Better safe than sorry: escape all values when generating a plan summary
authorGu1 <gu1@cafai.fr>
Sun, 9 Jun 2013 01:59:19 +0000 (03:59 +0200)
committerGu1 <gu1@cafai.fr>
Sun, 9 Jun 2013 02:07:12 +0000 (04:07 +0200)
fdneligibility/forms.py
fdneligibility/views.py

index f49ed64..2bde956 100644 (file)
@@ -21,10 +21,12 @@ class EligibilityForm2(forms.Form):
     plans = forms.ChoiceField(label=_('Plans'), widget=forms.RadioSelect, error_messages={'required': _('Please choose a plan')})
 
     def format_plan(self, o):
+        args={'download': escape(o['download']), 'upload': escape(o['upload']), 'unbundling': escape(o['unbundling'])}
         if 'abo' in o and 'fas' in o:
-            plan=_(u"<strong>%(download)s</strong>/<strong>%(upload)s</strong>, %(unbundling)s %(abo)s€/month <small>(service access fee: %(fas)s€)</small>") % o
+            args.update({'abo': escape(o['abo']), 'fas': escape(o['fas'])})
+            plan=_(u"<strong>%(download)s</strong>/<strong>%(upload)s</strong>, %(unbundling)s %(abo)s€/month <small>(service access fee: %(fas)s€)</small>") % args
         else:
-            plan=_(u"<strong>%(download)s</strong>/<strong>%(upload)s</strong>, %(unbundling)s") % o
+            plan=_(u"<strong>%(download)s</strong>/<strong>%(upload)s</strong>, %(unbundling)s") % args
         return mark_safe(plan)
 
     def __init__(self, *args, **kwargs):
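Review bot: The escaping is only as complete as the list of keys hand-copied into `args` on the first added line and in the `args.update(...)` line — a placeholder added later to either translation string would again be interpolated raw into a result that is still handed to `mark_safe()`, which is exactly the class of bug this commit fixes. If the project is on Django 1.5 or later, `format_html` escapes every argument automatically and removes the per-key bookkeeping, e.g. `plan = format_html(_(u"<strong>{download}</strong>/<strong>{upload}</strong>, {unbundling}"), **o)` (this requires switching the `.po` strings from `%(name)s` to `{name}` placeholders). If the `%` form is kept, a comment above the `args` line should state the invariant: `# Every value interpolated into the string below must go through escape(): the result is returned mark_safe()d, so anything left raw is rendered as HTML.` Minor style: a local named `args` reads oddly right above `__init__(self, *args, **kwargs)`; `escaped` would say what it holds. The enclosing class `EligibilityForm2` starts before and continues past this hunk.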
index af7d09b..aa7abec 100644 (file)
@@ -141,7 +141,7 @@ class EligibilityWizard(SessionWizardView):
                 'line_info': self.storage.extra_data['si_res']['info_ligne']
             })
         return context
-    
+
     def get_form_kwargs(self, step=None):
         kwargs=super(EligibilityWizard, self).get_form_kwargs(step)
         if step == '1':