans %}
+      {% trans last_updated=last_updated|e %}Last updated on {{ last_updated }}.{% endtrans %}
    {%- endif %}
    {%- if show_sphinx %}
-      {% trans sphinx_version=sphinx_version %}Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> {{ sphinx_version }}.{% endtrans %}
+      {% trans sphinx_version=sphinx_version|e %}Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> {{ sphinx_version }}.{% endtrans %}
    {%- endif %}
    </div>
 {%- endblock %}
--- a/sphinx/templates/opensearch.xml
+++ b/sphinx/templates/opensearch.xml
@ -1,10 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
-  <ShortName>{{ project }}</ShortName>
-  <Description>{% trans docstitle=docstitle %}Search {{ docstitle }}{% endtrans %}</Description>
+  <ShortName>{{ project|e }}</ShortName>
+  <Description>{% trans docstitle=docstitle|e %}Search {{ docstitle }}{% endtrans %}</Description>
  <InputEncoding>utf-8</InputEncoding>
  <Url type="text/html" method="get"
       template="{{ use_opensearch }}/{{ pathto('search') }}?q={searchTerms}&amp;check_keywords=yes&amp;area=default"/>
-  <LongName>{{ docstitle }}</LongName>
+  <LongName>{{ docstitle|e }}</LongName>
 {% block extra %} {# Put e.g. an <Image> element here. #} {% endblock %}
 </OpenSearchDescription>