Prevent XSS attacks with wmd using the google-caja html sanitizer.
[osqa.git] / forum / feed.py
index 02c309d364d67783f1c99ada4646efea9e6baded..60c2d3fe0ab3bf32a26d663e1039580f4dba7c0c 100644 (file)
@@ -1,3 +1,5 @@
+# -*- coding: utf-8 -*-
+
 try:
     from django.contrib.syndication.views import Feed, FeedDoesNotExist, add_domain
     old_version = False
@@ -6,6 +8,7 @@ except:
     old_version = True
 
 from django.http import HttpResponse
+from django.utils.encoding import smart_unicode
 from django.utils.translation import ugettext as _
 from django.utils.safestring import mark_safe
 from models import Question
@@ -23,33 +26,33 @@ class BaseNodeFeed(Feed):
         description_template = "feeds/rss_description.html"
 
     def __init__(self, request, title, description, url):
-        self._title = title
-        self._description = mark_safe(unicode(description))
+        self._title = u"%s" % smart_unicode(title)
+        self._description = mark_safe(u"%s" % smart_unicode(description))
         self._url = url
 
         if old_version:
             super(BaseNodeFeed, self).__init__('', request)
 
     def title(self):
-        return self._title
+        return u"%s" % smart_unicode(self._title)
 
     def link(self):
         return self._url
 
     def description(self):
-        return self._description
+        return u"%s" % smart_unicode(self._description)
 
     def item_title(self, item):
-        return item.title
+        return u"%s" % smart_unicode(item.title)
 
     def item_description(self, item):
-        return item.html
+        return u"%s" % smart_unicode(item.html)
 
     def item_link(self, item):
         return item.leaf.get_absolute_url()
 
     def item_author_name(self, item):
-        return item.author.username
+        return u"%s" % smart_unicode(item.author.username)
 
     def item_author_link(self, item):
         return item.author.get_profile_url()
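Review bot: `mark_safe` in `__init__` is applied to whatever the caller passes as `description`, and `RssAnswerFeed.__init__` (a later hunk) passes `question.html`, so the marking is only sound if that stored HTML was sanitized on the server before it was saved; nothing in this diff shows that, and `item_description` returns `item.html` under the same assumption. Separately, `description()` re-wraps the value as `u"%s" % smart_unicode(self._description)`, which as far as I can tell yields a plain `unicode` and drops the safe marking again, so the two lines work against each other. Since `__init__` already normalises both fields, `return self._title` and `return self._description` would be enough, and where a lazy string has to be forced, `force_unicode(x)` says so more directly than `u"%s" % smart_unicode(x)`. The class body starts and ends outside this hunk.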
@@ -67,7 +70,7 @@ class BaseNodeFeed(Feed):
 
 class RssQuestionFeed(BaseNodeFeed):
     def __init__(self, request, question_list, title, description):
-        url = request.path + "&" + generate_uri(request.GET, (_('page'), _('pagesize'), _('sort')))
+        url = request.path + "?" + generate_uri(request.GET, (_('page'), _('pagesize'), _('sort')))
         super(RssQuestionFeed, self).__init__(request, title, description, url)
 
         self._question_list = question_list
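Review bot: The rebuilt `url` always appends `?` plus whatever `generate_uri` returns, so a request with no remaining parameters would presumably produce a link with a bare trailing `?`. The query part is derived from `request.GET`, and `generate_uri` is not visible here, so it is worth confirming that it percent-encodes keys and values, since this string becomes the feed's `link`. Binding the result first, `qs = generate_uri(...)`, and then using `url = request.path + ("?" + qs if qs else "")` would cover the empty case. `__init__` continues outside the hunk.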
@@ -83,7 +86,11 @@ class RssAnswerFeed(BaseNodeFeed):
         title_template = "feeds/rss_answer_title.html"
 
     def __init__(self, request, question, include_comments=False):
-        super(RssAnswerFeed, self).__init__(request, _("Answers to: %s") % question.title, question.html, question.get_absolute_url())
+        super(RssAnswerFeed, self).__init__(
+            request, _("Answers to: %s") % smart_unicode(question.title),
+            question.html,
+            question.get_absolute_url()
+        )
         self._question = question
         self._include_comments = include_comments
 
@@ -97,12 +104,10 @@ class RssAnswerFeed(BaseNodeFeed):
 
     def item_title(self, item):
         if item.node_type == "answer":
-            return _("Answer by %s") % item.author.username
+            return _("Answer by %s") % smart_unicode(item.author.username)
         else:
             return _("Comment by %(cauthor)s on %(pauthor)s's %(qora)s") % dict(
-                cauthor=item.author.username, pauthor=item.parent.author.username, qora=(item.parent.node_type == "answer" and _("answer") or _("question"))
+                cauthor=smart_unicode(item.author.username),
+                pauthor=smart_unicode(item.parent.author.username),
+                qora=(item.parent.node_type == "answer" and _("answer") or _("question"))
             )
-
-
-
-