Posted to commits@allura.apache.org by br...@apache.org on 2023/12/19 19:42:01 UTC

(allura) branch db/syntax_escaping created (now 919ab928c)

This is an automated email from the ASF dual-hosted git repository.

brondsem pushed a change to branch db/syntax_escaping
in repository https://gitbox.apache.org/repos/asf/allura.git


      at 919ab928c improve JS syntax and escaping

This branch includes the following new commits:

     new 919ab928c improve JS syntax and escaping

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.



(allura) 01/01: improve JS syntax and escaping

Posted by br...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

brondsem pushed a commit to branch db/syntax_escaping
in repository https://gitbox.apache.org/repos/asf/allura.git

commit 919ab928c5907a24a97e308df261b6d0dc6f8293
Author: Dave Brondsema <db...@slashdotmedia.com>
AuthorDate: Tue Dec 19 14:06:20 2023 -0500

    improve JS syntax and escaping
---
 Allura/allura/ext/admin/templates/project_trove.html          | 2 +-
 Allura/allura/lib/widgets/forms.py                            | 7 ++-----
 Allura/allura/lib/widgets/resources/js/post.js                | 6 +++---
 Allura/allura/public/nf/js/site_admin_new_projects.js         | 2 +-
 ForgeTracker/forgetracker/templates/tracker/ticket.html       | 2 +-
 ForgeTracker/forgetracker/widgets/resources/js/mass-edit.js   | 4 ++--
 ForgeTracker/forgetracker/widgets/resources/js/ticket-list.js | 2 +-
 7 files changed, 11 insertions(+), 14 deletions(-)

diff --git a/Allura/allura/ext/admin/templates/project_trove.html b/Allura/allura/ext/admin/templates/project_trove.html
index e93aac4f5..0d1a9da78 100644
--- a/Allura/allura/ext/admin/templates/project_trove.html
+++ b/Allura/allura/ext/admin/templates/project_trove.html
@@ -130,7 +130,7 @@
                     insertAfter = this;
                 }
               });
-              var $newItem = $('<div><span class="trove_fullpath">'+resp.trove_full_path+'</span> <form class="trove_deleter"><input type="hidden" name="type" value="'+type+'"><input type="hidden" name="trove" value="'+new_id+'">'+del_btn+'</form></div>');
+              var $newItem = $('<div><span class="trove_fullpath">'+escape_html(resp.trove_full_path)+'</span> <form class="trove_deleter"><input type="hidden" name="type" value="'+escape_html(type)+'"><input type="hidden" name="trove" value="'+escape_html(new_id)+'">'+del_btn+'</form></div>');
               if (insertAfter) {
                 $newItem.insertAfter(insertAfter);
               } else {
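Review bot: `del_btn` is still concatenated into the markup on the `+` line unescaped while the three other interpolated values now go through `escape_html`; if it is a fixed button fragment assembled in the template that is fine, but nothing in the hunk shows where it comes from, so a comment such as `// del_btn is a static markup fragment, not user data` on that line would record why it is the exception. `escape_html` is not defined in this hunk; presumably it is a shared helper loaded before this template's script, which is worth confirming for this page. The enclosing handler starts and ends outside the hunk.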
diff --git a/Allura/allura/lib/widgets/forms.py b/Allura/allura/lib/widgets/forms.py
index 0ac373b2d..5252819e1 100644
--- a/Allura/allura/lib/widgets/forms.py
+++ b/Allura/allura/lib/widgets/forms.py
@@ -16,7 +16,7 @@
 #       under the License.
 
 import logging
-import warnings
+from html import escape as html_escape
 
 from tg import app_globals as g, tmpl_context as c
 from formencode import validators as fev
@@ -35,8 +35,6 @@ from allura.lib import plugin
 from allura.lib.widgets import form_fields as ffw
 from allura.lib import exceptions as forge_exc
 from allura import model as M
-import six
-from functools import reduce
 
 
 log = logging.getLogger(__name__)
@@ -104,8 +102,7 @@ class ForgeForm(ew.SimpleForm):
             or ctx.get('label')
             or getattr(field, 'label', None)
             or ctx['name'])
-        html = '<label for="{}">{}</label>'.format(
-            ctx['id'], label_text)
+        html = '<label for="{}">{}</label>'.format(html_escape(ctx['id']), html_escape(label_text))
         return Markup(html)
 
     def context_for(self, field):
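Review bot: `html_escape(label_text)` on the new line will double-escape a label that is already a `Markup` instance, because `html.escape` ignores the `__html__` protocol; `label_text` can come from `getattr(field, 'label', None)` on the context lines above, whose type is not visible here. `Markup.escape` honours `__html__`, and `Markup.format` escapes its arguments the same way, so `return Markup('<label for="{}">{}</label>').format(ctx['id'], label_text)` gives the same escaping for plain strings, keeps pre-rendered labels intact, and makes the new `html_escape` import in the first hunk unnecessary. The new line also runs well past the file's line length; the `Markup.format` form fits on one line. The enclosing method starts outside the hunk.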
diff --git a/Allura/allura/lib/widgets/resources/js/post.js b/Allura/allura/lib/widgets/resources/js/post.js
index 6103944eb..d23c6af9c 100644
--- a/Allura/allura/lib/widgets/resources/js/post.js
+++ b/Allura/allura/lib/widgets/resources/js/post.js
@@ -76,8 +76,8 @@
                     } else if (data.username) {
                         flash('User blocked', 'success');
                         // full page form submit
-                        $('<form method="POST" action="' + $this.data('discussion-url')+'moderate/save_moderation_bulk_user?username=' + $this.attr('data-user') + '&spam=1">' +
-                            '<input name="_session_id" type="hidden" value="'+cval+'"></form>')
+                        $('<form method="POST" action="' + escape_html($this.data('discussion-url'))+'moderate/save_moderation_bulk_user?username=' + escape_html($this.attr('data-user')) + '&spam=1">' +
+                            '<input name="_session_id" type="hidden" value="'+escape_html(cval)+'"></form>')
                             .appendTo('body')
                             .submit();
                     } else {
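Review bot: `$this.attr('data-user')` on the new `action=` line is interpolated into a URL query string, and `escape_html` only addresses the HTML-attribute context; a username containing `&`, `#` or `%` would still change the query that reaches `save_moderation_bulk_user`. It needs URL encoding first and HTML escaping second, `escape_html(encodeURIComponent($this.attr('data-user')))`. Building the form with jQuery attribute setters instead of string concatenation removes the layered escaping altogether, as below. The enclosing callback starts outside the hunk.
```javascript
// full page form submit
var action = $this.data('discussion-url') +
    'moderate/save_moderation_bulk_user?username=' +
    encodeURIComponent($this.attr('data-user')) + '&spam=1';
$('<form>', {method: 'POST', action: action})
    .append($('<input>', {name: '_session_id', type: 'hidden', value: cval}))
    .appendTo('body')
    .submit();
```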
@@ -162,4 +162,4 @@
             });
         }
     });
-}());
\ No newline at end of file
+}());
diff --git a/Allura/allura/public/nf/js/site_admin_new_projects.js b/Allura/allura/public/nf/js/site_admin_new_projects.js
index 302f4f7ef..b2798a5aa 100644
--- a/Allura/allura/public/nf/js/site_admin_new_projects.js
+++ b/Allura/allura/public/nf/js/site_admin_new_projects.js
@@ -35,7 +35,7 @@ $(document).ready(function() {
   $('.js-select-project').change(function() {
     var shortname = $(this).attr('data-shortname');
     if ($(this).is(':checked')) {
-      $('#selected-projects').append(' ' + shortname);
+      $('#selected-projects').append(' ' + escape_html(shortname));
     } else {
       var shortnames = $('#selected-projects').text().split(' ');
       for (var i = 0; i < shortnames.length; i++) {
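Review bot: `.append(' ' + escape_html(shortname))` on the new line still hands jQuery an HTML string to parse; appending a text node sidesteps that context and needs no helper: `$('#selected-projects').append(document.createTextNode(' ' + shortname));`. The `else` branch below reads the list back with `.text().split(' ')`, which yields the unescaped values, so the write-back (outside the hunk) should also go through `.text()` rather than `.html()` to stay consistent. The enclosing handler ends outside the hunk.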
diff --git a/ForgeTracker/forgetracker/templates/tracker/ticket.html b/ForgeTracker/forgetracker/templates/tracker/ticket.html
index 9136127f5..e17020bf7 100644
--- a/ForgeTracker/forgetracker/templates/tracker/ticket.html
+++ b/ForgeTracker/forgetracker/templates/tracker/ticket.html
@@ -228,7 +228,7 @@
             view_holder.show();
             discussion_holder.show();
             ticket_content.show();
-            title_holder.find('span').html(original_title_text)
+            title_holder.find('span').text(original_title_text);
             title_actions.appendTo(title_holder);
             title_actions.show();
             vote.show();
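Review bot: `.text(original_title_text)` on the new line is only correct if `original_title_text` was captured with `.text()` rather than `.html()`; the capture site is not in the hunk, and an `.html()`-captured value would now render entities such as `&amp;` literally in the title. Worth checking that the save and restore sides agree, and a comment at the capture site such as `// plain text; restored with .text()` would keep them in step. The enclosing handler starts and ends outside the hunk.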
diff --git a/ForgeTracker/forgetracker/widgets/resources/js/mass-edit.js b/ForgeTracker/forgetracker/widgets/resources/js/mass-edit.js
index 35d91aa92..886f973ef 100644
--- a/ForgeTracker/forgetracker/widgets/resources/js/mass-edit.js
+++ b/ForgeTracker/forgetracker/widgets/resources/js/mass-edit.js
@@ -19,10 +19,10 @@
 
 $(function(){
     $form = $('#update-values');
-    if ($form.length == 0) {
+    if ($form.length === 0) {
         $form = $('.editbox > form');
     }
-    if ($('#id_search').length == 0) {
+    if ($('#id_search').length === 0) {
         $form.append('<input type="hidden" name="__search" id="id_search">');
     }
     $('#id_search').val(window.location.search);
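Review bot: `$form = $('#update-values');` on the context line above the changed comparisons assigns without `var`, so `$form` becomes an implicit global (and throws under strict mode); while the block is being tidied for `===`, it should read `var $form = $('#update-values');`. The enclosing ready callback ends outside the hunk.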
diff --git a/ForgeTracker/forgetracker/widgets/resources/js/ticket-list.js b/ForgeTracker/forgetracker/widgets/resources/js/ticket-list.js
index 5c0a3f687..a11f858df 100644
--- a/ForgeTracker/forgetracker/widgets/resources/js/ticket-list.js
+++ b/ForgeTracker/forgetracker/widgets/resources/js/ticket-list.js
@@ -46,7 +46,7 @@
                           '&filter=' + encodeURIComponent(JSON.stringify(filter));
         // preserve displayed columns, when filter changes
         $('#col_list_form input').each(function() {
-            if (this.name.indexOf('columns-') == 0) {
+            if (this.name.indexOf('columns-') === 0) {
                 var inp = $(this);
                 var val = inp.val();
                 if (inp.is(':checkbox') && !inp.is(':checked')) { val = ''; }
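Review bot: `this.name.indexOf('columns-') === 0` on the new line is a prefix test written indirectly; `this.name.startsWith('columns-')` states the intent directly, assuming the project no longer supports browsers without `String.prototype.startsWith`. The enclosing callback starts and ends outside the hunk.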