X-Git-Url: https://git.distorted.org.uk/~mdw/chopwood/blobdiff_plain/623103dbef4dee3aff676cdc699fb7c1aaadcfd6..ea0eda5a7760ecd64663def89e55111e0d76ae3d:/cgi.py diff --git a/cgi.py b/cgi.py index 05c6c9e..0ecdfe2 100644 --- a/cgi.py +++ b/cgi.py @@ -59,7 +59,7 @@ CONF.DEFAULTS.update( ## Some handy regular expressions. R_URLESC = RX.compile('%([0-9a-fA-F]{2})') R_URLBAD = RX.compile('[^-\\w,.!]') -R_HTMLBAD = RX.compile('[&<>]') +R_HTMLBAD = RX.compile('[&<>\'"]') def urldecode(s): """Decode a single form-url-encoded string S.""" @@ -77,17 +77,18 @@ def htmlescape(s): ## Some standard character sequences, and HTML entity names for prettier ## versions. -_quotify = U.StringSubst({ +html_quotify = U.StringSubst({ + "<": '<', + ">": '>', + "&": '&', "`": '‘', "'": '’', + '"': '"', "``": '“', "''": '”', "--": '–', "---": '—' }) -def html_quotify(s): - """Return a pretty HTML version of S.""" - return _quotify(htmlescape(s)) ###-------------------------------------------------------------------------- ### Output machinery. @@ -196,7 +197,8 @@ def set_template_keywords(): package = PACKAGE, version = VERSION, script = CFG.SCRIPT_NAME, - static = CFG.STATIC) + static = CFG.STATIC, + allowop = CFG.ALLOWOP) class TemplateFinder (object): """ @@ -211,7 +213,7 @@ class TemplateFinder (object): with open(OS.path.join(me._dir, key)) as f: tmpl = f.read() me._cache[key] = tmpl return tmpl -TMPL = TemplateFinder(TMPLDIR) +STATE.kw['TMPL'] = TMPL = TemplateFinder(TMPLDIR) @CTX.contextmanager def tmplkw(**kw): @@ -229,13 +231,36 @@ class FormatHTML (F.SimpleFormatOperation): """ ~H: escape output suitable for inclusion in HTML. - With `:', instead apply form-urlencoding. + With `:', additionally apply quotification. """ def _convert(me, arg): if me.colonp: return html_quotify(arg) else: return htmlescape(arg) FORMATOPS['H'] = FormatHTML +class FormatWrap (F.BaseFormatOperation): + """ + ~<...~@>: wrap enclosed material in another formatting control string. + + The argument is a formatting control. The enclosed material is split into + pieces separated by `~;' markers. The formatting control is performed, and + passed the list of pieces (as compiled formatting operations) in the + keyword argument `wrapped'. + """ + def __init__(me, *args): + super(FormatWrap, me).__init__(*args) + pieces = [] + while True: + piece, delim = F.collect_subformat('>;') + pieces.append(piece) + if delim.char == '>': break + me.pieces = pieces + def _format(me, atp, colonp): + op = F.compile(me.getarg.get()) + with F.FORMAT.bind(argmap = dict(F.FORMAT.argmap, wrapped = me.pieces)): + op.format() +FORMATOPS['<'] = FormatWrap + def format_tmpl(control, **kw): with F.COMPILE.bind(opmaps = [FORMATOPS, F.BASEOPS]): with tmplkw(**kw): @@ -291,6 +316,7 @@ SPECIAL = {} PARAM = [] PARAMDICT = {} PATH = [] +SSLP = False ## Regular expressions for splitting apart query and cookie strings. R_QSPLIT = RX.compile('[;&]') @@ -346,8 +372,13 @@ def cgiparse(): `PATH' The trailing `PATH_INFO' path, split at `/' markers, with any trailing empty component removed. + + `SSLP' + True if the client connection is carried over SSL or TLS. """ + global SSLP + def getenv(var): try: return ENV[var] except KeyError: raise U.ExpectedError, (500, "No `%s' supplied" % var) @@ -402,6 +433,10 @@ def cgiparse(): if pp and not pp[-1]: pp.pop() PATH[:] = pp + ## Check the crypto for the connection. + if ENV.get('SSL_PROTOCOL'): + SSLP = True + ###-------------------------------------------------------------------------- ### CGI subcommands.