diff --git a/last_commit.txt b/last_commit.txt index d19495b0a2..1e60885120 100644 --- a/last_commit.txt +++ b/last_commit.txt @@ -1,88 +1,286 @@ -Repository: plone.tiles +Repository: plone.app.users Branch: refs/heads/master -Date: 2016-09-12T10:37:57+03:00 -Author: Asko Soukka (datakurre) -Commit: https://github.com/plone/plone.tiles/commit/66e65618d4ffd5758317c90761fba98b5d4e0987 +Date: 2016-09-07T17:29:37+02:00 +Author: Maurits van Rees (mauritsvanrees) +Commit: https://github.com/plone/plone.app.users/commit/38284c22eb13a7416efa14eabe8aa0fe7ce84d43 -Preparing release 1.7.1 +Don't show unescaped user id in user-information form. + +This applies PloneHotfix20160830. Files changed: +A plone/app/users/tests/test_user_data_panel.py M CHANGES.rst -M setup.py +M plone/app/users/browser/userdatapanel.py diff --git a/CHANGES.rst b/CHANGES.rst -index 8e429cf..bcce100 100644 +index a793b31..045c6fd 100644 --- a/CHANGES.rst +++ b/CHANGES.rst -@@ -1,7 +1,7 @@ - Changelog - ========= +@@ -14,7 +14,8 @@ New features: + + Bug fixes: --1.7.1 (unreleased) -+1.7.1 (2016-09-12) - ------------------ +-- *add item here* ++- Don't show unescaped user id in user-information form. ++ This applies PloneHotfix20160830. [maurits] - - Fix issue where collective.cover was broken, because internal changes in -diff --git a/setup.py b/setup.py -index 5eef97f..a1382c5 100644 ---- a/setup.py -+++ b/setup.py -@@ -5,7 +5,7 @@ - import os + 2.3.7 (2016-08-18) +diff --git a/plone/app/users/browser/userdatapanel.py b/plone/app/users/browser/userdatapanel.py +index debc12d..f28a809 100644 +--- a/plone/app/users/browser/userdatapanel.py ++++ b/plone/app/users/browser/userdatapanel.py +@@ -15,6 +15,9 @@ + from ..schema import IUserDataSchema + from .schemaeditor import getFromBaseSchema --version = '1.7.1.dev0' -+version = '1.7.1' ++import cgi ++ ++ - setup( - name='plone.tiles', + class UserDataPanelAdapter(AccountPanelSchemaAdapter): + """One does not simply set portrait, email might be used to login with. +@@ -72,7 +75,7 @@ def description(self): + return _( + u'description_personal_information_form_otheruser', + default='Change personal information for $name', +- mapping={'name': userid} ++ mapping={'name': cgi.escape(userid)} + ) + else: + # editing my own profile +diff --git a/plone/app/users/tests/test_user_data_panel.py b/plone/app/users/tests/test_user_data_panel.py +new file mode 100644 +index 0000000..7cbc9ba +--- /dev/null ++++ b/plone/app/users/tests/test_user_data_panel.py +@@ -0,0 +1,30 @@ ++from plone.app.users.browser.userdatapanel import UserDataPanel ++from plone.app.users.testing import PLONE_APP_USERS_FUNCTIONAL_TESTING ++from zope.i18n import translate ++ ++import unittest ++ ++ ++class TestUserDataPanel(unittest.TestCase): ++ ++ layer = PLONE_APP_USERS_FUNCTIONAL_TESTING ++ ++ def test_regression(self): ++ portal = self.layer['portal'] ++ request = self.layer['request'] ++ request.form.update({ ++ 'userid': 'admin' ++ }) ++ form = UserDataPanel(portal, request) ++ description = translate(form.description, context=request) ++ self.assertTrue('admin' in description) ++ ++ def test_escape_html(self): ++ portal = self.layer['portal'] ++ request = self.layer['request'] ++ request.form.update({ ++ 'userid': 'admin' ++ }) ++ form = UserDataPanel(portal, request) ++ description = translate(form.description, context=request) ++ self.assertTrue('' ++ }) ++ form = UserDataPanel(portal, request) ++ description = translate(form.description, context=request) ++ self.assertTrue('