Merge pull request #324 from migeruhito/autoescape

Improved solution to #318
sagemath · Dec 2, 2015 · 73ab85c · 73ab85c
2 parents dbf6247 + c3d3c44
commit 73ab85c
Show file tree

Hide file tree

Showing 24 changed files with 78 additions and 59 deletions.
diff --git a/sagenb/data/sage/html/docs.html b/sagenb/data/sage/html/docs.html
@@ -35,9 +35,9 @@ <h2>{{ gettext('How to use the Sage Notebook') }}</h2>
     <table class="help_window">
 
         {% for x, y in notebook_help %}
-        <tr><td class="help_window_sub", colspan="2">{{ x }}</td></tr>
+        <tr><td class="help_window_sub", colspan="2">{{ x | safe }}</td></tr>
         {% for z, w in y %}
-        <tr><td class="help_window_cmd">{{ z }}</td><td class="help_window_how">{{ w }}</td></tr>
+        <tr><td class="help_window_cmd">{{ z | safe }}</td><td class="help_window_how">{{ w | safe }}</td></tr>
         {% endfor %}
         {% endfor %}
     </table>

diff --git a/sagenb/data/sage/html/error_message.html b/sagenb/data/sage/html/error_message.html
@@ -12,7 +12,7 @@
 
 {% block main %}
 <div>
-    {{ msg }}
+    {{ msg | safe }}
 </div>
 {% if cont %}
 <div style="padding: 1.0em; text-align: center;">

diff --git a/sagenb/data/sage/html/history.html b/sagenb/data/sage/html/history.html
@@ -9,7 +9,7 @@
 {% block page_id %}history-page{% endblock %}
 
 {% block body %}
-    <pre>{{ text | escape }}</pre>
+    <pre>{{ text }}</pre>
     <a title="{{ gettext('Click here to turn the above into a Sage worksheet') }}" href="/live_history">{{ gettext('Create a new Sage worksheet version of the last 100 commands in the above log.') }}</a>
     <a name="bottom"></a>
     <script type="text/javascript">

diff --git a/sagenb/data/sage/html/notebook/afterpublish_window.html b/sagenb/data/sage/html/notebook/afterpublish_window.html
@@ -5,7 +5,7 @@
 {% set checked = 'checked="true"' if worksheet.is_auto_publish() else '' %}
 
 {% block sharebar_title %}
-<p>{{ gettext('Worksheet is publicly viewable at <a href="%(u)s" style="color:#FFF" target="_blank">%(u)s', u=url) }}</a></p>
+<p>{{ gettext('Worksheet is publicly viewable at <a href="%(u)s" style="color:#FFF" target="_blank">%(u)s', u=url) | safe }}</a></p>
 <p>{{ gettext('Published on %(t)s', t=time) }}</p>
 <div>
     <a href="publish?re"><button>{{ gettext('Re-publish worksheet') }}</button></a>

diff --git a/sagenb/data/sage/html/notebook/base.html b/sagenb/data/sage/html/notebook/base.html
@@ -61,7 +61,7 @@
 {% if worksheet.filename() %}
 <script  type="text/javascript">
     worksheet_filename = "{{ worksheet.filename() }}";
-    worksheet_name = {{ worksheet.name()|repr_str }};
+    worksheet_name = {{ worksheet.name() | repr_str | safe }};
     {% if not worksheet.is_published() or worksheet.notebook().conf()['pub_interact'] %}
         server_ping_while_alive();
     {% endif %}
@@ -82,7 +82,7 @@ <h1>{{ gettext('Account is read only.  You may download or delete worksheets or
            title="{{ gettext('Click to rename this worksheet') }}">
             {{ worksheet.name() }}
         </a>
-        <div><span class="lastedit">{{ gettext('last edited') }} {{ worksheet.html_time_last_edited(username) }}</span></div>
+        <div><span class="lastedit">{{ gettext('last edited') }} {{ worksheet.html_time_last_edited(username) | safe }}</span></div>
         {% if worksheet.warn_about_other_person_editing(username) and username != 'guest' and not worksheet.docbrowser() and not worksheet.is_published() %}
         <span class="pingdown">({{ gettext('Someone else is viewing this worksheet') }})</span>
         {% endif %}

diff --git a/sagenb/data/sage/html/notebook/cell.html b/sagenb/data/sage/html/notebook/cell.html
@@ -79,7 +79,7 @@
                     </a>
                 {% endif %}
             {% elif do_print or publish %}
-                <div class="cell_input_print">{{ cell.input_text().rstrip()|escape }}&nbsp;</div>
+                <div class="cell_input_print">{{ cell.input_text().rstrip() }}&nbsp;</div>
             {% else %}
                 <textarea class="{{ input_cls }}" rows="{{ (1, cell.input_text().strip()|number_of_rows(80))|max }}"
                           cols="80" spellcheck="false"
@@ -104,28 +104,28 @@
             <table class="cell_output_box">
                 <tr>
                     <td class="cell_number" id="cell_number_{{ cell.id() }}"
-                        {{ '' if do_print else 'onClick="cycle_cell_output_type(%r);"'|format(cell.id()) }} >
+                        {{ '' if do_print else 'onClick=cycle_cell_output_type(%r);'|format(cell.id()) }} >
                         {% for i in range(7) %}&nbsp;{% endfor %}
                     </td>
                     <td class="output_cell">
                         <div class="{{ output_cls }}" id="cell_div_output_{{ cell.id() }}">
                             <div class="cell_output_{{ "print_" if do_print else '' }}{{ cell.cell_output_type() }}"
                                 id="cell_output_{{ cell.id() }}">
                                 {% if cell.introspect() %}
-                                    {{ cell.output_text(0, html=true) }}
+                                    {{ cell.output_text(0, html=true) | safe }}
                                 {% else %}
-                                    {{ cell.output_text(wrap_, html=true) }}
+                                    {{ cell.output_text(wrap_, html=true) | safe }}
                                 {% endif %}
                             </div>
                             {% if not do_print %}
                                 <div class="cell_output_{{ 'print_' if do_print else '' }}nowrap_{{ cell.cell_output_type() }}"
                                      id="cell_output_nowrap_{{ cell.id() }}">
-                                    {{ cell.output_text(0, html=true) }}
+                                    {{ cell.output_text(0, html=true) | safe }}
                                 </div>
                             {% endif %}
                                 <div class="cell_output_html_{{ cell.cell_output_type() }}"
                                      id="cell_output_html_{{ cell.id() }}">
-                                    {{ cell.output_html() }}
+                                    {{ cell.output_html() | safe }}
                                 </div>
                         </div>
                     </td>

diff --git a/sagenb/data/sage/html/notebook/download_or_delete_datafile.html b/sagenb/data/sage/html/notebook/download_or_delete_datafile.html
@@ -53,7 +53,7 @@
 <form method="post" action="savedatafile" enctype="multipart/form-data">
     <input type="submit" value="{{ gettext('Save Changes') }}" name="button_save" /> <input type="submit" value="{{ gettext('Cancel') }}" name="button_cancel" style="display:block" />
     <div style="border: 1px solid black; padding: 0px;">
-        <textarea class="edit" name="textfield" rows=20 cols=100 id="textfield" style="overflow: auto;">{{ text_file_content | escape }}</textarea>
+        <textarea class="edit" name="textfield" rows=20 cols=100 id="textfield" style="overflow: auto;">{{ text_file_content }}</textarea>
     </div>
     <script type="text/javascript">
     $(document).ready(function () {

diff --git a/sagenb/data/sage/html/notebook/edit_window.html b/sagenb/data/sage/html/notebook/edit_window.html
@@ -20,6 +20,6 @@
     function save_worksheet_and_close() {
     }
 </script>
-    <textarea class="plaintextedit" id="cell_intext" name="textfield" rows="{{ worksheet.edit_text().count("\n")+1 }}">{{ worksheet.edit_text()|escape }}</textarea>
+    <textarea class="plaintextedit" id="cell_intext" name="textfield" rows="{{ worksheet.edit_text().count("\n")+1 }}">{{ worksheet.edit_text() }}</textarea>
 </form>
 {% endblock %}
diff --git a/sagenb/data/sage/html/notebook/guest_worksheet_page.html b/sagenb/data/sage/html/notebook/guest_worksheet_page.html
@@ -60,8 +60,8 @@
 </ul>
 <hr class="usercontrol" />
 <h1 class="title">{{ worksheet.name() }}</h1>
-<h2 class="lastedit">{{ worksheet.html_time_since_last_edited() }}</h2>
-{{ worksheet.html(do_print=false, publish=true, username=username) }}
+<h2 class="lastedit">{{ worksheet.html_time_since_last_edited() | safe }}</h2>
+{{ worksheet.html(do_print=false, publish=true, username=username) | safe }}
 <script>
 {%- if conf['pub_interact'] %}
     cell_id_list = {{ worksheet.cell_id_list() }};

diff --git a/sagenb/data/sage/html/notebook/plain_text_window.html b/sagenb/data/sage/html/notebook/plain_text_window.html
@@ -7,5 +7,5 @@
 {% set select = "text" %}
 
 {% block after_sharebar %}
-<pre class="plaintext" id="cell_intext" name="textfield">{{ worksheet.plain_text(prompts=true, banner=false)|escape|trim }}</pre>
+<pre class="plaintext" id="cell_intext" name="textfield">{{ worksheet.plain_text(prompts=true, banner=false)|trim }}</pre>
 {% endblock %}
diff --git a/sagenb/data/sage/html/notebook/print_worksheet.html b/sagenb/data/sage/html/notebook/print_worksheet.html
@@ -4,7 +4,7 @@
 
 {% block body %}
 <h1>{{ worksheet.name() }}</h1>
-{{ worksheet.html(do_print=true) }}
+{{ worksheet.html(do_print=true) | safe }}
 <!--    <script>
         MathJax.Hub.Queue(["Typeset",MathJax.Hub]);
     </script>-->

diff --git a/sagenb/data/sage/html/notebook/specific_revision.html b/sagenb/data/sage/html/notebook/specific_revision.html
@@ -27,7 +27,7 @@
 {% block after_sharebar %}
 {{ actions() }}
 <div id="revision-data">
-    {{ worksheet.html(do_print=true, publish=true, username=username) }}
+    {{ worksheet.html(do_print=true, publish=true, username=username) | safe }}
 </div>
 {{ actions() }}
 <!--<script type="text/javascript">

diff --git a/sagenb/data/sage/html/notebook/text_cell.html b/sagenb/data/sage/html/notebook/text_cell.html
@@ -39,7 +39,7 @@
             </script>
     {% endif %}
     <div class="text_cell" id="cell_text_{{ cell.id() }}">
-      {{ cell.plain_text() }}
+      {{ cell.plain_text() | safe }}
     </div>
 {% if JEDITABLE_TINYMCE and not cell.worksheet().is_published() and not cell.worksheet().docbrowser() and not do_print and not publish %}
     <script type="text/javascript">
@@ -57,7 +57,7 @@
             cancel : "{{ gettext('Cancel changes') }}",
             event  : "dblclick",
             style  : "inherit",
-	    data   : {{ cell.plain_text()|repr_str }}
+	    data   : {{ cell.plain_text()|repr_str| safe }}
         });
     </script>
 {% endif %}

diff --git a/sagenb/data/sage/html/notebook/worksheet.html b/sagenb/data/sage/html/notebook/worksheet.html
@@ -13,6 +13,6 @@
 <div class="cell_input_active" id="cell_resizer"></div>
 <div class="worksheet_cell_list" id="worksheet_cell_list">
   {% for cell in worksheet.cell_list() %}
-    {{ cell.html(wrap = wrap, div_wrap = true, do_print = do_print, publish = publish) }}
+    {{ cell.html(wrap = wrap, div_wrap = true, do_print = do_print, publish = publish) | safe }}
   {% endfor %}
 </div>
diff --git a/sagenb/data/sage/html/notebook/worksheet_page.html b/sagenb/data/sage/html/notebook/worksheet_page.html
@@ -14,7 +14,7 @@
 {% block worksheet_main %}
 {% set toggle=true %}
 <div class="worksheet" id="worksheet">
-    {{ worksheet.html(username=username) }}
+    {{ worksheet.html(username=username) | safe }}
     <div class="insert_new_cell" id="insert_last_cell">
         <div class="ui-icon ui-icon-circle-plus wksht-icon_button" 
             id="insert_new_last_compute_cell" 

diff --git a/sagenb/data/sage/html/settings/notebook_settings.html b/sagenb/data/sage/html/settings/notebook_settings.html
@@ -20,7 +20,7 @@
       <a href="/"><button>{{ gettext('Cancel') }}</button></a>
   </div>
   {%- if auto_table %}
-  {{ auto_table }}
+  {{ auto_table | safe }}
   {%- endif %}
   <div class="buttons">
       <button type="submit">{{ gettext('Save') }}</button>

diff --git a/sagenb/data/sage/html/worksheet_listing.html b/sagenb/data/sage/html/worksheet_listing.html
@@ -30,7 +30,7 @@
 <script type="text/javascript" src="/javascript/jquery/plugins/form/jquery.form.min.js"></script>
 <script type="text/javascript" src="/javascript/jquery/plugins/jquery.bgiframe.min.js"></script>
 <script type="text/javascript">
-    var worksheet_filenames = {{ worksheet_filenames|tojson|safe }}; 
+    var worksheet_filenames = {{ worksheet_filenames|tojson| safe }}; 
 </script>
 <script type="text/javascript" src="/javascript/sage/js/notebook_lib.js"></script>
 <script type="text/javascript" src="/javascript/dynamic/notebook_dynamic.js"></script>
@@ -174,9 +174,9 @@ <h1>{{ gettext('Account is read only.  You may download or delete worksheets or
             </td>
 
             <td class="worksheet_link">
-                <a title="{{ worksheet.name() | escape }}" id="name-{{ name|css_escape }}" class="worksheetname" href="/home/{{ name }}/">
+                <a title="{{ worksheet.name() }}" id="name-{{ name|css_escape }}" class="worksheetname" href="/home/{{ name }}/">
                     {% if worksheet.compute_process_has_been_started() %}({{ gettext('running') }}){% endif %}
-                    {{ worksheet.truncated_name(50) | escape}}
+                    {{ worksheet.truncated_name(50) }}
                 </a>
 
                 {% if not pub and worksheet.is_published() %}(Published){% endif %}
@@ -222,7 +222,7 @@ <h1>{{ gettext('Account is read only.  You may download or delete worksheets or
                 {% endif %}
             </td>
             <td>
-                {{ worksheet.html_time_nice_edited(username) }}
+                {{ worksheet.html_time_nice_edited(username) | safe }}
             </td>
         </tr>
         {% endfor %}

diff --git a/sagenb/flask_version/base.py b/sagenb/flask_version/base.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 import os, time, re
 from functools import partial
-from flask import Flask, Module, url_for, render_template, request, session, redirect, g, make_response, current_app
+from flask import Flask, Module, url_for, request, session, redirect, g, make_response, current_app, render_template
 from decorators import login_required, guest_or_login_required, with_lock
 from decorators import global_lock
 # Make flask use the old session foo from <=flask-0.9
@@ -15,8 +15,11 @@
 SRC = os.path.join(SAGE_SRC, 'sage')
 from flask.ext.openid import OpenID
 from flask.ext.babel import Babel, gettext, ngettext, lazy_gettext, get_locale
-from sagenb.misc.misc import SAGENB_ROOT, DATA, SAGE_DOC, translations_path, N_, nN_
-
+from sagenb.misc.misc import SAGENB_ROOT, DATA, SAGE_DOC, translations_path, N_, nN_, unicode_str
+from json import dumps
+from sagenb.notebook.cell import number_of_rows
+from sagenb.notebook.template import (css_escape, clean_name,
+                                      prettify_time_ago, TEMPLATE_PATH)
 oid = OpenID()
 
 class SageNBFlask(Flask):
@@ -55,10 +58,17 @@ def __init__(self, *args, **kwds):
         self.add_static_path('/doc/static', DOC)
         #self.add_static_path('/doc/static/reference', os.path.join(SAGE_DOC, 'reference'))
 
-    def create_jinja_environment(self):
-        from sagenb.notebook.template import env
-        env.globals.update(url_for=url_for)
-        return env
+        # Template globals
+        self.add_template_global(url_for)
+        # Template filters
+        self.add_template_filter(css_escape)
+        self.add_template_filter(number_of_rows)
+        self.add_template_filter(clean_name)
+        self.add_template_filter(prettify_time_ago)
+        self.add_template_filter(max)
+        self.add_template_filter(lambda x: repr(unicode_str(x))[1:],
+                                 name='repr_str')
+        self.add_template_filter(dumps, 'tojson')
 
     def static_view_func(self, root_path, filename):
         from flask.helpers import send_from_directory
@@ -335,7 +345,6 @@ def set_profiles():
             return render_template('html/accounts/openid_profile.html', **parse_dict)
         return redirect(url_for('base.index'))
 
-
 #############
 # OLD STUFF #
 #############
@@ -411,7 +420,8 @@ def create_app(path_to_notebook, *args, **kwds):
     ##############
     # Create app #
     ##############
-    app = SageNBFlask('flask_version', startup_token=startup_token)
+    app = SageNBFlask('flask_version', startup_token=startup_token,
+                      template_folder=TEMPLATE_PATH)
     app.secret_key = os.urandom(24)
     oid.init_app(app)
     app.debug = True

diff --git a/sagenb/flask_version/worksheet.py b/sagenb/flask_version/worksheet.py
@@ -1,7 +1,7 @@
 import re
 import os, threading, collections
 from functools import wraps
-from flask import Module, make_response, url_for, render_template, request, session, redirect, g, current_app, escape
+from flask import Module, make_response, url_for, render_template, request, session, redirect, g, current_app
 from decorators import login_required, with_lock
 from collections import defaultdict
 from werkzeug.utils import secure_filename
@@ -920,7 +920,7 @@ def worksheet_rate(worksheet):
         return current_app.message(_("Gees -- You can't fool the rating system that easily!"),
                           url_for_worksheet(worksheet), username=g.username)
 
-    comment = str(escape(request.values['comment']))
+    comment = request.values['comment']
     worksheet.rate(rating, comment, g.username)
     s = _("""
     Thank you for rating the worksheet <b><i>%(worksheet_name)s</i></b>!

diff --git a/sagenb/notebook/cell.py b/sagenb/notebook/cell.py
@@ -551,7 +551,11 @@ def html(self, wrap=None, div_wrap=True, do_print=False,
 
         EXAMPLES::
 
-            sage: nb = sagenb.notebook.notebook.Notebook(tmp_dir(ext='.sagenb'))
+            sage: from sagenb.flask_version import base # random output -- depends on warnings issued by other sage packages
+            sage: app = base.create_app(tmp_dir(ext='.sagenb'))
+            sage: ctx = app.app_context()
+            sage: ctx.push()
+            sage: nb = base.notebook
             sage: nb.user_manager().add_user('sage','sage','sage@sagemath.org',force=True)
             sage: W = nb.create_new_worksheet('Test', 'sage')
             sage: C = sagenb.notebook.cell.TextCell(0, '2+3', W)

diff --git a/sagenb/notebook/challenge.py b/sagenb/notebook/challenge.py
@@ -448,10 +448,12 @@ def html(self, error_code = None, **kwargs):
 
         TESTS::
 
+            sage: from sagenb.flask_version import base # random output -- depends on warnings issued by other sage packages
+            sage: app = base.create_app(tmp_dir(ext='.sagenb'))
+            sage: ctx = app.app_context()
+            sage: ctx.push()
+            sage: nb = base.notebook
             sage: from sagenb.notebook.challenge import reCAPTCHAChallenge
-            sage: tmp = tmp_dir(ext='.sagenb')
-            sage: import sagenb.notebook.notebook as n
-            sage: nb = n.Notebook(tmp)
             sage: chal = reCAPTCHAChallenge(nb.conf(), remote_ip = 'localhost')
             sage: chal.html()
             u'...recaptcha...'

diff --git a/sagenb/notebook/notebook.py b/sagenb/notebook/notebook.py
@@ -1323,7 +1323,11 @@ def html_worksheet_revision_list(self, username, worksheet):
 
         EXAMPLES::
 
-            sage: nb = sagenb.notebook.notebook.Notebook(tmp_dir(ext='.sagenb'))
+            sage: from sagenb.flask_version import base # random output -- depends on warnings issued by other sage packages
+            sage: app = base.create_app(tmp_dir(ext='.sagenb'))
+            sage: ctx = app.app_context()
+            sage: ctx.push()
+            sage: nb = base.notebook
             sage: nb.create_default_users('password')
             sage: W = nb.create_new_worksheet('Test', 'admin')
             sage: W.body()