diff --git a/web/pgadmin/tools/backup/__init__.py b/web/pgadmin/tools/backup/__init__.py
index 4cc9b1771..1b1fc7baa 100644
--- a/web/pgadmin/tools/backup/__init__.py
+++ b/web/pgadmin/tools/backup/__init__.py
@@ -9,7 +9,6 @@ """Implements Backup Utility"""
-import cgi import json import os
@@ -22,7 +21,7 @@ from config import PG_DEFAULT_DRIVER from pgadmin.misc.bgprocess.processes import BatchProcess, IProcessDesc from pgadmin.model import Server from pgadmin.utils.ajax import make_json_response, bad_request
-from pgadmin.utils import PgAdminModule, get_storage_directory
+from pgadmin.utils import PgAdminModule, get_storage_directory, html # set template path for sql scripts
@@ -124,36 +123,36 @@ class BackupMessage(IProcessDesc): res = '
' if self.backup_type == BACKUP.OBJECT: - res += cgi.escape( + res += html.safe_str( _( "Backing up an object on the server - '{0}' on database '{1}'" ).format( "{0} ({1}:{2})".format(s.name, s.host, s.port), self.database ) - ).encode('ascii', 'xmlcharrefreplace') + ) if self.backup_type == BACKUP.GLOBALS: - res += cgi.escape( + res += html.safe_str( _("Backing up the globals for the server - '{0}'").format( "{0} ({1}:{2})".format(s.name, s.host, s.port) ) - ).encode('ascii', 'xmlcharrefreplace') + ) elif self.backup_type == BACKUP.SERVER: - res += cgi.escape( + res += html.safe_str( _("Backing up the server - '{0}'").format( "{0} ({1}:{2})".format(s.name, s.host, s.port) ) - ).encode('ascii', 'xmlcharrefreplace') + ) else: # It should never reach here. res += "Backup" res += '
' - res += cgi.escape( + res += html.safe_str( _("Running command:") - ).encode('ascii', 'xmlcharrefreplace') + ) res += '
' - res += cgi.escape(cmd).encode('ascii', 'xmlcharrefreplace') + res += html.safe_str(cmd) replace_next = False
@@ -163,9 +162,7 @@ class BackupMessage(IProcessDesc): x = x.replace('"', '\\"') x = x.replace('""', '\\"') - return ' "' + cgi.escape(x).encode( - 'ascii', 'xmlcharrefreplace' - ) + '"' + return ' "' + html.safe_str(x) + '"' return ''
@@ -173,9 +170,9 @@ class BackupMessage(IProcessDesc): if arg and len(arg) >= 2 and arg[:2] == '--': res += ' ' + arg elif replace_next: - res += ' "' + cgi.escape( + res += ' "' + html.safe_str( self.bfile - ).encode('ascii', 'xmlcharrefreplace') + '"' + ) + '"' else: if arg == '--file': replace_next = True
diff --git a/web/pgadmin/tools/maintenance/__init__.py b/web/pgadmin/tools/maintenance/__init__.py
index 023665791..151f242ff 100644
--- a/web/pgadmin/tools/maintenance/__init__.py
+++ b/web/pgadmin/tools/maintenance/__init__.py
@@ -9,7 +9,6 @@ """A blueprint module implementing the maintenance tool for vacuum"""
-import cgi import json from flask import url_for, Response, render_template, request, current_app
@@ -19,7 +18,7 @@ from flask.ext.security import login_required from config import PG_DEFAULT_DRIVER from pgadmin.misc.bgprocess.processes import BatchProcess, IProcessDesc from pgadmin.model import Server
-from pgadmin.utils import PgAdminModule
+from pgadmin.utils import PgAdminModule, html from pgadmin.utils.ajax import bad_request, make_json_response from pgadmin.utils.driver import get_driver
@@ -119,16 +118,14 @@ class Message(IProcessDesc): if self.data['op'] == "CLUSTER": res = _('CLUSTER') - res = '
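Review bot: In the `@@ -173,9 +170,9 @@` hunk the branch `res += ' ' + arg` on the context line just above the changed lines still appends every `--`-prefixed argument to the HTML message unescaped, while the `--file` value on the next branch is now routed through `html.safe_str`. If any of those options can carry a value that did not originate in this module (the args list is built outside the hunk, so I cannot tell from here), the line should read `res += ' ' + html.safe_str(arg)` so the escaping boundary this commit introduces is applied uniformly. The enclosing loop starts before the hunk begins, and the equivalent loop in restore's `@@ -120,9 +117,7 @@` hunk is only partly visible, so it is worth the same check there.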
' + cgi.escape(res).encode( - 'ascii', 'xmlcharrefreplace' - ) + res = '
' + html.safe_str(res) res += '
' - res += cgi.escape( + res += html.safe_str( _("Running Query:") - ).encode('ascii', 'xmlcharrefreplace') + ) res += '
' - res += cgi.escape(self.query).encode('ascii', 'xmlcharrefreplace') + res += html.safe_str(self.query) res += '
' return res
diff --git a/web/pgadmin/tools/restore/__init__.py b/web/pgadmin/tools/restore/__init__.py
index 1ed58bdd8..987bd396b 100644
--- a/web/pgadmin/tools/restore/__init__.py
+++ b/web/pgadmin/tools/restore/__init__.py
@@ -9,7 +9,6 @@ """Implements Restore Utility"""
-import cgi import json import os
@@ -22,7 +21,7 @@ from config import PG_DEFAULT_DRIVER from pgadmin.model import Server from pgadmin.misc.bgprocess.processes import BatchProcess, IProcessDesc from pgadmin.utils.ajax import make_json_response, bad_request
-from pgadmin.utils import PgAdminModule, get_storage_directory
+from pgadmin.utils import PgAdminModule, get_storage_directory, html # set template path for sql scripts MODULE_NAME = 'restore'
@@ -82,20 +81,20 @@ class RestoreMessage(IProcessDesc): res = '
' - res += cgi.escape( + res += html.safe_str( _( "Restoring the backup on the server - '{0}'" ).format( "{0} ({1}:{2})".format(s.name, s.host, s.port) ) - ).encode('ascii', 'xmlcharrefreplace') + ) res += '
' - res += cgi.escape( + res += html.safe_str( _("Running command:") - ).encode('ascii', 'xmlcharrefreplace') + ) res += '
' - res += cgi.escape(cmd).encode('ascii', 'xmlcharrefreplace') + res += html.safe_str(cmd) def cmdArg(x): if x:
@@ -103,9 +102,7 @@ class RestoreMessage(IProcessDesc): x = x.replace('"', '\\"') x = x.replace('""', '\\"') - return ' "' + cgi.escape(x).encode( - 'ascii', 'xmlcharrefreplace' - ) + '"' + return ' "' + html.safe_str(x) + '"' return ''
@@ -120,9 +117,7 @@ class RestoreMessage(IProcessDesc): idx += 1 if no_args > 1: - res += ' "' + cgi.escape(self.bfile).encode( - 'ascii', 'xmlcharrefreplace' - ) + '"' + res += ' "' + html.safe_str(self.bfile) + '"' res += '
'
diff --git a/web/pgadmin/utils/html.py b/web/pgadmin/utils/html.py
new file mode 100644
index 000000000..4b4370d3d
--- /dev/null
+++ b/web/pgadmin/utils/html.py
@@ -0,0 +1,18 @@
+##########################################################################
+#
+# pgAdmin 4 - PostgreSQL Tools
+#
+# Copyright (C) 2013 - 2016, The pgAdmin Development Team
+# This software is released under the PostgreSQL Licence
+#
+#########################################################################
+
+"""Utilities for HTML"""
+
+import cgi
+
+
+def safe_str(x):
+ return cgi.escape(x).encode(
+ 'ascii', 'xmlcharrefreplace'
+ ).decode()
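Review bot: `safe_str` relies on the default `quote=False` of `cgi.escape`, so a `"` in the input passes through unescaped; the callers in this diff only place the result in element content and add their own literal quotes outside the call, which is fine there, but a helper with this name invites reuse in attribute context, where an unescaped `"` would terminate the attribute. Passing `quote=True` is compatible with every caller in this diff: `return cgi.escape(x, quote=True).encode('ascii', 'xmlcharrefreplace').decode()`. `cgi.escape` has been deprecated since Python 3.2 in favour of `html.escape`, so isolating it in one place is the right move, but the function should carry a docstring that says so, e.g. `"""Escape x for HTML (quotes included) and encode non-ASCII characters as numeric references; wraps the deprecated cgi.escape."""`. The module name `html` also shadows the standard-library `html` module for any sibling in `pgadmin/utils` that does an implicit-relative `import html` under Python 2, so it is worth confirming the package uses absolute imports.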