From d47c31a58748d6cfc52c893eaf39d5412cba1f84 Mon Sep 17 00:00:00 2001
From: Florent Le Coz <louiz@louiz.org>
Date: Thu, 5 Jul 2012 00:49:00 +0200
Subject: Properly quote the %(body)s and %(from)s used in the simple_notify
 plugin.

---
 plugins/simple_notify.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'plugins/simple_notify.py')

diff --git a/plugins/simple_notify.py b/plugins/simple_notify.py
index bc31c961..c2cbb198 100644
--- a/plugins/simple_notify.py
+++ b/plugins/simple_notify.py
@@ -1,6 +1,7 @@
 from plugin import BasePlugin
 from xhtml import clean_text, get_body_from_message_stanza
 from timed_events import DelayedEvent
+import pipes
 
 class Plugin(BasePlugin):
     def init(self):
@@ -28,9 +29,10 @@ class Plugin(BasePlugin):
         if not command:
             self.core.information('No notification command was provided in the configuration file', 'Warning')
             return
-        self.core.exec_command(command % {'body':body, 'from':fro})
+        self.core.exec_command(command % {'body':pipes.quote(body), 'from':pipes.quote(fro)})
         after_command = self.config.get('after_command', '').strip()
         if not after_command:
             return
-        delayed_event = DelayedEvent(self.config.get('delay', 1), self.core.exec_command, after_command % {'body':body, 'from':fro})
+        delayed_event = DelayedEvent(self.config.get('delay', 1), self.core.exec_command, after_command % {'body':pipes.quote(body), 'from':pipes.quote(fro)})
         self.core.add_timed_event(delayed_event)
+4
-- 
cgit v1.2.3