From 314e91e3281642451f2355b4480d3df132352654 Mon Sep 17 00:00:00 2001
From: Holger Frey
Date: Mon, 7 May 2018 17:42:54 +0200
Subject: [PATCH] Plugin is now escaping input values correctly

---
 YouTubeVideo.py | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/YouTubeVideo.py b/YouTubeVideo.py
index d5923c2..bf2aa6a 100644
--- a/YouTubeVideo.py
+++ b/YouTubeVideo.py
@@ -29,12 +29,23 @@ def macro_YouTubeVideo(macro, video_id=None, width=None, height=None):
         # no video id given
         return macro.formatter.rawHTML(u'')
+    video_id = wikiutil.escape(str(video_id))
+
+    if width is None:
+        width_attrib = ''
+    else:
+        escaped = wikiutil.escape(str(width))
+        width_attrib = 'width="%s"' % escaped
+
+    if height is None:
+        height_attrib = ''
+    else:
+        escaped = wikiutil.escape(str(height))
+        height_attrib = 'height="%s"' % escaped
-    width = '' if width is None else 'width="%s"' % str(width)
-    height = '' if height is None else 'height="%s"' % str(height)
     tmp = (u'' )
-    html = tmp % (video_id, width, height)
+    html = tmp % (video_id, width_attrib, height_attrib)
     return macro.formatter.rawHTML(html)
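Review bot: The fix only holds if wikiutil.escape also encodes double quotes, because every escaped value is dropped into a double-quoted attribute (`'width="%s"' % escaped`, and presumably the src URL of the template, whose text is not visible in this view); MoinMoin's escape encodes `"` only when its quote argument is true and the default has differed between releases, so make it explicit in all three places, e.g. `escaped = wikiutil.escape(str(width), quote=True)`. Escaping is also the weaker tool here: a video id that is a valid YouTube id consists only of ASCII letters, digits, `-` and `_`, and width/height are digits with an optional `%`, so allow-listing the inputs and falling back to the existing empty-output branch rejects junk such as `../` or `x?autoplay=1` that HTML escaping passes through untouched. Separately, `str(video_id)` is new in this hunk and, under Python 2 (which the `u''` literals suggest), raises UnicodeEncodeError for a non-ASCII unicode argument before any escaping runs, so a wiki page can crash the macro; convert with `unicode()` instead. The enclosing macro_YouTubeVideo starts before the hunk and its template/return lines are only partly shown.

```python
def macro_YouTubeVideo(macro, video_id=None, width=None, height=None):
    # … unchanged: missing-video_id branch …
    # Allow-list instead of escape: the values land in a src URL and in
    # attribute values, where HTML escaping alone does not constrain them.
    allowed = u'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_'
    video_id = unicode(video_id)
    if not video_id or any(c not in allowed for c in video_id):
        return macro.formatter.rawHTML(u'')

    def _size_attrib(name, value):
        # Accept only digits with an optional trailing '%'; drop anything else.
        if value is None:
            return u''
        value = unicode(value)
        digits = value[:-1] if value.endswith(u'%') else value
        if not digits.isdigit():
            return u''
        return u'%s="%s"' % (name, value)

    width_attrib = _size_attrib(u'width', width)
    height_attrib = _size_attrib(u'height', height)
    # … unchanged: template and rawHTML return …
```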