Files
@ 7aff9a999536
Branch filter:
Location: kallithea/scripts/dbmigrate-test
7aff9a999536
3.5 KiB
text/plain
templates, controllers: replace webhelpers.html.literal() with webhelpers.html.HTML() where possible
Usage of webhelpers.literal (h.literal) can be a problem when variables are
not correctly escaped. Luckily, this function can be avoided in several
cases.
Several users of the construct:
h.literal(_('..A..') % (..B..))
can be simplified if (..B..) just contains a call to h.link_to. In this
case, there is actually no need to use h.literal, because the object
returned by link_to is already a literal. It is sufficient to use
webhelpers.html.HTML() like so:
h.HTML(_('..A..')) % (..B..)
which is better because it will escape the '..A..' part instead of passing
it literally.
The need to wrap the '..A..' part in HTML() is to make sure the (escaped)
end result is not a plain string but a 'literal' to avoid double escaping
later.
See also the documentation:
https://docs.pylonsproject.org/projects/webhelpers/en/latest/modules/html/builder.html
"
When literal is used in a mixed expression containing both literals and
ordinary strings, it tries hard to escape the strings and return a
literal. However, this depends on which value has “control” of the
expression. literal seems to be able to take control with all
combinations of the + operator, but with % and join it must be on the
left side of the expression. So these all work:
"A" + literal("B")
literal(", ").join(["A", literal("B")])
literal("%s %s") % (16, literal("kg"))
But these return an ordinary string which is prone to double-escaping later:
"\n".join([literal('<span class="foo">Foo!</span>'), literal('Bar!')])
"%s %s" % (literal("16"), literal("<em>kg</em>"))
"
This same escaping with 'HTML()' was already done by default in mako
templates for constructs like ${_("something")} that do not contain format
specifiers. When the translated string _does_ contain format specifiers, we
want to use the same escaping, but we have to do it explicit and earlier so
the escaping happens already when strings are inserted into the template
string.
Usage of webhelpers.literal (h.literal) can be a problem when variables are
not correctly escaped. Luckily, this function can be avoided in several
cases.
Several users of the construct:
h.literal(_('..A..') % (..B..))
can be simplified if (..B..) just contains a call to h.link_to. In this
case, there is actually no need to use h.literal, because the object
returned by link_to is already a literal. It is sufficient to use
webhelpers.html.HTML() like so:
h.HTML(_('..A..')) % (..B..)
which is better because it will escape the '..A..' part instead of passing
it literally.
The need to wrap the '..A..' part in HTML() is to make sure the (escaped)
end result is not a plain string but a 'literal' to avoid double escaping
later.
See also the documentation:
https://docs.pylonsproject.org/projects/webhelpers/en/latest/modules/html/builder.html
"
When literal is used in a mixed expression containing both literals and
ordinary strings, it tries hard to escape the strings and return a
literal. However, this depends on which value has “control” of the
expression. literal seems to be able to take control with all
combinations of the + operator, but with % and join it must be on the
left side of the expression. So these all work:
"A" + literal("B")
literal(", ").join(["A", literal("B")])
literal("%s %s") % (16, literal("kg"))
But these return an ordinary string which is prone to double-escaping later:
"\n".join([literal('<span class="foo">Foo!</span>'), literal('Bar!')])
"%s %s" % (literal("16"), literal("<em>kg</em>"))
"
This same escaping with 'HTML()' was already done by default in mako
templates for constructs like ${_("something")} that do not contain format
specifiers. When the translated string _does_ contain format specifiers, we
want to use the same escaping, but we have to do it explicit and earlier so
the escaping happens already when strings are inserted into the template
string.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 | #!/bin/sh -e
if [ $# -lt 2 ] || [ $# -gt 3 ]; then
cat >&2 <<EOD
usage: $0 CONFIG_FILE FROM_REV [TO_REV]
Runs a database migration from FROM_REV to TO_REV (default: current
working directory parent), using the specified CONFIG_FILE (.ini file).
Test is run using a clean Kallithea install, in a temporary virtual
environment. FROM_REV and (optional) TO_REV should be Mercurial revision
identifiers (e.g. changeset hash or a version number tag). The working
directory is not touched, but the database referenced in the config file
will be (re)created.
Only SQLite is available out of the box; for MySQL or PostgreSQL, set
the EXTRA environment variable to the required package(s), and it'll
be installed in the virtual environment. (E.g. EXTRA=MySQL-python or
EXTRA=psycopg2.)
The temporary directory is not removed, allowing follow-up examination
of the upgrade results. It is, however, created in /tmp by default,
which many Linux distributions automatically clean at regular intervals.
EOD
exit 1
fi
config_file=$(readlink -f "$1")
from_rev=$2
to_rev=$3
source_repo=$(dirname "$(dirname "$(readlink -f "$0")")")
announce() {
echo
echo "$1"
echo
}
quiet_if_ok() (
local output
local st
set +e
output=$("$@" < /dev/null 2>&1)
st=$?
if [ $st -ne 0 ]; then
echo "$output" >&2
echo "Command $@ returned exit status $st." >&2
exit 1
fi
)
HG() {
"${HG:-hg}" --repository "$source_repo" "$@"
}
# If upgrading to "current revision", warn if working directory is dirty.
if [ ! "$to_rev" ] && [ "$(HG status -mard)" ]; then
announce "Warning: Uncommitted changes in working directory will be ignored!"
fi
from_rev_hash=$(HG id --id --rev "${from_rev:-.}")
to_rev_hash=$(HG id --id --rev "${to_rev:-.}")
temp=$(readlink -f "$(mktemp --tmpdir -d 'dbmigrate-test.XXXXXX')")
cat <<EOD
Config file: $config_file
EOD
sed -n -e 's/^sqlalchemy\.url *= */Database URL: /p' "$config_file"
cat <<EOD
Working dir: $temp
Repository: $source_repo
Upgrade from: $from_rev_hash (${from_rev:-current})
Upgrade to: $to_rev_hash (${to_rev:-current})
Extra packages: ${EXTRA:-(none)}
EOD
mkdir "$temp/repos" # empty
# Enable caching for old pip versions (this will cache the pip upgrade)
# Newer pip versions cache automatically, and don't use this variable.
if [ ! "$PIP_DOWNLOAD_CACHE" ]; then
export PIP_DOWNLOAD_CACHE=$HOME/.cache/pip/legacy
fi
install_kallithea() {
local prefix=$1
local rev=$2
announce "Installing Kallithea $rev in $prefix..."
"${VIRTUALENV:-virtualenv}" --quiet "$prefix-env"
HG archive --rev "$rev" "$prefix"
(
cd "$prefix"
. "$prefix-env/bin/activate"
pip install --quiet --upgrade pip setuptools mercurial $EXTRA
pip install --quiet -e .
)
}
install_kallithea "$temp/from" "$from_rev_hash"
(
cd "$temp/from"
. "$temp/from-env/bin/activate"
announce "Initializing database..."
quiet_if_ok kallithea-cli db-create -c "$config_file" --repos="$temp/repos" --user=doe --email=doe@example.com --password=123456 --no-public-access --force-yes
alembic -c "$config_file" current -v
)
install_kallithea "$temp/to" "$to_rev_hash"
(
cd "$temp/to"
. "$temp/to-env/bin/activate"
announce "Commencing database upgrade from shown Alembic revision to head..."
alembic -c "$config_file" current -v
alembic -c "$config_file" upgrade head
announce "Upgrade complete, now at the shown Alembic revision:"
alembic -c "$config_file" current -v
)
|