[tryton-commits] changeset in sao:5.4 Prepare release 5.4.10 [skip ci]

2020-06-29 Thread Cédric Krier
changeset 97506c0c3b50 in sao:5.4
details: https://hg.tryton.org/sao?cmd=changeset;node=97506c0c3b50
description:
Prepare release 5.4.10 [skip ci]
diffstat:

 CHANGELOG |  2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diffs (9 lines):

diff -r ce5339fc07c1 -r 97506c0c3b50 CHANGELOG
--- a/CHANGELOG Mon Jun 29 17:33:06 2020 +0200
+++ b/CHANGELOG Mon Jun 29 18:05:57 2020 +0200
@@ -1,3 +1,5 @@
+Version 5.4.10 - 2020-06-29
+* Bug fixes (see mercurial logs for details)
 * Sanitize RichtText fields content (issue9405)
 * Escape external string (issue9394)
 



[tryton-commits] changeset in sao:5.0 Sanitize RichtText fields content

2020-06-29 Thread Nicolas Évrard
changeset 72fd59da9505 in sao:5.0
details: https://hg.tryton.org/sao?cmd=changeset;node=72fd59da9505
description:
Sanitize RichtText fields content

issue9405
review327451002
(grafted from 4e0e93b11cad63c6b25f5230055653edb21a334c)
diffstat:

 CHANGELOG |1 +
 COPYRIGHT |1 +
 Gruntfile.js  |3 +-
 src/html_sanitizer.js |  105 ++
 src/view/form.js  |5 +-
 tests/sao.js  |   19 +
 6 files changed, 131 insertions(+), 3 deletions(-)

diffs (192 lines):

diff -r 19a307dc7455 -r 72fd59da9505 CHANGELOG
--- a/CHANGELOG Mon Jun 29 17:29:45 2020 +0200
+++ b/CHANGELOG Mon Jun 29 17:33:06 2020 +0200
@@ -1,3 +1,4 @@
+* Sanitize RichtText fields content (issue9405)
 * Escape external string (issue9394)
 
 Version 5.0.25 - 2020-06-16
diff -r 19a307dc7455 -r 72fd59da9505 COPYRIGHT
--- a/COPYRIGHT Mon Jun 29 17:29:45 2020 +0200
+++ b/COPYRIGHT Mon Jun 29 17:33:06 2020 +0200
@@ -2,6 +2,7 @@
 Copyright (C) 2012-2020 Cédric Krier.
 Copyright (C) 2012-2014 Bertrand Chenal.
 Copyright (C) 2012-2020 B2CK SPRL.
+Copyright (C) 2019 Jitbit.
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
diff -r 19a307dc7455 -r 72fd59da9505 Gruntfile.js
--- a/Gruntfile.js  Mon Jun 29 17:29:45 2020 +0200
+++ b/Gruntfile.js  Mon Jun 29 17:33:06 2020 +0200
@@ -21,7 +21,8 @@
   'src/window.js',
   'src/wizard.js',
   'src/board.js',
-  'src/bus.js'
+  'src/bus.js',
+  'src/html_sanitizer.js'
   ];
 
   // Project configuration.
diff -r 19a307dc7455 -r 72fd59da9505 src/html_sanitizer.js
--- /dev/null   Thu Jan 01 00:00:00 1970 +
+++ b/src/html_sanitizer.js Mon Jun 29 17:33:06 2020 +0200
@@ -0,0 +1,105 @@
+/*
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+*/
+
+(function () {
+'use strict';
+
+var tag_whitelist = {
+B: true,
+BODY: true,
+BR: true,
+DIV: true,
+FONT: true,
+I: true,
+U: true,
+};
+
+var attribute_whitelist = {
+align: true,
+color: true,
+face: true,
+size: true,
+};
+
+Sao.HtmlSanitizer = {};
+Sao.HtmlSanitizer.sanitize = function(input) {
+input = input.trim();
+// to save performance and not create iframe
+if (input === "") return "";
+
+// firefox "bogus node" workaround
+if (input == "") return "";
+
+var iframe = document.createElement('iframe');
+if (iframe.sandbox === undefined) {
+// Browser does not support sandboxed iframes
+console.warn("Your browser do not support sandboxed iframes," +
+" unable to sanitize HTML.");
+return input;
+}
+iframe.sandbox = 'allow-same-origin';
+iframe.style.display = 'none';
+// necessary so the iframe contains a document
+document.body.appendChild(iframe);
+var iframedoc = (iframe.contentDocument ||
+iframe.contentWindow.document);
+// null in IE
+if (iframedoc.body === null) {
+iframedoc.write("");
+}
+iframedoc.body.innerHTML = input;
+
+function make_sanitized_copy(node) {
+var new_node;
+if (node.nodeType == Node.TEXT_NODE) {
+new_node = node.cloneNode(true);
+} else if (node.nodeType == Node.ELEMENT_NODE &&
+tag_whitelist[node.tagName]) {
+//remove useless empty tags
+if ((node.tagName != "BR") && node.innerHTML.trim() === "") {
+return document.createDocumentFragment();
+}
+
+new_node = iframedoc.createElement(node.tagName);
+
+for (var i = 0; i < node.attributes.length; i++) {
+var attr = node.attributes[i];
+  

[tryton-commits] changeset in sao:5.4 Add tag 5.4.10 [skip ci]

2020-06-29 Thread Cédric Krier
changeset 70e5cf36fb5d in sao:5.4
details: https://hg.tryton.org/sao?cmd=changeset;node=70e5cf36fb5d
description:
Add tag 5.4.10 [skip ci]
diffstat:

 .hgtags |  1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diffs (8 lines):

diff -r 97506c0c3b50 -r 70e5cf36fb5d .hgtags
--- a/.hgtags   Mon Jun 29 18:05:57 2020 +0200
+++ b/.hgtags   Mon Jun 29 18:05:57 2020 +0200
@@ -16,3 +16,4 @@
 6d350cbb98a5c0da216ed1448a9d39882739f5f0 5.4.7
 12b9edf2ce60d1db4283a8c61a946948ed29b0c6 5.4.8
 17b2271bba6ff583b369a08c7ce2cdeeb57451d0 5.4.9
+97506c0c3b50aa1a27d3ae732c564b46097a774a 5.4.10



[tryton-commits] changeset in sao:5.6 Increase version number

2020-06-29 Thread Cédric Krier
changeset 9692165a0478 in sao:5.6
details: https://hg.tryton.org/sao?cmd=changeset;node=9692165a0478
description:
Increase version number
diffstat:

 package.json |  2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diffs (12 lines):

diff -r a7a019c7d39b -r 9692165a0478 package.json
--- a/package.json  Mon Jun 29 18:05:28 2020 +0200
+++ b/package.json  Mon Jun 29 18:05:38 2020 +0200
@@ -2,7 +2,7 @@
   "name": "tryton-sao",
   "title": "sao",
   "description": "Tryton webclient",
-  "version": "5.6.4",
+  "version": "5.6.5",
   "homepage": "http://www.tryton.org/;,
   "author": {
 "name": "Tryton"



[tryton-commits] changeset in sao:5.0 Increase version number

2020-06-29 Thread Cédric Krier
changeset ad4f804fd8ab in sao:5.0
details: https://hg.tryton.org/sao?cmd=changeset;node=ad4f804fd8ab
description:
Increase version number
diffstat:

 package.json |  2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diffs (12 lines):

diff -r 1c80aecc364c -r ad4f804fd8ab package.json
--- a/package.json  Mon Jun 29 18:06:51 2020 +0200
+++ b/package.json  Mon Jun 29 18:07:10 2020 +0200
@@ -2,7 +2,7 @@
   "name": "tryton-sao",
   "title": "sao",
   "description": "Tryton webclient",
-  "version": "5.0.26",
+  "version": "5.0.27",
   "homepage": "http://www.tryton.org/;,
   "author": {
 "name": "Tryton"



[tryton-commits] changeset in sao:5.4 Increase version number

2020-06-29 Thread Cédric Krier
changeset 25e876149373 in sao:5.4
details: https://hg.tryton.org/sao?cmd=changeset;node=25e876149373
description:
Increase version number
diffstat:

 package.json |  2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diffs (12 lines):

diff -r 70e5cf36fb5d -r 25e876149373 package.json
--- a/package.json  Mon Jun 29 18:05:57 2020 +0200
+++ b/package.json  Mon Jun 29 18:06:07 2020 +0200
@@ -2,7 +2,7 @@
   "name": "tryton-sao",
   "title": "sao",
   "description": "Tryton webclient",
-  "version": "5.4.10",
+  "version": "5.4.11",
   "homepage": "http://www.tryton.org/;,
   "author": {
 "name": "Tryton"



[tryton-commits] changeset in sao:5.0 Add tag 5.0.26 [skip ci]

2020-06-29 Thread Cédric Krier
changeset 1c80aecc364c in sao:5.0
details: https://hg.tryton.org/sao?cmd=changeset;node=1c80aecc364c
description:
Add tag 5.0.26 [skip ci]
diffstat:

 .hgtags |  1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diffs (8 lines):

diff -r 39c9b6f84551 -r 1c80aecc364c .hgtags
--- a/.hgtags   Mon Jun 29 18:06:51 2020 +0200
+++ b/.hgtags   Mon Jun 29 18:06:51 2020 +0200
@@ -30,3 +30,4 @@
 0cf45fdaf8ef012b5a996491c7c26e2ce093ebbc 5.0.23
 88d288d15ae9c11ff5b453495aae0f80e636a663 5.0.24
 9773f7f4e0e644ca23427db3c85269cf6bde8d88 5.0.25
+39c9b6f84551a8e1cb05d1946b571bf325fb8f53 5.0.26



[tryton-commits] changeset in sao:5.2 Increase version number

2020-06-29 Thread Cédric Krier
changeset 5e59a9e42cc7 in sao:5.2
details: https://hg.tryton.org/sao?cmd=changeset;node=5e59a9e42cc7
description:
Increase version number
diffstat:

 package.json |  2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diffs (12 lines):

diff -r f475a27aff4f -r 5e59a9e42cc7 package.json
--- a/package.json  Mon Jun 29 18:06:26 2020 +0200
+++ b/package.json  Mon Jun 29 18:06:39 2020 +0200
@@ -2,7 +2,7 @@
   "name": "tryton-sao",
   "title": "sao",
   "description": "Tryton webclient",
-  "version": "5.2.18",
+  "version": "5.2.19",
   "homepage": "http://www.tryton.org/;,
   "author": {
 "name": "Tryton"



[tryton-commits] changeset in sao:5.2 Prepare release 5.2.18 [skip ci]

2020-06-29 Thread Cédric Krier
changeset 1c6f86747ce5 in sao:5.2
details: https://hg.tryton.org/sao?cmd=changeset;node=1c6f86747ce5
description:
Prepare release 5.2.18 [skip ci]
diffstat:

 CHANGELOG |  2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diffs (9 lines):

diff -r 8d59d1bf1568 -r 1c6f86747ce5 CHANGELOG
--- a/CHANGELOG Mon Jun 29 17:33:06 2020 +0200
+++ b/CHANGELOG Mon Jun 29 18:06:25 2020 +0200
@@ -1,3 +1,5 @@
+Version 5.2.18 - 2020-06-29
+* Bug fixes (see mercurial logs for details)
 * Sanitize RichtText fields content (issue9405)
 * Escape external string (issue9394)
 



[tryton-commits] changeset in sao:5.6 Add tag 5.6.4 [skip ci]

2020-06-29 Thread Cédric Krier
changeset a7a019c7d39b in sao:5.6
details: https://hg.tryton.org/sao?cmd=changeset;node=a7a019c7d39b
description:
Add tag 5.6.4 [skip ci]
diffstat:

 .hgtags |  1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diffs (8 lines):

diff -r 231e8a94d0c0 -r a7a019c7d39b .hgtags
--- a/.hgtags   Mon Jun 29 18:05:28 2020 +0200
+++ b/.hgtags   Mon Jun 29 18:05:28 2020 +0200
@@ -11,3 +11,4 @@
 b073190a89ff1af0fd44f9890615a18c4bf10b19 5.6.1
 b1894a51a1d36450adae73d283864031d2447900 5.6.2
 2bc101e7b842ba2b10244682cd4a75d79e3830b2 5.6.3
+231e8a94d0c0f7303e489e3573e16bb9ab3e1bf9 5.6.4



[tryton-commits] changeset in sao:5.2 Sanitize RichtText fields content

2020-06-29 Thread Nicolas Évrard
changeset 8d59d1bf1568 in sao:5.2
details: https://hg.tryton.org/sao?cmd=changeset;node=8d59d1bf1568
description:
Sanitize RichtText fields content

issue9405
review327451002
(grafted from 4e0e93b11cad63c6b25f5230055653edb21a334c)
diffstat:

 CHANGELOG |1 +
 COPYRIGHT |1 +
 Gruntfile.js  |3 +-
 src/html_sanitizer.js |  105 ++
 src/view/form.js  |5 +-
 tests/sao.js  |   19 +
 6 files changed, 131 insertions(+), 3 deletions(-)

diffs (192 lines):

diff -r bb05591968e8 -r 8d59d1bf1568 CHANGELOG
--- a/CHANGELOG Mon Jun 29 17:29:45 2020 +0200
+++ b/CHANGELOG Mon Jun 29 17:33:06 2020 +0200
@@ -1,3 +1,4 @@
+* Sanitize RichtText fields content (issue9405)
 * Escape external string (issue9394)
 
 Version 5.2.17 - 2020-06-16
diff -r bb05591968e8 -r 8d59d1bf1568 COPYRIGHT
--- a/COPYRIGHT Mon Jun 29 17:29:45 2020 +0200
+++ b/COPYRIGHT Mon Jun 29 17:33:06 2020 +0200
@@ -2,6 +2,7 @@
 Copyright (C) 2012-2020 Cédric Krier.
 Copyright (C) 2012-2014 Bertrand Chenal.
 Copyright (C) 2012-2020 B2CK SPRL.
+Copyright (C) 2019 Jitbit.
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
diff -r bb05591968e8 -r 8d59d1bf1568 Gruntfile.js
--- a/Gruntfile.js  Mon Jun 29 17:29:45 2020 +0200
+++ b/Gruntfile.js  Mon Jun 29 17:33:06 2020 +0200
@@ -23,7 +23,8 @@
   'src/wizard.js',
   'src/board.js',
   'src/bus.js',
-  'src/plugins.js'
+  'src/plugins.js',
+  'src/html_sanitizer.js'
   ];
 
   // Project configuration.
diff -r bb05591968e8 -r 8d59d1bf1568 src/html_sanitizer.js
--- /dev/null   Thu Jan 01 00:00:00 1970 +
+++ b/src/html_sanitizer.js Mon Jun 29 17:33:06 2020 +0200
@@ -0,0 +1,105 @@
+/*
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+*/
+
+(function () {
+'use strict';
+
+var tag_whitelist = {
+B: true,
+BODY: true,
+BR: true,
+DIV: true,
+FONT: true,
+I: true,
+U: true,
+};
+
+var attribute_whitelist = {
+align: true,
+color: true,
+face: true,
+size: true,
+};
+
+Sao.HtmlSanitizer = {};
+Sao.HtmlSanitizer.sanitize = function(input) {
+input = input.trim();
+// to save performance and not create iframe
+if (input == "") return "";
+
+// firefox "bogus node" workaround
+if (input == "") return "";
+
+var iframe = document.createElement('iframe');
+if (iframe.sandbox === undefined) {
+// Browser does not support sandboxed iframes
+console.warn("Your browser do not support sandboxed iframes," +
+" unable to sanitize HTML.");
+return input;
+}
+iframe.sandbox = 'allow-same-origin';
+iframe.style.display = 'none';
+// necessary so the iframe contains a document
+document.body.appendChild(iframe);
+var iframedoc = (iframe.contentDocument ||
+iframe.contentWindow.document);
+// null in IE
+if (iframedoc.body == null) {
+iframedoc.write("");
+}
+iframedoc.body.innerHTML = input;
+
+function make_sanitized_copy(node) {
+var new_node;
+if (node.nodeType == Node.TEXT_NODE) {
+new_node = node.cloneNode(true);
+} else if (node.nodeType == Node.ELEMENT_NODE &&
+tag_whitelist[node.tagName]) {
+//remove useless empty tags
+if ((node.tagName != "BR") && node.innerHTML.trim() == "") {
+return document.createDocumentFragment();
+}
+
+new_node = iframedoc.createElement(node.tagName);
+
+for (var i = 0; i < node.attributes.length; i++) {
+var attr = node.attributes[i];
+

[tryton-commits] changeset in sao:5.2 Add tag 5.2.18 [skip ci]

2020-06-29 Thread Cédric Krier
changeset f475a27aff4f in sao:5.2
details: https://hg.tryton.org/sao?cmd=changeset;node=f475a27aff4f
description:
Add tag 5.2.18 [skip ci]
diffstat:

 .hgtags |  1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diffs (8 lines):

diff -r 1c6f86747ce5 -r f475a27aff4f .hgtags
--- a/.hgtags   Mon Jun 29 18:06:25 2020 +0200
+++ b/.hgtags   Mon Jun 29 18:06:26 2020 +0200
@@ -23,3 +23,4 @@
 64dae366402d60f26a5334e4e7c14333014a7844 5.2.15
 dd3052b1e63b52963001f3021b232d0c09acab59 5.2.16
 e65e54e30b11e782cb68bf5e68cfc581cfdac1d4 5.2.17
+1c6f86747ce59431fcbd0be4f30f0edcc0ac8b3d 5.2.18



[tryton-commits] changeset in sao:5.6 Prepare release 5.6.4 [skip ci]

2020-06-29 Thread Cédric Krier
changeset 231e8a94d0c0 in sao:5.6
details: https://hg.tryton.org/sao?cmd=changeset;node=231e8a94d0c0
description:
Prepare release 5.6.4 [skip ci]
diffstat:

 CHANGELOG |  2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diffs (9 lines):

diff -r bea22c5b2072 -r 231e8a94d0c0 CHANGELOG
--- a/CHANGELOG Mon Jun 29 17:33:06 2020 +0200
+++ b/CHANGELOG Mon Jun 29 18:05:28 2020 +0200
@@ -1,3 +1,5 @@
+Version 5.6.4 - 2020-06-29
+* Bug fixes (see mercurial logs for details)
 * Sanitize RichtText fields content (issue9405)
 * Escape external string (issue9394)
 



[tryton-commits] changeset in sao:5.0 Prepare release 5.0.26 [skip ci]

2020-06-29 Thread Cédric Krier
changeset 39c9b6f84551 in sao:5.0
details: https://hg.tryton.org/sao?cmd=changeset;node=39c9b6f84551
description:
Prepare release 5.0.26 [skip ci]
diffstat:

 CHANGELOG |  2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diffs (9 lines):

diff -r 72fd59da9505 -r 39c9b6f84551 CHANGELOG
--- a/CHANGELOG Mon Jun 29 17:33:06 2020 +0200
+++ b/CHANGELOG Mon Jun 29 18:06:51 2020 +0200
@@ -1,3 +1,5 @@
+Version 5.0.26 - 2020-06-29
+* Bug fixes (see mercurial logs for details)
 * Sanitize RichtText fields content (issue9405)
 * Escape external string (issue9394)
 



[tryton-commits] changeset in sao:5.6 Escape external strings

2020-06-29 Thread Cédric Krier
changeset 6d7c2dbd02a4 in sao:5.6
details: https://hg.tryton.org/sao?cmd=changeset;node=6d7c2dbd02a4
description:
Escape external strings

issue9394
review293931002
(grafted from d1858845ab3aebd0788b18c667c58617ee54ad4f)
diffstat:

 CHANGELOG|   2 ++
 src/tab.js   |   6 +++---
 src/view/form.js |   2 +-
 src/view/tree.js |   8 
 src/window.js|  16 
 5 files changed, 18 insertions(+), 16 deletions(-)

diffs (160 lines):

diff -r c553b983d10a -r 6d7c2dbd02a4 CHANGELOG
--- a/CHANGELOG Wed Jun 17 13:51:41 2020 +0200
+++ b/CHANGELOG Mon Jun 29 17:29:45 2020 +0200
@@ -1,3 +1,5 @@
+* Escape external string (issue9394)
+
 Version 5.6.3 - 2020-06-16
 * Bug fixes (see mercurial logs for details)
 
diff -r c553b983d10a -r 6d7c2dbd02a4 src/tab.js
--- a/src/tab.jsWed Jun 17 13:51:41 2020 +0200
+++ b/src/tab.jsMon Jun 29 17:29:45 2020 +0200
@@ -406,7 +406,7 @@
 role: 'tabpanel',
 'class': 'tab-pane',
 id: tab.id
-}).html(tab.el)
+}).append(tab.el)
 .appendTo(tabcontent);
 tab_link.tab('show');
 tabs.trigger('ready');
@@ -1358,7 +1358,7 @@
 }.bind(this));
 this.create_tabcontent();
 this.set_name(this.name);
-this.title.html(this.name_el.text());
+this.title.text(this.name_el.text());
 },
 compare: function(attributes) {
 if (!attributes) {
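Review bot: The `.html()` to `.text()` switch on `this.title` is the escaping fix of this hunk, but nothing in the code records why, so a later cleanup back to `.html()` would silently reintroduce markup parsing of the name string; add a why-comment above the line, `// .text(): the name is data and must never be parsed as markup`. The same applies to the identical line in the next src/tab.js hunk and to both src/tab.js hunks of the 5.0 graft further down this page. The `.append(tab.el)` change in the first hunk is behaviour-neutral for a jQuery/DOM argument and needs no comment. The enclosing method starts outside the hunk.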
@@ -1398,7 +1398,7 @@
 this.set_name(wizard.name);
 wizard.tab = this;
 this.create_tabcontent();
-this.title.html(this.name_el.text());
+this.title.text(this.name_el.text());
 this.el.append(wizard.form);
 },
 create_toolbar: function() {
diff -r c553b983d10a -r 6d7c2dbd02a4 src/view/form.js
--- a/src/view/form.js  Wed Jun 17 13:51:41 2020 +0200
+++ b/src/view/form.js  Mon Jun 29 17:29:45 2020 +0200
@@ -780,7 +780,7 @@
 .append(img)
 .text(text))
 .appendTo(this.nav);
-pane.html(tab).appendTo(this.panes);
+pane.append(tab).appendTo(this.panes);
 if (!this.selected) {
 // Can not use .tab('show')
 page.addClass('active');
diff -r c553b983d10a -r 6d7c2dbd02a4 src/view/tree.js
--- a/src/view/tree.js  Wed Jun 17 13:51:41 2020 +0200
+++ b/src/view/tree.js  Mon Jun 29 17:29:45 2020 +0200
@@ -1336,7 +1336,7 @@
 if (item.length) {
 prefix.render(this.record, item);
 } else {
-prefix_el.html(prefix.render(this.record));
+
prefix_el.empty().append(prefix.render(this.record));
 }
 }
 }
@@ -1345,7 +1345,7 @@
 if (item.length) {
 column.render(this.record, item);
 } else {
-widget.html(column.render(this.record));
+widget.empty().append(column.render(this.record));
 }
 if (column.suffixes) {
 for (var k = 0; k < column.suffixes.length; k++) {
@@ -1355,7 +1355,7 @@
 if (item.length) {
 suffix.render(this.record, item);
 } else {
-suffix_el.html(suffix.render(this.record));
+
suffix_el.empty().append(suffix.render(this.record));
 }
 }
 }
@@ -1692,7 +1692,7 @@
 this.tree.columns.forEach(function(col, idx) {
 var td = this._get_column_td(idx);
 var static_el = this.get_static_el(td);
-static_el.html(col.render(this.record)).show();
+static_el.empty().append(col.render(this.record)).show();
 this.get_editable_el(td)
 .empty()
 .data('widget', null)
diff -r c553b983d10a -r 6d7c2dbd02a4 src/window.js
--- a/src/window.js Wed Jun 17 13:51:41 2020 +0200
+++ b/src/window.js Mon Jun 29 17:29:45 2020 +0200
@@ -1092,7 +1092,7 @@
 for(var i=0; i', {
 'val': this.encodings[i]
-}).html(this.encodings[i]).appendTo(this.el_csv_encoding);
+}).append(this.encodings[i]).appendTo(this.el_csv_encoding);
 }
 
 var enc = 'utf-8';
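Review bot: Replacing `.html(this.encodings[i])` with `.append(this.encodings[i])` does not escape anything: jQuery's `.append()` interprets a string argument as an HTML string exactly like `.html()` does, so this line is a no-op for the commit's purpose; use `.text(this.encodings[i])`, as the next hunk already does for the field name. The exposure is probably small since `this.encodings` looks like an internal list, but that is not visible here. The same line appears in the 5.0 graft of src/window.js further down this page. The same caveat would apply to the `.empty().append(col.render(this.record))` lines in src/view/tree.js if any renderer returns a plain string rather than an element, which cannot be confirmed from these hunks. The enclosing function starts and ends outside the hunk.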
@@ -1194,7 +1194,7 @@
 var field = el_field.attr('field');
 var node = jQuery('', {
 'field': field,
-}).html(el_field.attr('name')).click(function(e) {
+}).text(el_field.attr('name')).click(function(e) {
 if (e.ctrlKey) {

[tryton-commits] changeset in sao:5.4 Sanitize RichtText fields content

2020-06-29 Thread Nicolas Évrard
changeset ce5339fc07c1 in sao:5.4
details: https://hg.tryton.org/sao?cmd=changeset;node=ce5339fc07c1
description:
Sanitize RichtText fields content

issue9405
review327451002
(grafted from 4e0e93b11cad63c6b25f5230055653edb21a334c)
diffstat:

 CHANGELOG |1 +
 COPYRIGHT |1 +
 Gruntfile.js  |3 +-
 src/html_sanitizer.js |  105 ++
 src/view/form.js  |5 +-
 tests/sao.js  |   19 +
 6 files changed, 131 insertions(+), 3 deletions(-)

diffs (192 lines):

diff -r 9997dcd8f948 -r ce5339fc07c1 CHANGELOG
--- a/CHANGELOG Mon Jun 29 17:29:45 2020 +0200
+++ b/CHANGELOG Mon Jun 29 17:33:06 2020 +0200
@@ -1,3 +1,4 @@
+* Sanitize RichtText fields content (issue9405)
 * Escape external string (issue9394)
 
 Version 5.4.9 - 2020-06-16
diff -r 9997dcd8f948 -r ce5339fc07c1 COPYRIGHT
--- a/COPYRIGHT Mon Jun 29 17:29:45 2020 +0200
+++ b/COPYRIGHT Mon Jun 29 17:33:06 2020 +0200
@@ -2,6 +2,7 @@
 Copyright (C) 2012-2020 Cédric Krier.
 Copyright (C) 2012-2014 Bertrand Chenal.
 Copyright (C) 2012-2020 B2CK SPRL.
+Copyright (C) 2019 Jitbit.
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
diff -r 9997dcd8f948 -r ce5339fc07c1 Gruntfile.js
--- a/Gruntfile.js  Mon Jun 29 17:29:45 2020 +0200
+++ b/Gruntfile.js  Mon Jun 29 17:33:06 2020 +0200
@@ -23,7 +23,8 @@
   'src/wizard.js',
   'src/board.js',
   'src/bus.js',
-  'src/plugins.js'
+  'src/plugins.js',
+  'src/html_sanitizer.js'
   ];
 
   // Project configuration.
diff -r 9997dcd8f948 -r ce5339fc07c1 src/html_sanitizer.js
--- /dev/null   Thu Jan 01 00:00:00 1970 +
+++ b/src/html_sanitizer.js Mon Jun 29 17:33:06 2020 +0200
@@ -0,0 +1,105 @@
+/*
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+*/
+
+(function () {
+'use strict';
+
+var tag_whitelist = {
+B: true,
+BODY: true,
+BR: true,
+DIV: true,
+FONT: true,
+I: true,
+U: true,
+};
+
+var attribute_whitelist = {
+align: true,
+color: true,
+face: true,
+size: true,
+};
+
+Sao.HtmlSanitizer = {};
+Sao.HtmlSanitizer.sanitize = function(input) {
+input = input.trim();
+// to save performance and not create iframe
+if (input == "") return "";
+
+// firefox "bogus node" workaround
+if (input == "") return "";
+
+var iframe = document.createElement('iframe');
+if (iframe.sandbox === undefined) {
+// Browser does not support sandboxed iframes
+console.warn("Your browser do not support sandboxed iframes," +
+" unable to sanitize HTML.");
+return input;
+}
+iframe.sandbox = 'allow-same-origin';
+iframe.style.display = 'none';
+// necessary so the iframe contains a document
+document.body.appendChild(iframe);
+var iframedoc = (iframe.contentDocument ||
+iframe.contentWindow.document);
+// null in IE
+if (iframedoc.body == null) {
+iframedoc.write("");
+}
+iframedoc.body.innerHTML = input;
+
+function make_sanitized_copy(node) {
+var new_node;
+if (node.nodeType == Node.TEXT_NODE) {
+new_node = node.cloneNode(true);
+} else if (node.nodeType == Node.ELEMENT_NODE &&
+tag_whitelist[node.tagName]) {
+//remove useless empty tags
+if ((node.tagName != "BR") && node.innerHTML.trim() == "") {
+return document.createDocumentFragment();
+}
+
+new_node = iframedoc.createElement(node.tagName);
+
+for (var i = 0; i < node.attributes.length; i++) {
+var attr = node.attributes[i];
+ 

[tryton-commits] changeset in sao:5.0 Escape external strings

2020-06-29 Thread Cédric Krier
changeset 19a307dc7455 in sao:5.0
details: https://hg.tryton.org/sao?cmd=changeset;node=19a307dc7455
description:
Escape external strings

issue9394
review293931002
(grafted from d1858845ab3aebd0788b18c667c58617ee54ad4f)
diffstat:

 CHANGELOG|   2 ++
 src/tab.js   |   6 +++---
 src/view/form.js |   2 +-
 src/view/tree.js |   7 ---
 src/window.js|  12 ++--
 5 files changed, 16 insertions(+), 13 deletions(-)

diffs (146 lines):

diff -r 1a8595d04dbe -r 19a307dc7455 CHANGELOG
--- a/CHANGELOG Tue Jun 16 19:15:14 2020 +0200
+++ b/CHANGELOG Mon Jun 29 17:29:45 2020 +0200
@@ -1,3 +1,5 @@
+* Escape external string (issue9394)
+
 Version 5.0.25 - 2020-06-16
 * Bug fixes (see mercurial logs for details)
 
diff -r 1a8595d04dbe -r 19a307dc7455 src/tab.js
--- a/src/tab.jsTue Jun 16 19:15:14 2020 +0200
+++ b/src/tab.jsMon Jun 29 17:29:45 2020 +0200
@@ -449,7 +449,7 @@
 role: 'tabpanel',
 'class': 'tab-pane',
 id: tab.id
-}).html(tab.el)
+}).append(tab.el)
 .appendTo(tabcontent);
 tab_link.tab('show');
 tabs.trigger('ready');
@@ -1182,7 +1182,7 @@
 }.bind(this));
 this.create_tabcontent();
 this.set_name(this.name);
-this.title.html(this.name_el.text());
+this.title.text(this.name_el.text());
 },
 compare: function(attributes) {
 if (!attributes) {
@@ -1222,7 +1222,7 @@
 this.set_name(wizard.name);
 wizard.tab = this;
 this.create_tabcontent();
-this.title.html(this.name_el.text());
+this.title.text(this.name_el.text());
 this.el.append(wizard.form);
 },
 create_toolbar: function() {
diff -r 1a8595d04dbe -r 19a307dc7455 src/view/form.js
--- a/src/view/form.js  Tue Jun 16 19:15:14 2020 +0200
+++ b/src/view/form.js  Mon Jun 29 17:29:45 2020 +0200
@@ -798,7 +798,7 @@
 .append(img)
 .text(text))
 .appendTo(this.nav);
-pane.html(tab).appendTo(this.panes);
+pane.append(tab).appendTo(this.panes);
 if (!this.selected) {
 // Can not use .tab('show')
 page.addClass('active');
diff -r 1a8595d04dbe -r 19a307dc7455 src/view/tree.js
--- a/src/view/tree.js  Tue Jun 16 19:15:14 2020 +0200
+++ b/src/view/tree.js  Mon Jun 29 17:29:45 2020 +0200
@@ -996,6 +996,7 @@
 prefix.render(this.record, cell);
 } else {
 prefix_el.html(prefix.render(this.record));
+
prefix_el.empty().append(prefix.render(this.record));
 }
 }
 }
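Review bot: The old `prefix_el.html(prefix.render(this.record));` survives as a context line in this 5.0 graft, while the 5.6 version of the same hunk removes it; the new `prefix_el.empty().append(...)` is added right after it, so `prefix.render` now runs twice per cell and the `.html()` path the commit is meant to eliminate is still executed first. Delete the surviving `.html()` line so the hunk matches the 5.6 change (the diffstat's 4 insertions / 3 deletions for this file, against 4/4 in 5.6, reflects the leftover). The enclosing function starts and ends outside the hunk.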
@@ -1004,7 +1005,7 @@
 if (cell.length) {
 column.render(this.record, cell);
 } else {
-widget.html(column.render(this.record));
+widget.empty().append(column.render(this.record));
 }
 if (column.suffixes) {
 for (var k = 0; k < column.suffixes.length; k++) {
@@ -1014,7 +1015,7 @@
 if (cell.length) {
 suffix.render(this.record, cell);
 } else {
-suffix_el.html(suffix.render(this.record));
+
suffix_el.empty().append(suffix.render(this.record));
 }
 }
 }
@@ -1302,7 +1303,7 @@
 this.tree.columns.forEach(function(col, idx) {
 var td = this._get_column_td(idx);
 var static_el = this.get_static_el(td);
-static_el.html(col.render(this.record)).show();
+static_el.empty().append(col.render(this.record)).show();
 this.get_editable_el(td)
 .empty()
 .data('widget', null)
diff -r 1a8595d04dbe -r 19a307dc7455 src/window.js
--- a/src/window.js Tue Jun 16 19:15:14 2020 +0200
+++ b/src/window.js Mon Jun 29 17:29:45 2020 +0200
@@ -1065,7 +1065,7 @@
 for(var i=0; i', {
 'val': this.encodings[i]
-}).html(this.encodings[i]).appendTo(this.el_csv_encoding);
+}).append(this.encodings[i]).appendTo(this.el_csv_encoding);
 }
 
 var enc = 'utf-8';
@@ -1171,7 +1171,7 @@
 var field = el_field.attr('field');
 var node = jQuery('', {
 'field': field,
-}).html(el_field.attr('name')).click(function(e) {
+}).text(el_field.attr('name')).click(function(e) {
 if (e.ctrlKey) {
 node.toggleClass('bg-primary');
 } else {
@@ -1195,7 +1195,7 @@
 var node = jQuery('', {

[tryton-commits] changeset in sao:default Sanitize RichtText fields content

2020-06-29 Thread Nicolas Évrard
changeset 4e0e93b11cad in sao:default
details: https://hg.tryton.org/sao?cmd=changeset;node=4e0e93b11cad
description:
Sanitize RichtText fields content

issue9405
review327451002
diffstat:

 CHANGELOG |1 +
 COPYRIGHT |1 +
 Gruntfile.js  |3 +-
 src/html_sanitizer.js |  105 ++
 src/view/form.js  |5 +-
 tests/sao.js  |   19 +
 6 files changed, 131 insertions(+), 3 deletions(-)

diffs (192 lines):

diff -r d1858845ab3a -r 4e0e93b11cad CHANGELOG
--- a/CHANGELOG Mon Jun 29 17:29:45 2020 +0200
+++ b/CHANGELOG Mon Jun 29 17:33:06 2020 +0200
@@ -1,3 +1,4 @@
+* Sanitize RichtText fields content (issue9405)
 * Escape external string (issue9394)
 * Keep context in sessionStorage
 * Use existing context for get_preferences
diff -r d1858845ab3a -r 4e0e93b11cad COPYRIGHT
--- a/COPYRIGHT Mon Jun 29 17:29:45 2020 +0200
+++ b/COPYRIGHT Mon Jun 29 17:33:06 2020 +0200
@@ -2,6 +2,7 @@
 Copyright (C) 2012-2020 Cédric Krier.
 Copyright (C) 2012-2014 Bertrand Chenal.
 Copyright (C) 2012-2020 B2CK SPRL.
+Copyright (C) 2019 Jitbit.
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
diff -r d1858845ab3a -r 4e0e93b11cad Gruntfile.js
--- a/Gruntfile.js  Mon Jun 29 17:29:45 2020 +0200
+++ b/Gruntfile.js  Mon Jun 29 17:33:06 2020 +0200
@@ -23,7 +23,8 @@
   'src/wizard.js',
   'src/board.js',
   'src/bus.js',
-  'src/plugins.js'
+  'src/plugins.js',
+  'src/html_sanitizer.js'
   ];
 
   // Project configuration.
diff -r d1858845ab3a -r 4e0e93b11cad src/html_sanitizer.js
--- /dev/null   Thu Jan 01 00:00:00 1970 +
+++ b/src/html_sanitizer.js Mon Jun 29 17:33:06 2020 +0200
@@ -0,0 +1,105 @@
+/*
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+*/
+
+(function () {
+'use strict';
+
+var tag_whitelist = {
+B: true,
+BODY: true,
+BR: true,
+DIV: true,
+FONT: true,
+I: true,
+U: true,
+};
+
+var attribute_whitelist = {
+align: true,
+color: true,
+face: true,
+size: true,
+};
+
+Sao.HtmlSanitizer = {};
+Sao.HtmlSanitizer.sanitize = function(input) {
+input = input.trim();
+// to save performance and not create iframe
+if (input == "") return "";
+
+// firefox "bogus node" workaround
+if (input == "") return "";
+
+var iframe = document.createElement('iframe');
+if (iframe.sandbox === undefined) {
+// Browser does not support sandboxed iframes
+console.warn("Your browser do not support sandboxed iframes," +
+" unable to sanitize HTML.");
+return input;
+}
+iframe.sandbox = 'allow-same-origin';
+iframe.style.display = 'none';
+// necessary so the iframe contains a document
+document.body.appendChild(iframe);
+var iframedoc = (iframe.contentDocument ||
+iframe.contentWindow.document);
+// null in IE
+if (iframedoc.body == null) {
+iframedoc.write("");
+}
+iframedoc.body.innerHTML = input;
+
+function make_sanitized_copy(node) {
+var new_node;
+if (node.nodeType == Node.TEXT_NODE) {
+new_node = node.cloneNode(true);
+} else if (node.nodeType == Node.ELEMENT_NODE &&
+tag_whitelist[node.tagName]) {
+//remove useless empty tags
+if ((node.tagName != "BR") && node.innerHTML.trim() == "") {
+return document.createDocumentFragment();
+}
+
+new_node = iframedoc.createElement(node.tagName);
+
+for (var i = 0; i < node.attributes.length; i++) {
+var attr = node.attributes[i];
+if 

[tryton-commits] changeset in sao:5.4 Escape external strings

2020-06-29 Thread Cédric Krier
changeset 9997dcd8f948 in sao:5.4
details: https://hg.tryton.org/sao?cmd=changeset;node=9997dcd8f948
description:
Escape external strings

issue9394
review293931002
(grafted from d1858845ab3aebd0788b18c667c58617ee54ad4f)
diffstat:

 CHANGELOG|   2 ++
 src/tab.js   |   6 +++---
 src/view/form.js |   2 +-
 src/view/tree.js |   8 
 src/window.js|  12 ++--
 5 files changed, 16 insertions(+), 14 deletions(-)

diffs (147 lines):

diff -r bbf704614f1b -r 9997dcd8f948 CHANGELOG
--- a/CHANGELOG Tue Jun 16 19:13:56 2020 +0200
+++ b/CHANGELOG Mon Jun 29 17:29:45 2020 +0200
@@ -1,3 +1,5 @@
+* Escape external string (issue9394)
+
 Version 5.4.9 - 2020-06-16
 * Bug fixes (see mercurial logs for details)
 
diff -r bbf704614f1b -r 9997dcd8f948 src/tab.js
--- a/src/tab.jsTue Jun 16 19:13:56 2020 +0200
+++ b/src/tab.jsMon Jun 29 17:29:45 2020 +0200
@@ -406,7 +406,7 @@
 role: 'tabpanel',
 'class': 'tab-pane',
 id: tab.id
-}).html(tab.el)
+}).append(tab.el)
 .appendTo(tabcontent);
 tab_link.tab('show');
 tabs.trigger('ready');
@@ -1361,7 +1361,7 @@
 }.bind(this));
 this.create_tabcontent();
 this.set_name(this.name);
-this.title.html(this.name_el.text());
+this.title.text(this.name_el.text());
 },
 compare: function(attributes) {
 if (!attributes) {
@@ -1401,7 +1401,7 @@
 this.set_name(wizard.name);
 wizard.tab = this;
 this.create_tabcontent();
-this.title.html(this.name_el.text());
+this.title.text(this.name_el.text());
 this.el.append(wizard.form);
 },
 create_toolbar: function() {
diff -r bbf704614f1b -r 9997dcd8f948 src/view/form.js
--- a/src/view/form.js  Tue Jun 16 19:13:56 2020 +0200
+++ b/src/view/form.js  Mon Jun 29 17:29:45 2020 +0200
@@ -755,7 +755,7 @@
 .append(img)
 .text(text))
 .appendTo(this.nav);
-pane.html(tab).appendTo(this.panes);
+pane.append(tab).appendTo(this.panes);
 if (!this.selected) {
 // Can not use .tab('show')
 page.addClass('active');
diff -r bbf704614f1b -r 9997dcd8f948 src/view/tree.js
--- a/src/view/tree.js  Tue Jun 16 19:13:56 2020 +0200
+++ b/src/view/tree.js  Mon Jun 29 17:29:45 2020 +0200
@@ -1279,7 +1279,7 @@
 if (item.length) {
 prefix.render(this.record, item);
 } else {
-prefix_el.html(prefix.render(this.record));
+
prefix_el.empty().append(prefix.render(this.record));
 }
 }
 }
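Review bot: Replacing `prefix_el.html(...)` with `prefix_el.empty().append(prefix.render(this.record))` only changes escaping if `prefix.render()` can return a string, and in that case jQuery's `.append()` still parses the string as HTML, so the new line is no safer than the old one; when `render()` returns a node, `.html(node)` already behaved like `.empty().append(node)` and the change is stylistic. The escaping therefore has to happen inside the renderers, and that contract is not written down anywhere in the hunk; a comment such as `// render() must return a node, never an HTML string: append() would parse it` on the new line would record it. The same applies to the `widget`, `suffix_el` and `static_el` hunks of this file below, and to the corresponding src/view/tree.js hunks in the sao:5.2 and sao:default changesets. The enclosing loop starts and ends outside the hunk.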
@@ -1288,7 +1288,7 @@
 if (item.length) {
 column.render(this.record, item);
 } else {
-widget.html(column.render(this.record));
+widget.empty().append(column.render(this.record));
 }
 if (column.suffixes) {
 for (var k = 0; k < column.suffixes.length; k++) {
@@ -1298,7 +1298,7 @@
 if (item.length) {
 suffix.render(this.record, item);
 } else {
-suffix_el.html(suffix.render(this.record));
+
suffix_el.empty().append(suffix.render(this.record));
 }
 }
 }
@@ -1635,7 +1635,7 @@
 this.tree.columns.forEach(function(col, idx) {
 var td = this._get_column_td(idx);
 var static_el = this.get_static_el(td);
-static_el.html(col.render(this.record)).show();
+static_el.empty().append(col.render(this.record)).show();
 this.get_editable_el(td)
 .empty()
 .data('widget', null)
diff -r bbf704614f1b -r 9997dcd8f948 src/window.js
--- a/src/window.js Tue Jun 16 19:13:56 2020 +0200
+++ b/src/window.js Mon Jun 29 17:29:45 2020 +0200
@@ -1094,7 +1094,7 @@
 for(var i=0; i', {
 'val': this.encodings[i]
-}).html(this.encodings[i]).appendTo(this.el_csv_encoding);
+}).append(this.encodings[i]).appendTo(this.el_csv_encoding);
 }
 
 var enc = 'utf-8';
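Review bot: `.append(this.encodings[i])` on the new line does not escape the value: jQuery's `.append()` parses a string argument as HTML, so this line behaves exactly like the `.html()` call it replaces, while the next hunk of this file switches the comparable case to `.text(el_field.attr('name'))`. For consistency with that hunk and with the commit's stated intent, write `}).text(this.encodings[i]).appendTo(this.el_csv_encoding);`. The encodings list is presumably a fixed set of names defined elsewhere, so the practical exposure is likely small, but the `.text()` form makes the escaping explicit rather than dependent on where the list comes from. The same line appears in the sao:5.2 graft (src/window.js, hunk `@@ -1100,7 +1100,7 @@`) and presumably in the sao:default changeset, whose src/window.js section is cut off here. The enclosing `for` loop starts outside the hunk; its header and the following `jQuery(...)` line appear to have been collapsed together by the mail rendering.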
@@ -1196,7 +1196,7 @@
 var field = el_field.attr('field');
 var node = jQuery('', {
 'field': field,
-}).html(el_field.attr('name')).click(function(e) {
+}).text(el_field.attr('name')).click(function(e) {
 if (e.ctrlKey) {

[tryton-commits] changeset in sao:5.6 Sanitize RichtText fields content

2020-06-29 Thread Nicolas Évrard
changeset bea22c5b2072 in sao:5.6
details: https://hg.tryton.org/sao?cmd=changeset;node=bea22c5b2072
description:
Sanitize RichtText fields content

issue9405
review327451002
(grafted from 4e0e93b11cad63c6b25f5230055653edb21a334c)
diffstat:

 CHANGELOG |1 +
 COPYRIGHT |1 +
 Gruntfile.js  |3 +-
 src/html_sanitizer.js |  105 ++
 src/view/form.js  |5 +-
 tests/sao.js  |   19 +
 6 files changed, 131 insertions(+), 3 deletions(-)

diffs (192 lines):

diff -r 6d7c2dbd02a4 -r bea22c5b2072 CHANGELOG
--- a/CHANGELOG Mon Jun 29 17:29:45 2020 +0200
+++ b/CHANGELOG Mon Jun 29 17:33:06 2020 +0200
@@ -1,3 +1,4 @@
+* Sanitize RichtText fields content (issue9405)
 * Escape external string (issue9394)
 
 Version 5.6.3 - 2020-06-16
diff -r 6d7c2dbd02a4 -r bea22c5b2072 COPYRIGHT
--- a/COPYRIGHT Mon Jun 29 17:29:45 2020 +0200
+++ b/COPYRIGHT Mon Jun 29 17:33:06 2020 +0200
@@ -2,6 +2,7 @@
 Copyright (C) 2012-2020 Cédric Krier.
 Copyright (C) 2012-2014 Bertrand Chenal.
 Copyright (C) 2012-2020 B2CK SPRL.
+Copyright (C) 2019 Jitbit.
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
diff -r 6d7c2dbd02a4 -r bea22c5b2072 Gruntfile.js
--- a/Gruntfile.js  Mon Jun 29 17:29:45 2020 +0200
+++ b/Gruntfile.js  Mon Jun 29 17:33:06 2020 +0200
@@ -23,7 +23,8 @@
   'src/wizard.js',
   'src/board.js',
   'src/bus.js',
-  'src/plugins.js'
+  'src/plugins.js',
+  'src/html_sanitizer.js'
   ];
 
   // Project configuration.
diff -r 6d7c2dbd02a4 -r bea22c5b2072 src/html_sanitizer.js
--- /dev/null   Thu Jan 01 00:00:00 1970 +
+++ b/src/html_sanitizer.js Mon Jun 29 17:33:06 2020 +0200
@@ -0,0 +1,105 @@
+/*
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+*/
+
+(function () {
+'use strict';
+
+var tag_whitelist = {
+B: true,
+BODY: true,
+BR: true,
+DIV: true,
+FONT: true,
+I: true,
+U: true,
+};
+
+var attribute_whitelist = {
+align: true,
+color: true,
+face: true,
+size: true,
+};
+
+Sao.HtmlSanitizer = {};
+Sao.HtmlSanitizer.sanitize = function(input) {
+input = input.trim();
+// to save performance and not create iframe
+if (input == "") return "";
+
+// firefox "bogus node" workaround
+if (input == "") return "";
+
+var iframe = document.createElement('iframe');
+if (iframe.sandbox === undefined) {
+// Browser does not support sandboxed iframes
+console.warn("Your browser do not support sandboxed iframes," +
+" unable to sanitize HTML.");
+return input;
+}
+iframe.sandbox = 'allow-same-origin';
+iframe.style.display = 'none';
+// necessary so the iframe contains a document
+document.body.appendChild(iframe);
+var iframedoc = (iframe.contentDocument ||
+iframe.contentWindow.document);
+// null in IE
+if (iframedoc.body == null) {
+iframedoc.write("");
+}
+iframedoc.body.innerHTML = input;
+
+function make_sanitized_copy(node) {
+var new_node;
+if (node.nodeType == Node.TEXT_NODE) {
+new_node = node.cloneNode(true);
+} else if (node.nodeType == Node.ELEMENT_NODE &&
+tag_whitelist[node.tagName]) {
+//remove useless empty tags
+if ((node.tagName != "BR") && node.innerHTML.trim() == "") {
+return document.createDocumentFragment();
+}
+
+new_node = iframedoc.createElement(node.tagName);
+
+for (var i = 0; i < node.attributes.length; i++) {
+var attr = node.attributes[i];
+ 

[tryton-commits] changeset in sao:5.2 Escape external strings

2020-06-29 Thread Cédric Krier
changeset bb05591968e8 in sao:5.2
details: https://hg.tryton.org/sao?cmd=changeset;node=bb05591968e8
description:
Escape external strings

issue9394
review293931002
(grafted from d1858845ab3aebd0788b18c667c58617ee54ad4f)
diffstat:

 CHANGELOG|   2 ++
 src/tab.js   |   6 +++---
 src/view/form.js |   2 +-
 src/view/tree.js |   7 ---
 src/window.js|  12 ++--
 5 files changed, 16 insertions(+), 13 deletions(-)

diffs (146 lines):

diff -r 9f7eff972320 -r bb05591968e8 CHANGELOG
--- a/CHANGELOG Tue Jun 16 19:14:46 2020 +0200
+++ b/CHANGELOG Mon Jun 29 17:29:45 2020 +0200
@@ -1,3 +1,5 @@
+* Escape external string (issue9394)
+
 Version 5.2.17 - 2020-06-16
 * Bug fixes (see mercurial logs for details)
 
diff -r 9f7eff972320 -r bb05591968e8 src/tab.js
--- a/src/tab.jsTue Jun 16 19:14:46 2020 +0200
+++ b/src/tab.jsMon Jun 29 17:29:45 2020 +0200
@@ -404,7 +404,7 @@
 role: 'tabpanel',
 'class': 'tab-pane',
 id: tab.id
-}).html(tab.el)
+}).append(tab.el)
 .appendTo(tabcontent);
 tab_link.tab('show');
 tabs.trigger('ready');
@@ -1356,7 +1356,7 @@
 }.bind(this));
 this.create_tabcontent();
 this.set_name(this.name);
-this.title.html(this.name_el.text());
+this.title.text(this.name_el.text());
 },
 compare: function(attributes) {
 if (!attributes) {
@@ -1396,7 +1396,7 @@
 this.set_name(wizard.name);
 wizard.tab = this;
 this.create_tabcontent();
-this.title.html(this.name_el.text());
+this.title.text(this.name_el.text());
 this.el.append(wizard.form);
 },
 create_toolbar: function() {
diff -r 9f7eff972320 -r bb05591968e8 src/view/form.js
--- a/src/view/form.js  Tue Jun 16 19:14:46 2020 +0200
+++ b/src/view/form.js  Mon Jun 29 17:29:45 2020 +0200
@@ -730,7 +730,7 @@
 .append(img)
 .text(text))
 .appendTo(this.nav);
-pane.html(tab).appendTo(this.panes);
+pane.append(tab).appendTo(this.panes);
 if (!this.selected) {
 // Can not use .tab('show')
 page.addClass('active');
diff -r 9f7eff972320 -r bb05591968e8 src/view/tree.js
--- a/src/view/tree.js  Tue Jun 16 19:14:46 2020 +0200
+++ b/src/view/tree.js  Mon Jun 29 17:29:45 2020 +0200
@@ -1004,6 +1004,7 @@
 if (cell.length) {
 prefix.render(this.record, cell);
 } else {
+
prefix_el.empty().append(prefix.render(this.record));
 prefix_el.html(prefix.render(this.record));
 }
 }
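Review bot: The old `prefix_el.html(prefix.render(this.record));` line is kept as context directly after the new `prefix_el.empty().append(prefix.render(this.record));`, so in this graft the prefix is rendered twice and the second, `.html()`-based call still wins — the path this commit is meant to remove stays live on the sao:5.2 branch. The hunk header `@@ -1004,6 +1004,7 @@` (one insertion, no deletion) and the diffstat (7 changed lines in src/view/tree.js versus 8 in the sao:5.4 and sao:default changesets) show the deletion was lost only here, most likely while resolving the graft. Delete the `prefix_el.html(prefix.render(this.record));` line so the hunk matches the other branches. The enclosing function starts and ends outside the hunk.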
@@ -1013,7 +1014,7 @@
 if (cell.length) {
 column.render(this.record, cell);
 } else {
-widget.html(column.render(this.record));
+widget.empty().append(column.render(this.record));
 }
 if (column.suffixes) {
 for (var k = 0; k < column.suffixes.length; k++) {
@@ -1023,7 +1024,7 @@
 if (cell.length) {
 suffix.render(this.record, cell);
 } else {
-suffix_el.html(suffix.render(this.record));
+
suffix_el.empty().append(suffix.render(this.record));
 }
 }
 }
@@ -1327,7 +1328,7 @@
 this.tree.columns.forEach(function(col, idx) {
 var td = this._get_column_td(idx);
 var static_el = this.get_static_el(td);
-static_el.html(col.render(this.record)).show();
+static_el.empty().append(col.render(this.record)).show();
 this.get_editable_el(td)
 .empty()
 .data('widget', null)
diff -r 9f7eff972320 -r bb05591968e8 src/window.js
--- a/src/window.js Tue Jun 16 19:14:46 2020 +0200
+++ b/src/window.js Mon Jun 29 17:29:45 2020 +0200
@@ -1100,7 +1100,7 @@
 for(var i=0; i', {
 'val': this.encodings[i]
-}).html(this.encodings[i]).appendTo(this.el_csv_encoding);
+}).append(this.encodings[i]).appendTo(this.el_csv_encoding);
 }
 
 var enc = 'utf-8';
@@ -1204,7 +1204,7 @@
 var field = el_field.attr('field');
 var node = jQuery('', {
 'field': field,
-}).html(el_field.attr('name')).click(function(e) {
+}).text(el_field.attr('name')).click(function(e) {
 if (e.ctrlKey) {
 node.toggleClass('bg-primary');
 } else {
@@ -1228,7 +1228,7 @@
 var node = 

[tryton-commits] changeset in sao:default Escape external strings

2020-06-29 Thread Cédric Krier
changeset d1858845ab3a in sao:default
details: https://hg.tryton.org/sao?cmd=changeset;node=d1858845ab3a
description:
Escape external strings

issue9394
review293931002
diffstat:

 CHANGELOG|   1 +
 src/board.js |   4 ++--
 src/tab.js   |   6 +++---
 src/view/form.js |   2 +-
 src/view/tree.js |   8 
 src/window.js|  16 
 6 files changed, 19 insertions(+), 18 deletions(-)

diffs (174 lines):

diff -r e2b40d5d11b2 -r d1858845ab3a CHANGELOG
--- a/CHANGELOG Fri Jun 19 00:20:27 2020 +0200
+++ b/CHANGELOG Mon Jun 29 17:29:45 2020 +0200
@@ -1,3 +1,4 @@
+* Escape external string (issue9394)
 * Keep context in sessionStorage
 * Use existing context for get_preferences
 * Escape external strings (issue9351)
diff -r e2b40d5d11b2 -r d1858845ab3a src/board.js
--- a/src/board.js  Fri Jun 19 00:20:27 2020 +0200
+++ b/src/board.js  Mon Jun 29 17:29:45 2020 +0200
@@ -137,9 +137,9 @@
 params);
 
 if (attributes.string) {
-this.title.html(attributes.string);
+this.title.text(attributes.string);
 } else {
-this.title.html(this.action.name);
+this.title.text(this.action.name);
 }
 this.screen.switch_view().done(function() {
 this.body.append(this.screen.screen_container.el);
diff -r e2b40d5d11b2 -r d1858845ab3a src/tab.js
--- a/src/tab.jsFri Jun 19 00:20:27 2020 +0200
+++ b/src/tab.jsMon Jun 29 17:29:45 2020 +0200
@@ -406,7 +406,7 @@
 role: 'tabpanel',
 'class': 'tab-pane',
 id: tab.id
-}).html(tab.el)
+}).append(tab.el)
 .appendTo(tabcontent);
 tab_link.tab('show');
 tabs.trigger('ready');
@@ -1358,7 +1358,7 @@
 }.bind(this));
 this.create_tabcontent();
 this.set_name(this.name);
-this.title.html(this.name_el.text());
+this.title.text(this.name_el.text());
 },
 compare: function(attributes) {
 if (!attributes) {
@@ -1398,7 +1398,7 @@
 this.set_name(wizard.name);
 wizard.tab = this;
 this.create_tabcontent();
-this.title.html(this.name_el.text());
+this.title.text(this.name_el.text());
 this.el.append(wizard.form);
 },
 create_toolbar: function() {
diff -r e2b40d5d11b2 -r d1858845ab3a src/view/form.js
--- a/src/view/form.js  Fri Jun 19 00:20:27 2020 +0200
+++ b/src/view/form.js  Mon Jun 29 17:29:45 2020 +0200
@@ -780,7 +780,7 @@
 .append(img)
 .text(text))
 .appendTo(this.nav);
-pane.html(tab).appendTo(this.panes);
+pane.append(tab).appendTo(this.panes);
 if (!this.selected) {
 // Can not use .tab('show')
 page.addClass('active');
diff -r e2b40d5d11b2 -r d1858845ab3a src/view/tree.js
--- a/src/view/tree.js  Fri Jun 19 00:20:27 2020 +0200
+++ b/src/view/tree.js  Mon Jun 29 17:29:45 2020 +0200
@@ -1337,7 +1337,7 @@
 if (item.length) {
 prefix.render(this.record, item);
 } else {
-prefix_el.html(prefix.render(this.record));
+
prefix_el.empty().append(prefix.render(this.record));
 }
 }
 }
@@ -1346,7 +1346,7 @@
 if (item.length) {
 column.render(this.record, item);
 } else {
-widget.html(column.render(this.record));
+widget.empty().append(column.render(this.record));
 }
 if (column.suffixes) {
 for (var k = 0; k < column.suffixes.length; k++) {
@@ -1356,7 +1356,7 @@
 if (item.length) {
 suffix.render(this.record, item);
 } else {
-suffix_el.html(suffix.render(this.record));
+
suffix_el.empty().append(suffix.render(this.record));
 }
 }
 }
@@ -1693,7 +1693,7 @@
 this.tree.columns.forEach(function(col, idx) {
 var td = this._get_column_td(idx);
 var static_el = this.get_static_el(td);
-static_el.html(col.render(this.record)).show();
+static_el.empty().append(col.render(this.record)).show();
 this.get_editable_el(td)
 .empty()
 .data('widget', null)
diff -r e2b40d5d11b2 -r d1858845ab3a src/window.js
--- a/src/window.js Fri Jun 19 00:20:27 2020 +0200
+++