diff --git a/openslides/agenda/views.py b/openslides/agenda/views.py
index bba1582fc..652781b17 100644
--- a/openslides/agenda/views.py
+++ b/openslides/agenda/views.py
@@ -1,6 +1,7 @@
 # -*- coding: utf-8 -*-
 # TODO: Rename all views and template names
+from cgi import escape
 from datetime import datetime, timedelta
 from json import dumps
@@ -364,10 +365,10 @@ class AgendaPDF(PDFView):
 if ancestors:
 space = " " * 6 * ancestors.count()
 story.append(Paragraph(
- "%s%s" % (space, item.get_title()),
+ "%s%s" % (space, escape(item.get_title())),
 stylesheet['Subitem']))
 else:
- story.append(Paragraph(item.get_title(), stylesheet['Item']))
+ story.append(Paragraph(escape(item.get_title()), stylesheet['Item']))
 class SpeakerAppendView(SingleObjectMixin, RedirectView):
diff --git a/openslides/assignment/views.py b/openslides/assignment/views.py
index 4f0391f56..3696ff536 100644
--- a/openslides/assignment/views.py
+++ b/openslides/assignment/views.py
@@ -1,5 +1,7 @@
 # -*- coding: utf-8 -*-
+from cgi import escape
+
 from django.contrib import messages
 from django.core.urlresolvers import reverse
 from django.shortcuts import redirect
@@ -308,9 +310,9 @@ class AssignmentPDF(PDFView):
 except KeyError:
 assignment_id = None
 if assignment_id is None: # print all assignments
- title = config["assignment_pdf_title"]
+ title = escape(config["assignment_pdf_title"])
 story.append(Paragraph(title, stylesheet['Heading1']))
- preamble = config["assignment_pdf_preamble"]
+ preamble = escape(config["assignment_pdf_preamble"])
 if preamble:
 story.append(Paragraph(
 "%s" % preamble.replace('\r\n', '
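Review bot: The escaping policy is now repeated at a dozen call sites as bare `cgi.escape`, which defaults to `quote=False` and is deprecated since Python 3.2 and removed in 3.8 in favour of `html.escape`; a single project helper such as `def pdf_text(value): return escape(value)` in the shared pdf module would give one place to change the implementation and make a missed call site stand out. The agenda hunk itself is consistent: both branches of the `if ancestors` block now escape `item.get_title()` before the value enters the Paragraph markup. The same pattern recurs in the assignment, motion and participant hunks below. The enclosing method of this hunk starts outside it.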
'),
@@ -324,7 +326,7 @@ class AssignmentPDF(PDFView):
 # List of assignments
 for assignment in assignments:
 story.append(Paragraph(
- assignment.name, stylesheet['Heading3']))
+ escape(assignment.name), stylesheet['Heading3']))
 # Assignment details (each assignment on single page)
 for assignment in assignments:
 story.append(PageBreak())
@@ -338,7 +340,7 @@ class AssignmentPDF(PDFView):
 def get_assignment(self, assignment, story):
 # title
 story.append(Paragraph(
- _("Election: %s") % assignment.name, stylesheet['Heading1']))
+ _("Election: %s") % escape(assignment.name), stylesheet['Heading1']))
 story.append(Spacer(0, 0.5 * cm))
 # Filling table rows...
@@ -473,7 +475,7 @@ class AssignmentPDF(PDFView):
 # election description
 story.append(
- Paragraph("%s" % assignment.description.replace('\r\n', '
'),
+ Paragraph("%s" % escape(assignment.description).replace('\r\n', '
'),
 stylesheet['Paragraph']))
diff --git a/openslides/motion/pdf.py b/openslides/motion/pdf.py
index 9858e2f3d..f89d2f274 100644
--- a/openslides/motion/pdf.py
+++ b/openslides/motion/pdf.py
@@ -1,5 +1,6 @@
 # -*- coding: utf-8 -*-
+from cgi import escape
 from operator import attrgetter
 import random
@@ -38,7 +39,7 @@ def motion_to_pdf(pdf, motion):
 identifier = ''
 if motion.identifier:
 identifier = ' %s' % motion.identifier
- pdf.append(Paragraph('%s%s: %s' % (_('Motion'), identifier, motion.title), stylesheet['Heading1']))
+ pdf.append(Paragraph('%s%s: %s' % (_('Motion'), identifier, escape(motion.title)), stylesheet['Heading1']))
 motion_data = []
@@ -140,7 +141,7 @@ def motion_to_pdf(pdf, motion):
 pdf.append(Spacer(0, 1 * cm))
 # motion title
- pdf.append(Paragraph(motion.title, stylesheet['Heading3']))
+ pdf.append(Paragraph(escape(motion.title), stylesheet['Heading3']))
 # motion text
 convert_html_to_reportlab(pdf, motion.text)
@@ -232,9 +233,9 @@ def all_motion_cover(pdf, motions):
 """
 Create a coverpage for all motions.
 """
- pdf.append(Paragraph(config["motion_pdf_title"], stylesheet['Heading1']))
+ pdf.append(Paragraph(escape(config["motion_pdf_title"]), stylesheet['Heading1']))
- preamble = config["motion_pdf_preamble"]
+ preamble = escape(config["motion_pdf_preamble"])
 if preamble:
 pdf.append(Paragraph("%s" % preamble.replace('\r\n', '
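Review bot: `motion.identifier` still reaches the Paragraph markup unescaped through the context line `identifier = ' %s' % motion.identifier`, while only `motion.title` gets `escape()` on the new `pdf.append(Paragraph('%s%s: %s' % ...))` line; the same gap is in the `@@ -258` hunk of `all_motion_cover`. If the identifier is user-editable (likely for a motion, but not visible here), `identifier = ' %s' % escape(motion.identifier)` closes it in both places. Both `motion_to_pdf` and `all_motion_cover` start and end outside their hunks.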
'), stylesheet['Paragraph']))
@@ -246,7 +247,7 @@ def all_motion_cover(pdf, motions):
 categories = True
 if i == 0:
 pdf.append(Paragraph(_("Categories"), stylesheet['Heading2']))
- pdf.append(Paragraph("%s    %s" % (category.prefix, category.name), stylesheet['Paragraph']))
+ pdf.append(Paragraph("%s    %s" % (escape(category.prefix), escape(category.name)), stylesheet['Paragraph']))
 if categories:
 pdf.append(PageBreak())
@@ -258,7 +259,7 @@ def all_motion_cover(pdf, motions):
 identifier = ''
 if motion.identifier:
 identifier = ' %s' % motion.identifier
- pdf.append(Paragraph('%s%s: %s' % (_('Motion'), identifier, motion.title), stylesheet['Heading3']))
+ pdf.append(Paragraph('%s%s: %s' % (_('Motion'), identifier, escape(motion.title)), stylesheet['Heading3']))
 def motion_poll_to_pdf(pdf, poll):
diff --git a/openslides/participant/pdf.py b/openslides/participant/pdf.py
index 32deaedc8..29040cdea 100644
--- a/openslides/participant/pdf.py
+++ b/openslides/participant/pdf.py
@@ -1,5 +1,7 @@
 # -*- coding: utf-8 -*-
+from cgi import escape
+
 from django.utils.translation import ugettext as _
 from reportlab.graphics.barcode.qr import QrCodeWidget
 from reportlab.graphics.shapes import Drawing
@@ -30,13 +32,13 @@ def participants_to_pdf(pdf):
 groups = ''
 for group in user.groups.all():
 if group.pk != 2:
- groups += "%s
" % unicode(_(group.name))
+ groups += "%s
" % escape(unicode(_(group.name)))
 data.append([
 counter,
 Paragraph(user.title, stylesheet['Tablecell']),
- Paragraph(user.last_name, stylesheet['Tablecell']),
- Paragraph(user.first_name, stylesheet['Tablecell']),
- Paragraph(user.structure_level, stylesheet['Tablecell']),
+ Paragraph(escape(user.last_name), stylesheet['Tablecell']),
+ Paragraph(escape(user.first_name), stylesheet['Tablecell']),
+ Paragraph(escape(user.structure_level), stylesheet['Tablecell']),
 Paragraph(groups, stylesheet['Tablecell'])])
 t = LongTable(data, style=[
 ('VALIGN', (0, 0), (-1, -1), 'TOP'),
@@ -82,7 +84,7 @@ def participants_passwords_to_pdf(pdf):
 qrcode_wlan_draw.add(qrcode_wlan)
 for user in User.objects.all().order_by(sort):
- pdf.append(Paragraph(unicode(user), stylesheet['h1']))
+ pdf.append(Paragraph(escape(unicode(user)), stylesheet['h1']))
 pdf.append(Spacer(0, 1 * cm))
 data = []
 # WLAN access data
@@ -91,15 +93,15 @@ def participants_passwords_to_pdf(pdf):
 stylesheet['h2']))
 cell.append(Paragraph("%s:" % _("WLAN name (SSID)"),
 stylesheet['formfield']))
- cell.append(Paragraph(participant_pdf_wlan_ssid,
+ cell.append(Paragraph(escape(participant_pdf_wlan_ssid),
 stylesheet['formfield_value']))
 cell.append(Paragraph("%s:" % _("WLAN password"),
 stylesheet['formfield']))
- cell.append(Paragraph(participant_pdf_wlan_password,
+ cell.append(Paragraph(escape(participant_pdf_wlan_password),
 stylesheet['formfield_value']))
 cell.append(Paragraph("%s:" % _("WLAN encryption"),
 stylesheet['formfield']))
- cell.append(Paragraph(participant_pdf_wlan_encryption,
+ cell.append(Paragraph(escape(participant_pdf_wlan_encryption),
 stylesheet['formfield_value']))
 cell.append(Spacer(0, 0.5 * cm))
 # OpenSlides access data
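Review bot: In the `data.append([...])` row, `Paragraph(user.title, stylesheet['Tablecell'])` is the one free-text column left unescaped while `last_name`, `first_name` and `structure_level` now pass through `escape()`; `Paragraph(escape(user.title), stylesheet['Tablecell']),` would make the row consistent. Separately, `cgi.escape` calls `.replace` on its argument, so if `structure_level` or `title` can be NULL in the model this row now raises `AttributeError` — worth confirming the fields are non-nullable or using `escape(value or '')`. The `participants_to_pdf` body starts and ends outside the hunk.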
@@ -108,15 +110,15 @@ def participants_passwords_to_pdf(pdf):
 stylesheet['h2']))
 cell2.append(Paragraph("%s:" % _("Username"),
 stylesheet['formfield']))
- cell2.append(Paragraph(user.username,
+ cell2.append(Paragraph(escape(user.username),
 stylesheet['formfield_value']))
 cell2.append(Paragraph("%s:" % _("Password"),
 stylesheet['formfield']))
- cell2.append(Paragraph(user.default_password,
+ cell2.append(Paragraph(escape(user.default_password),
 stylesheet['formfield_value']))
 cell2.append(Paragraph("URL:", stylesheet['formfield']))
- cell2.append(Paragraph(participant_pdf_url,
+ cell2.append(Paragraph(escape(participant_pdf_url),
 stylesheet['formfield_value']))
 data.append([cell, cell2])
 # QRCodes
@@ -140,8 +142,8 @@ def participants_passwords_to_pdf(pdf):
 pdf.append(Spacer(0, 2 * cm))
 # welcome title and text
- pdf.append(Paragraph(participant_pdf_welcometitle, stylesheet['h2']))
- pdf.append(Paragraph(participant_pdf_welcometext.replace('\r\n', '
'),
+ pdf.append(Paragraph(escape(participant_pdf_welcometitle), stylesheet['h2']))
+ pdf.append(Paragraph(escape(participant_pdf_welcometext).replace('\r\n', '
'),
 stylesheet['Paragraph12']))
 pdf.append(PageBreak())
 return pdf
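Review bot: `escape(participant_pdf_welcometext).replace('\r\n', ...)` escapes before the line-break markup is inserted, which is the correct order, but the replacement matches only CRLF; a welcome text stored with bare `\n` endings keeps its newlines, which ReportLab's Paragraph treats as collapsible whitespace, so the intended line structure is silently lost. Normalising first with `.replace('\r\n', '\n')` and then replacing `'\n'` with the same break markup handles both; the preamble lines in the assignment and motion hunks have the identical pattern. The `participants_passwords_to_pdf` body begins before this hunk and `return pdf` closes it.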