This is an automated email from the ASF dual-hosted git repository. brondsem pushed a commit to branch db/syntax_escaping in repository https://gitbox.apache.org/repos/asf/allura.git
commit 919ab928c5907a24a97e308df261b6d0dc6f8293
Author: Dave Brondsema <dbronds...@slashdotmedia.com>
AuthorDate: Tue Dec 19 14:06:20 2023 -0500

improve JS syntax and escaping
---
 Allura/allura/ext/admin/templates/project_trove.html | 2 +-
 Allura/allura/lib/widgets/forms.py | 7 ++-----
 Allura/allura/lib/widgets/resources/js/post.js | 6 +++---
 Allura/allura/public/nf/js/site_admin_new_projects.js | 2 +-
 ForgeTracker/forgetracker/templates/tracker/ticket.html | 2 +-
 ForgeTracker/forgetracker/widgets/resources/js/mass-edit.js | 4 ++--
 ForgeTracker/forgetracker/widgets/resources/js/ticket-list.js | 2 +-
 7 files changed, 11 insertions(+), 14 deletions(-)
diff --git a/Allura/allura/ext/admin/templates/project_trove.html b/Allura/allura/ext/admin/templates/project_trove.html
index e93aac4f5..0d1a9da78 100644
--- a/Allura/allura/ext/admin/templates/project_trove.html
+++ b/Allura/allura/ext/admin/templates/project_trove.html
@@ -130,7 +130,7 @@
 insertAfter = this;
 }
 });
- var $newItem = $('<div><span class="trove_fullpath">'+resp.trove_full_path+'</span> <form class="trove_deleter"><input type="hidden" name="type" value="'+type+'"><input type="hidden" name="trove" value="'+new_id+'">'+del_btn+'</form></div>');
+ var $newItem = $('<div><span class="trove_fullpath">'+escape_html(resp.trove_full_path)+'</span> <form class="trove_deleter"><input type="hidden" name="type" value="'+escape_html(type)+'"><input type="hidden" name="trove" value="'+escape_html(new_id)+'">'+del_btn+'</form></div>');
 if (insertAfter) {
 $newItem.insertAfter(insertAfter);
 } else {
diff --git a/Allura/allura/lib/widgets/forms.py b/Allura/allura/lib/widgets/forms.py
index 0ac373b2d..5252819e1 100644
--- a/Allura/allura/lib/widgets/forms.py
+++ b/Allura/allura/lib/widgets/forms.py
@@ -16,7 +16,7 @@
 # under the License.
 import logging
-import warnings
+from html import escape as html_escape
 from tg import app_globals as g, tmpl_context as c
 from formencode import validators as fev
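Review bot: `del_btn` is the only value in the rebuilt `$newItem` string that is still concatenated raw, while the three surrounding values now go through `escape_html`; if it is a pre-rendered markup fragment that is fine, but it deserves a comment such as `// del_btn is trusted markup built above, not user data` so the next reader does not wrap it or, worse, start treating it as data. Each escaped value lands inside a double-quoted attribute, so `escape_html` must also encode `"` (and ideally `'`), which cannot be confirmed from this hunk and is worth checking in the helper. A construction that never parses a string as HTML would remove the need to remember escaping per value, e.g. `$('<input>', {type: 'hidden', name: 'trove', value: new_id})` for each input and `.text(resp.trove_full_path)` for the span, since jQuery sets those as DOM properties. The enclosing callback starts outside the hunk.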
@@ -35,8 +35,6 @@ from allura.lib import plugin
 from allura.lib.widgets import form_fields as ffw
 from allura.lib import exceptions as forge_exc
 from allura import model as M
-import six
-from functools import reduce
 log = logging.getLogger(__name__)
@@ -104,8 +102,7 @@ class ForgeForm(ew.SimpleForm):
 or ctx.get('label')
 or getattr(field, 'label', None)
 or ctx['name'])
- html = '<label for="{}">{}</label>'.format(
- ctx['id'], label_text)
+ html = '<label for="{}">{}</label>'.format(html_escape(ctx['id']), html_escape(label_text))
 return Markup(html)
 def context_for(self, field):
diff --git a/Allura/allura/lib/widgets/resources/js/post.js b/Allura/allura/lib/widgets/resources/js/post.js
index 6103944eb..d23c6af9c 100644
--- a/Allura/allura/lib/widgets/resources/js/post.js
+++ b/Allura/allura/lib/widgets/resources/js/post.js
@@ -76,8 +76,8 @@
 } else if (data.username) {
 flash('User blocked', 'success');
 // full page form submit
- $('<form method="POST" action="' + $this.data('discussion-url')+'moderate/save_moderation_bulk_user?username=' + $this.attr('data-user') + '&spam=1">' +
- '<input name="_session_id" type="hidden" value="'+cval+'"></form>')
+ $('<form method="POST" action="' + escape_html($this.data('discussion-url'))+'moderate/save_moderation_bulk_user?username=' + escape_html($this.attr('data-user')) + '&spam=1">' +
+ '<input name="_session_id" type="hidden" value="'+escape_html(cval)+'"></form>')
 .appendTo('body')
 .submit();
 } else {
@@ -162,4 +162,4 @@
 });
 }
 });
-}());
\ No newline at end of file
+}());
diff --git a/Allura/allura/public/nf/js/site_admin_new_projects.js b/Allura/allura/public/nf/js/site_admin_new_projects.js
index 302f4f7ef..b2798a5aa 100644
--- a/Allura/allura/public/nf/js/site_admin_new_projects.js
+++ b/Allura/allura/public/nf/js/site_admin_new_projects.js
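Review bot: The new `html_escape(label_text)` will also escape a `label_text` that is already `Markup` (a widget label that deliberately carries HTML), because `html.escape` does not honour `__html__`; the `Markup(html)` on the next line shows markupsafe is already in scope, and `markupsafe.escape` / `Markup.format` skip objects that declare `__html__`. A one-line form that keeps the attribute-safe escaping of `ctx['id']` and stays Markup-aware is `return Markup('<label for="{}">{}</label>').format(ctx['id'], label_text)`, which also makes the new `html_escape` import unnecessary here. Whether any caller actually passes `Markup` labels is not visible in this hunk, so confirm before choosing; the enclosing method starts outside the hunk.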
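Review bot: In the new `action` string the username is still interpolated into a URL query without URL-encoding; `escape_html` protects the attribute context but not the URL one, so a `data-user` value containing `&`, `=`, `#`, `+` or a space would still alter or truncate the `username=` parameter. The repository already uses `encodeURIComponent` in ticket-list.js, so the line can become `'moderate/save_moderation_bulk_user?username=' + escape_html(encodeURIComponent($this.attr('data-user'))) + '&spam=1">' +`, encoding for the URL first and then for the attribute. `escape_html($this.data('discussion-url'))` has the same shape; presumably that URL is server-rendered and trusted, in which case it is fine. The enclosing handler starts and ends outside the hunk.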
@@ -35,7 +35,7 @@ $(document).ready(function() {
 $('.js-select-project').change(function() {
 var shortname = $(this).attr('data-shortname');
 if ($(this).is(':checked')) {
- $('#selected-projects').append(' ' + shortname);
+ $('#selected-projects').append(' ' + escape_html(shortname));
 } else {
 var shortnames = $('#selected-projects').text().split(' ');
 for (var i = 0; i < shortnames.length; i++) {
diff --git a/ForgeTracker/forgetracker/templates/tracker/ticket.html b/ForgeTracker/forgetracker/templates/tracker/ticket.html
index 9136127f5..e17020bf7 100644
--- a/ForgeTracker/forgetracker/templates/tracker/ticket.html
+++ b/ForgeTracker/forgetracker/templates/tracker/ticket.html
@@ -228,7 +228,7 @@
 view_holder.show();
 discussion_holder.show();
 ticket_content.show();
- title_holder.find('span').html(original_title_text)
+ title_holder.find('span').text(original_title_text);
 title_actions.appendTo(title_holder);
 title_actions.show();
 vote.show();
diff --git a/ForgeTracker/forgetracker/widgets/resources/js/mass-edit.js b/ForgeTracker/forgetracker/widgets/resources/js/mass-edit.js
index 35d91aa92..886f973ef 100644
--- a/ForgeTracker/forgetracker/widgets/resources/js/mass-edit.js
+++ b/ForgeTracker/forgetracker/widgets/resources/js/mass-edit.js
@@ -19,10 +19,10 @@ $(function(){
 $form = $('#update-values');
- if ($form.length == 0) {
+ if ($form.length === 0) {
 $form = $('.editbox > form');
 }
- if ($('#id_search').length == 0) {
+ if ($('#id_search').length === 0) {
 $form.append('<input type="hidden" name="__search" id="id_search">');
 }
 $('#id_search').val(window.location.search);
diff --git a/ForgeTracker/forgetracker/widgets/resources/js/ticket-list.js b/ForgeTracker/forgetracker/widgets/resources/js/ticket-list.js
index 5c0a3f687..a11f858df 100644
--- a/ForgeTracker/forgetracker/widgets/resources/js/ticket-list.js
+++ b/ForgeTracker/forgetracker/widgets/resources/js/ticket-list.js
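Review bot: `escape_html(shortname)` is needed only because `.append()` with a string parses it as HTML; appending a text node instead, `$('#selected-projects').append(document.createTextNode(' ' + shortname));`, removes the HTML context entirely and stays consistent with the `.text().split(' ')` read in the else branch, which decodes entities back and so behaves the same for an escaped value. A shortname containing a space would break that split-based removal either way; that predates this change but merits a comment on the else branch. The change handler continues past the end of the hunk.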
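Review bot: Switching to `.text(original_title_text)` is correct only if `original_title_text` was captured with `.text()` as well; if the earlier capture, which lies outside this hunk, used `.html()`, the restored title would now display entities such as `&amp;` literally. Worth checking the capture site and annotating it, e.g. `// plain text; restored with .text() on cancel`. The surrounding function starts outside the hunk.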
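Review bot: `$form = $('#update-values');` on the first context line assigns without `var`/`let`, so unless `$form` is declared above the hunk it becomes an implicit global shared with every other script on the page; `var $form = $('#update-values');` keeps it local to the ready callback. This is adjacent to rather than part of the `===` change, but the hunk is the natural place to fix it. The callback continues outside the hunk.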
@@ -46,7 +46,7 @@
 '&filter=' + encodeURIComponent(JSON.stringify(filter));
 // preserve displayed columns, when filter changes
 $('#col_list_form input').each(function() {
- if (this.name.indexOf('columns-') == 0) {
+ if (this.name.indexOf('columns-') === 0) {
 var inp = $(this);
 var val = inp.val();
 if (inp.is(':checkbox') && !inp.is(':checked')) { val = ''; }
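Review bot: The new `this.name.indexOf('columns-') === 0` is a prefix test written as an index comparison; `if (this.name.startsWith('columns-')) {` states the intent directly, provided the project's browser baseline already allows ES2015 string methods, which this hunk does not show. The `.each` callback continues past the end of the hunk.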