From f08ad8d560a587db2c6690b5702b3b5f0a4836de Mon Sep 17 00:00:00 2001
From: William McBrine <wmcbrine@gmail.com>
Date: Tue, 16 Feb 2010 00:20:47 -0500
Subject: [PATCH] XML escape TiVo names, plus show titles and descriptions in
 the ToGo page.

---
 httpserver.py                          | 2 +-
 plugins/togo/templates/npl.tmpl        | 8 ++++----
 plugins/togo/togo.py                   | 2 ++
 plugins/video/templates/container.tmpl | 4 ++--
 4 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/httpserver.py b/httpserver.py
index 6f5b42c..fd6599c 100644
--- a/httpserver.py
+++ b/httpserver.py
@@ -262,7 +262,7 @@ class TivoHTTPHandler(BaseHTTPServer.BaseHTTPRequestHandler):
                         t.togo += ('<a href="/TiVoConnect?' +
                             'Command=NPL&amp;Container=' + quote(section) +  
                             '&amp;TiVo=' + config.tivos[tsn] + '">' + 
-                            config.tivo_names[tsn] + '</a><br>')
+                            escape(config.tivo_names[tsn]) + '</a><br>')
             elif plugin_type == 'video' and t.shares:
                 t.shares += ('<a href="TiVoConnect?Command=' +
                              'QueryContainer&amp;Container=' +
diff --git a/plugins/togo/templates/npl.tmpl b/plugins/togo/templates/npl.tmpl
index f830ce9..00747e3 100644
--- a/plugins/togo/templates/npl.tmpl
+++ b/plugins/togo/templates/npl.tmpl
@@ -14,7 +14,7 @@
         #set $tname = $tivo_names[$tsn]
     #end if
 #end for
-<p style="text-align: center"><span id="title">pyTivo - ToGo - $tname</span></p>
+<p style="text-align: center"><span id="title">pyTivo - ToGo - $escape($tname)</span></p>
 <table id="main" border="0" cellpadding="0" cellspacing="4">
     <tr>
       <td>
@@ -69,12 +69,12 @@
 				#end if
 				<td width="*">
                                         #if 'episodeTitle' in $row
-					<b>$row['title']: $row['episodeTitle']</b><br>
+					<b>$escape($row['title']): $escape($row['episodeTitle'])</b><br>
                                         #else
-					<b>$row['title']</b><br>
+					<b>$escape($row['title'])</b><br>
                                         #end if
 					<small>#if 'description' in $row
-                                        $row['description']
+                                        $escape($row['description'])
                                         #end if
                                         #if 'displayMajorNumber' in $row and 'callsign' in $row
 					$row['displayMajorNumber'] $row['callsign']
diff --git a/plugins/togo/togo.py b/plugins/togo/togo.py
index d528e6d..7e35906 100644
--- a/plugins/togo/togo.py
+++ b/plugins/togo/togo.py
@@ -7,6 +7,7 @@ import urllib2
 import urlparse
 from urllib import quote, unquote
 from xml.dom import minidom
+from xml.sax.saxutils import escape
 
 from Cheetah.Template import Template
 
@@ -157,6 +158,7 @@ class ToGo(Plugin):
 
         cname = query['Container'][0].split('/')[0]
         t = Template(NPL_TEMPLATE, filter=EncodeUnicode)
+        t.escape = escape
         t.quote = quote
         t.folder = folder
         t.status = status
diff --git a/plugins/video/templates/container.tmpl b/plugins/video/templates/container.tmpl
index 39defbb..1297adf 100644
--- a/plugins/video/templates/container.tmpl
+++ b/plugins/video/templates/container.tmpl
@@ -4,12 +4,12 @@
     <Tivos>
         #for $tivo in $tivo_names
             #if $tivo and $tivo in $tivos
-                <Tivo>$tivo_names[$tivo]</Tivo>
+                <Tivo>$escape($tivo_names[$tivo])</Tivo>
             #end if
         #end for
         #for $tivo in $tivo_names
             #if $tivo and not $tivo in $tivos
-                <Tivo>$tivo_names[$tivo]</Tivo>
+                <Tivo>escape($tivo_names[$tivo])</Tivo>
             #end if
         #end for
     </Tivos>
-- 
2.11.4.GIT