[tryton-commits] changeset in sao:5.4 Prepare release 5.4.10 [skip ci]
changeset 97506c0c3b50 in sao:5.4 details: https://hg.tryton.org/sao?cmd=changeset;node=97506c0c3b50 description: Prepare release 5.4.10 [skip ci] diffstat: CHANGELOG | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diffs (9 lines):
diff -r ce5339fc07c1 -r 97506c0c3b50 CHANGELOG
--- a/CHANGELOG Mon Jun 29 17:33:06 2020 +0200
+++ b/CHANGELOG Mon Jun 29 18:05:57 2020 +0200
@@ -1,3 +1,5 @@
+Version 5.4.10 - 2020-06-29
+* Bug fixes (see mercurial logs for details)
 * Sanitize RichtText fields content (issue9405)
 * Escape external string (issue9394)
[tryton-commits] changeset in sao:5.0 Sanitize RichtText fields content
changeset 72fd59da9505 in sao:5.0 details: https://hg.tryton.org/sao?cmd=changeset;node=72fd59da9505 description: Sanitize RichtText fields content issue9405 review327451002 (grafted from 4e0e93b11cad63c6b25f5230055653edb21a334c) diffstat: CHANGELOG |1 + COPYRIGHT |1 + Gruntfile.js |3 +- src/html_sanitizer.js | 105 ++ src/view/form.js |5 +- tests/sao.js | 19 + 6 files changed, 131 insertions(+), 3 deletions(-) diffs (192 lines): diff -r 19a307dc7455 -r 72fd59da9505 CHANGELOG --- a/CHANGELOG Mon Jun 29 17:29:45 2020 +0200 +++ b/CHANGELOG Mon Jun 29 17:33:06 2020 +0200 @@ -1,3 +1,4 @@ +* Sanitize RichtText fields content (issue9405) * Escape external string (issue9394) Version 5.0.25 - 2020-06-16 diff -r 19a307dc7455 -r 72fd59da9505 COPYRIGHT --- a/COPYRIGHT Mon Jun 29 17:29:45 2020 +0200 +++ b/COPYRIGHT Mon Jun 29 17:33:06 2020 +0200 @@ -2,6 +2,7 @@ Copyright (C) 2012-2020 Cédric Krier. Copyright (C) 2012-2014 Bertrand Chenal. Copyright (C) 2012-2020 B2CK SPRL. +Copyright (C) 2019 Jitbit. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff -r 19a307dc7455 -r 72fd59da9505 Gruntfile.js --- a/Gruntfile.js Mon Jun 29 17:29:45 2020 +0200 +++ b/Gruntfile.js Mon Jun 29 17:33:06 2020 +0200 @@ -21,7 +21,8 @@ 'src/window.js', 'src/wizard.js', 'src/board.js', - 'src/bus.js' + 'src/bus.js', + 'src/html_sanitizer.js' ]; // Project configuration. diff -r 19a307dc7455 -r 72fd59da9505 src/html_sanitizer.js --- /dev/null Thu Jan 01 00:00:00 1970 + +++ b/src/html_sanitizer.js Mon Jun 29 17:33:06 2020 +0200 
@@ -0,0 +1,105 @@ +/* +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the "Software"), to +deal in the Software without restriction, including without limitation the +rights to use, copy, modify, merge, publish, distribute, sublicense, and/or +sell copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. 
+*/ + +(function () { +'use strict'; + +var tag_whitelist = { +B: true, +BODY: true, +BR: true, +DIV: true, +FONT: true, +I: true, +U: true, +}; + +var attribute_whitelist = { +align: true, +color: true, +face: true, +size: true, +}; + +Sao.HtmlSanitizer = {}; +Sao.HtmlSanitizer.sanitize = function(input) { +input = input.trim(); +// to save performance and not create iframe +if (input === "") return ""; + +// firefox "bogus node" workaround +if (input == "") return ""; + +var iframe = document.createElement('iframe'); +if (iframe.sandbox === undefined) { +// Browser does not support sandboxed iframes +console.warn("Your browser do not support sandboxed iframes," + +" unable to sanitize HTML."); +return input; +} +iframe.sandbox = 'allow-same-origin'; +iframe.style.display = 'none'; +// necessary so the iframe contains a document +document.body.appendChild(iframe); +var iframedoc = (iframe.contentDocument || +iframe.contentWindow.document); +// null in IE +if (iframedoc.body === null) { +iframedoc.write(""); +} +iframedoc.body.innerHTML = input; + +function make_sanitized_copy(node) { +var new_node; +if (node.nodeType == Node.TEXT_NODE) { +new_node = node.cloneNode(true); +} else if (node.nodeType == Node.ELEMENT_NODE && +tag_whitelist[node.tagName]) { +//remove useless empty tags +if ((node.tagName != "BR") && node.innerHTML.trim() === "") { +return document.createDocumentFragment(); +} + +new_node = iframedoc.createElement(node.tagName); + +for (var i = 0; i < node.attributes.length; i++) { +var attr = node.attributes[i]; +
[tryton-commits] changeset in sao:5.4 Add tag 5.4.10 [skip ci]
changeset 70e5cf36fb5d in sao:5.4 details: https://hg.tryton.org/sao?cmd=changeset;node=70e5cf36fb5d description: Add tag 5.4.10 [skip ci] diffstat: .hgtags | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diffs (8 lines):
diff -r 97506c0c3b50 -r 70e5cf36fb5d .hgtags
--- a/.hgtags Mon Jun 29 18:05:57 2020 +0200
+++ b/.hgtags Mon Jun 29 18:05:57 2020 +0200
@@ -16,3 +16,4 @@
 6d350cbb98a5c0da216ed1448a9d39882739f5f0 5.4.7
 12b9edf2ce60d1db4283a8c61a946948ed29b0c6 5.4.8
 17b2271bba6ff583b369a08c7ce2cdeeb57451d0 5.4.9
+97506c0c3b50aa1a27d3ae732c564b46097a774a 5.4.10
[tryton-commits] changeset in sao:5.6 Increase version number
changeset 9692165a0478 in sao:5.6 details: https://hg.tryton.org/sao?cmd=changeset;node=9692165a0478 description: Increase version number diffstat: package.json | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diffs (12 lines):
diff -r a7a019c7d39b -r 9692165a0478 package.json
--- a/package.json Mon Jun 29 18:05:28 2020 +0200
+++ b/package.json Mon Jun 29 18:05:38 2020 +0200
@@ -2,7 +2,7 @@
 "name": "tryton-sao",
 "title": "sao",
 "description": "Tryton webclient",
- "version": "5.6.4",
+ "version": "5.6.5",
 "homepage": "http://www.tryton.org/;,
 "author": {
 "name": "Tryton"
[tryton-commits] changeset in sao:5.0 Increase version number
changeset ad4f804fd8ab in sao:5.0 details: https://hg.tryton.org/sao?cmd=changeset;node=ad4f804fd8ab description: Increase version number diffstat: package.json | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diffs (12 lines):
diff -r 1c80aecc364c -r ad4f804fd8ab package.json
--- a/package.json Mon Jun 29 18:06:51 2020 +0200
+++ b/package.json Mon Jun 29 18:07:10 2020 +0200
@@ -2,7 +2,7 @@
 "name": "tryton-sao",
 "title": "sao",
 "description": "Tryton webclient",
- "version": "5.0.26",
+ "version": "5.0.27",
 "homepage": "http://www.tryton.org/;,
 "author": {
 "name": "Tryton"
[tryton-commits] changeset in sao:5.4 Increase version number
changeset 25e876149373 in sao:5.4 details: https://hg.tryton.org/sao?cmd=changeset;node=25e876149373 description: Increase version number diffstat: package.json | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diffs (12 lines):
diff -r 70e5cf36fb5d -r 25e876149373 package.json
--- a/package.json Mon Jun 29 18:05:57 2020 +0200
+++ b/package.json Mon Jun 29 18:06:07 2020 +0200
@@ -2,7 +2,7 @@
 "name": "tryton-sao",
 "title": "sao",
 "description": "Tryton webclient",
- "version": "5.4.10",
+ "version": "5.4.11",
 "homepage": "http://www.tryton.org/;,
 "author": {
 "name": "Tryton"
[tryton-commits] changeset in sao:5.0 Add tag 5.0.26 [skip ci]
changeset 1c80aecc364c in sao:5.0 details: https://hg.tryton.org/sao?cmd=changeset;node=1c80aecc364c description: Add tag 5.0.26 [skip ci] diffstat: .hgtags | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diffs (8 lines):
diff -r 39c9b6f84551 -r 1c80aecc364c .hgtags
--- a/.hgtags Mon Jun 29 18:06:51 2020 +0200
+++ b/.hgtags Mon Jun 29 18:06:51 2020 +0200
@@ -30,3 +30,4 @@
 0cf45fdaf8ef012b5a996491c7c26e2ce093ebbc 5.0.23
 88d288d15ae9c11ff5b453495aae0f80e636a663 5.0.24
 9773f7f4e0e644ca23427db3c85269cf6bde8d88 5.0.25
+39c9b6f84551a8e1cb05d1946b571bf325fb8f53 5.0.26
[tryton-commits] changeset in sao:5.2 Increase version number
changeset 5e59a9e42cc7 in sao:5.2 details: https://hg.tryton.org/sao?cmd=changeset;node=5e59a9e42cc7 description: Increase version number diffstat: package.json | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diffs (12 lines):
diff -r f475a27aff4f -r 5e59a9e42cc7 package.json
--- a/package.json Mon Jun 29 18:06:26 2020 +0200
+++ b/package.json Mon Jun 29 18:06:39 2020 +0200
@@ -2,7 +2,7 @@
 "name": "tryton-sao",
 "title": "sao",
 "description": "Tryton webclient",
- "version": "5.2.18",
+ "version": "5.2.19",
 "homepage": "http://www.tryton.org/;,
 "author": {
 "name": "Tryton"
[tryton-commits] changeset in sao:5.2 Prepare release 5.2.18 [skip ci]
changeset 1c6f86747ce5 in sao:5.2 details: https://hg.tryton.org/sao?cmd=changeset;node=1c6f86747ce5 description: Prepare release 5.2.18 [skip ci] diffstat: CHANGELOG | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diffs (9 lines):
diff -r 8d59d1bf1568 -r 1c6f86747ce5 CHANGELOG
--- a/CHANGELOG Mon Jun 29 17:33:06 2020 +0200
+++ b/CHANGELOG Mon Jun 29 18:06:25 2020 +0200
@@ -1,3 +1,5 @@
+Version 5.2.18 - 2020-06-29
+* Bug fixes (see mercurial logs for details)
 * Sanitize RichtText fields content (issue9405)
 * Escape external string (issue9394)
[tryton-commits] changeset in sao:5.6 Add tag 5.6.4 [skip ci]
changeset a7a019c7d39b in sao:5.6 details: https://hg.tryton.org/sao?cmd=changeset;node=a7a019c7d39b description: Add tag 5.6.4 [skip ci] diffstat: .hgtags | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diffs (8 lines):
diff -r 231e8a94d0c0 -r a7a019c7d39b .hgtags
--- a/.hgtags Mon Jun 29 18:05:28 2020 +0200
+++ b/.hgtags Mon Jun 29 18:05:28 2020 +0200
@@ -11,3 +11,4 @@
 b073190a89ff1af0fd44f9890615a18c4bf10b19 5.6.1
 b1894a51a1d36450adae73d283864031d2447900 5.6.2
 2bc101e7b842ba2b10244682cd4a75d79e3830b2 5.6.3
+231e8a94d0c0f7303e489e3573e16bb9ab3e1bf9 5.6.4
[tryton-commits] changeset in sao:5.2 Sanitize RichtText fields content
changeset 8d59d1bf1568 in sao:5.2 details: https://hg.tryton.org/sao?cmd=changeset;node=8d59d1bf1568 description: Sanitize RichtText fields content issue9405 review327451002 (grafted from 4e0e93b11cad63c6b25f5230055653edb21a334c) diffstat: CHANGELOG |1 + COPYRIGHT |1 + Gruntfile.js |3 +- src/html_sanitizer.js | 105 ++ src/view/form.js |5 +- tests/sao.js | 19 + 6 files changed, 131 insertions(+), 3 deletions(-) diffs (192 lines): diff -r bb05591968e8 -r 8d59d1bf1568 CHANGELOG --- a/CHANGELOG Mon Jun 29 17:29:45 2020 +0200 +++ b/CHANGELOG Mon Jun 29 17:33:06 2020 +0200 @@ -1,3 +1,4 @@ +* Sanitize RichtText fields content (issue9405) * Escape external string (issue9394) Version 5.2.17 - 2020-06-16 diff -r bb05591968e8 -r 8d59d1bf1568 COPYRIGHT --- a/COPYRIGHT Mon Jun 29 17:29:45 2020 +0200 +++ b/COPYRIGHT Mon Jun 29 17:33:06 2020 +0200 @@ -2,6 +2,7 @@ Copyright (C) 2012-2020 Cédric Krier. Copyright (C) 2012-2014 Bertrand Chenal. Copyright (C) 2012-2020 B2CK SPRL. +Copyright (C) 2019 Jitbit. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff -r bb05591968e8 -r 8d59d1bf1568 Gruntfile.js --- a/Gruntfile.js Mon Jun 29 17:29:45 2020 +0200 +++ b/Gruntfile.js Mon Jun 29 17:33:06 2020 +0200 @@ -23,7 +23,8 @@ 'src/wizard.js', 'src/board.js', 'src/bus.js', - 'src/plugins.js' + 'src/plugins.js', + 'src/html_sanitizer.js' ]; // Project configuration. diff -r bb05591968e8 -r 8d59d1bf1568 src/html_sanitizer.js --- /dev/null Thu Jan 01 00:00:00 1970 + +++ b/src/html_sanitizer.js Mon Jun 29 17:33:06 2020 +0200 
@@ -0,0 +1,105 @@ +/* +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the "Software"), to +deal in the Software without restriction, including without limitation the +rights to use, copy, modify, merge, publish, distribute, sublicense, and/or +sell copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. 
+*/ + +(function () { +'use strict'; + +var tag_whitelist = { +B: true, +BODY: true, +BR: true, +DIV: true, +FONT: true, +I: true, +U: true, +}; + +var attribute_whitelist = { +align: true, +color: true, +face: true, +size: true, +}; + +Sao.HtmlSanitizer = {}; +Sao.HtmlSanitizer.sanitize = function(input) { +input = input.trim(); +// to save performance and not create iframe +if (input == "") return ""; + +// firefox "bogus node" workaround +if (input == "") return ""; + +var iframe = document.createElement('iframe'); +if (iframe.sandbox === undefined) { +// Browser does not support sandboxed iframes +console.warn("Your browser do not support sandboxed iframes," + +" unable to sanitize HTML."); +return input; +} +iframe.sandbox = 'allow-same-origin'; +iframe.style.display = 'none'; +// necessary so the iframe contains a document +document.body.appendChild(iframe); +var iframedoc = (iframe.contentDocument || +iframe.contentWindow.document); +// null in IE +if (iframedoc.body == null) { +iframedoc.write(""); +} +iframedoc.body.innerHTML = input; + +function make_sanitized_copy(node) { +var new_node; +if (node.nodeType == Node.TEXT_NODE) { +new_node = node.cloneNode(true); +} else if (node.nodeType == Node.ELEMENT_NODE && +tag_whitelist[node.tagName]) { +//remove useless empty tags +if ((node.tagName != "BR") && node.innerHTML.trim() == "") { +return document.createDocumentFragment(); +} + +new_node = iframedoc.createElement(node.tagName); + +for (var i = 0; i < node.attributes.length; i++) { +var attr = node.attributes[i]; +
[tryton-commits] changeset in sao:5.2 Add tag 5.2.18 [skip ci]
changeset f475a27aff4f in sao:5.2 details: https://hg.tryton.org/sao?cmd=changeset;node=f475a27aff4f description: Add tag 5.2.18 [skip ci] diffstat: .hgtags | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diffs (8 lines):
diff -r 1c6f86747ce5 -r f475a27aff4f .hgtags
--- a/.hgtags Mon Jun 29 18:06:25 2020 +0200
+++ b/.hgtags Mon Jun 29 18:06:26 2020 +0200
@@ -23,3 +23,4 @@
 64dae366402d60f26a5334e4e7c14333014a7844 5.2.15
 dd3052b1e63b52963001f3021b232d0c09acab59 5.2.16
 e65e54e30b11e782cb68bf5e68cfc581cfdac1d4 5.2.17
+1c6f86747ce59431fcbd0be4f30f0edcc0ac8b3d 5.2.18
[tryton-commits] changeset in sao:5.6 Prepare release 5.6.4 [skip ci]
changeset 231e8a94d0c0 in sao:5.6 details: https://hg.tryton.org/sao?cmd=changeset;node=231e8a94d0c0 description: Prepare release 5.6.4 [skip ci] diffstat: CHANGELOG | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diffs (9 lines):
diff -r bea22c5b2072 -r 231e8a94d0c0 CHANGELOG
--- a/CHANGELOG Mon Jun 29 17:33:06 2020 +0200
+++ b/CHANGELOG Mon Jun 29 18:05:28 2020 +0200
@@ -1,3 +1,5 @@
+Version 5.6.4 - 2020-06-29
+* Bug fixes (see mercurial logs for details)
 * Sanitize RichtText fields content (issue9405)
 * Escape external string (issue9394)
[tryton-commits] changeset in sao:5.0 Prepare release 5.0.26 [skip ci]
changeset 39c9b6f84551 in sao:5.0 details: https://hg.tryton.org/sao?cmd=changeset;node=39c9b6f84551 description: Prepare release 5.0.26 [skip ci] diffstat: CHANGELOG | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diffs (9 lines):
diff -r 72fd59da9505 -r 39c9b6f84551 CHANGELOG
--- a/CHANGELOG Mon Jun 29 17:33:06 2020 +0200
+++ b/CHANGELOG Mon Jun 29 18:06:51 2020 +0200
@@ -1,3 +1,5 @@
+Version 5.0.26 - 2020-06-29
+* Bug fixes (see mercurial logs for details)
 * Sanitize RichtText fields content (issue9405)
 * Escape external string (issue9394)
[tryton-commits] changeset in sao:5.6 Escape external strings
changeset 6d7c2dbd02a4 in sao:5.6 details: https://hg.tryton.org/sao?cmd=changeset;node=6d7c2dbd02a4 description: Escape external strings issue9394 review293931002 (grafted from d1858845ab3aebd0788b18c667c58617ee54ad4f) diffstat: CHANGELOG| 2 ++ src/tab.js | 6 +++--- src/view/form.js | 2 +- src/view/tree.js | 8 src/window.js| 16 5 files changed, 18 insertions(+), 16 deletions(-) diffs (160 lines): diff -r c553b983d10a -r 6d7c2dbd02a4 CHANGELOG --- a/CHANGELOG Wed Jun 17 13:51:41 2020 +0200 +++ b/CHANGELOG Mon Jun 29 17:29:45 2020 +0200 @@ -1,3 +1,5 @@ +* Escape external string (issue9394) + Version 5.6.3 - 2020-06-16 * Bug fixes (see mercurial logs for details) diff -r c553b983d10a -r 6d7c2dbd02a4 src/tab.js --- a/src/tab.jsWed Jun 17 13:51:41 2020 +0200 +++ b/src/tab.jsMon Jun 29 17:29:45 2020 +0200 @@ -406,7 +406,7 @@ role: 'tabpanel', 'class': 'tab-pane', id: tab.id -}).html(tab.el) +}).append(tab.el) .appendTo(tabcontent); tab_link.tab('show'); tabs.trigger('ready'); @@ -1358,7 +1358,7 @@ }.bind(this)); this.create_tabcontent(); this.set_name(this.name); -this.title.html(this.name_el.text()); +this.title.text(this.name_el.text()); }, compare: function(attributes) { if (!attributes) { @@ -1398,7 +1398,7 @@ this.set_name(wizard.name); wizard.tab = this; this.create_tabcontent(); -this.title.html(this.name_el.text()); +this.title.text(this.name_el.text()); this.el.append(wizard.form); }, create_toolbar: function() { diff -r c553b983d10a -r 6d7c2dbd02a4 src/view/form.js --- a/src/view/form.js Wed Jun 17 13:51:41 2020 +0200 +++ b/src/view/form.js Mon Jun 29 17:29:45 2020 +0200 @@ -780,7 +780,7 @@ .append(img) .text(text)) .appendTo(this.nav); -pane.html(tab).appendTo(this.panes); +pane.append(tab).appendTo(this.panes); if (!this.selected) { // Can not use .tab('show') page.addClass('active'); diff -r c553b983d10a -r 6d7c2dbd02a4 src/view/tree.js --- a/src/view/tree.js Wed Jun 17 13:51:41 2020 +0200 +++ b/src/view/tree.js Mon Jun 29 17:29:45 2020 +0200 
@@ -1336,7 +1336,7 @@ if (item.length) { prefix.render(this.record, item); } else { -prefix_el.html(prefix.render(this.record)); + prefix_el.empty().append(prefix.render(this.record)); } } } @@ -1345,7 +1345,7 @@ if (item.length) { column.render(this.record, item); } else { -widget.html(column.render(this.record)); +widget.empty().append(column.render(this.record)); } if (column.suffixes) { for (var k = 0; k < column.suffixes.length; k++) { @@ -1355,7 +1355,7 @@ if (item.length) { suffix.render(this.record, item); } else { -suffix_el.html(suffix.render(this.record)); + suffix_el.empty().append(suffix.render(this.record)); } } } @@ -1692,7 +1692,7 @@ this.tree.columns.forEach(function(col, idx) { var td = this._get_column_td(idx); var static_el = this.get_static_el(td); -static_el.html(col.render(this.record)).show(); +static_el.empty().append(col.render(this.record)).show(); this.get_editable_el(td) .empty() .data('widget', null) diff -r c553b983d10a -r 6d7c2dbd02a4 src/window.js --- a/src/window.js Wed Jun 17 13:51:41 2020 +0200 +++ b/src/window.js Mon Jun 29 17:29:45 2020 +0200 @@ -1092,7 +1092,7 @@ for(var i=0; i', { 'val': this.encodings[i] -}).html(this.encodings[i]).appendTo(this.el_csv_encoding); +}).append(this.encodings[i]).appendTo(this.el_csv_encoding); } var enc = 'utf-8'; @@ -1194,7 +1194,7 @@ var field = el_field.attr('field'); var node = jQuery('', { 'field': field, -}).html(el_field.attr('name')).click(function(e) { +}).text(el_field.attr('name')).click(function(e) { if (e.ctrlKey) {
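Review bot: In the src/window.js hunk at @@ -1092, replacing `.html(this.encodings[i])` with `.append(this.encodings[i])` escapes nothing: jQuery's `.append()` parses a string argument as HTML just as `.html()` does, and only `.text()` inserts it literally, which is the form the next hunk uses for `el_field.attr('name')`. The values come from `this.encodings`, which looks like an internal list, so the practical exposure is probably nil, but for consistency with the commit's intent the line should read `}).text(this.encodings[i]).appendTo(this.el_csv_encoding);`. The same caveat applies to the `.empty().append(...)` calls in the src/view/tree.js hunks above whenever `render()` returns a string rather than an element; the hunk does not show which it is. The same window.js hunk is grafted to 5.0 in changeset 19a307dc7455 below.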
[tryton-commits] changeset in sao:5.4 Sanitize RichtText fields content
changeset ce5339fc07c1 in sao:5.4 details: https://hg.tryton.org/sao?cmd=changeset;node=ce5339fc07c1 description: Sanitize RichtText fields content issue9405 review327451002 (grafted from 4e0e93b11cad63c6b25f5230055653edb21a334c) diffstat: CHANGELOG |1 + COPYRIGHT |1 + Gruntfile.js |3 +- src/html_sanitizer.js | 105 ++ src/view/form.js |5 +- tests/sao.js | 19 + 6 files changed, 131 insertions(+), 3 deletions(-) diffs (192 lines): diff -r 9997dcd8f948 -r ce5339fc07c1 CHANGELOG --- a/CHANGELOG Mon Jun 29 17:29:45 2020 +0200 +++ b/CHANGELOG Mon Jun 29 17:33:06 2020 +0200 @@ -1,3 +1,4 @@ +* Sanitize RichtText fields content (issue9405) * Escape external string (issue9394) Version 5.4.9 - 2020-06-16 diff -r 9997dcd8f948 -r ce5339fc07c1 COPYRIGHT --- a/COPYRIGHT Mon Jun 29 17:29:45 2020 +0200 +++ b/COPYRIGHT Mon Jun 29 17:33:06 2020 +0200 @@ -2,6 +2,7 @@ Copyright (C) 2012-2020 Cédric Krier. Copyright (C) 2012-2014 Bertrand Chenal. Copyright (C) 2012-2020 B2CK SPRL. +Copyright (C) 2019 Jitbit. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff -r 9997dcd8f948 -r ce5339fc07c1 Gruntfile.js --- a/Gruntfile.js Mon Jun 29 17:29:45 2020 +0200 +++ b/Gruntfile.js Mon Jun 29 17:33:06 2020 +0200 @@ -23,7 +23,8 @@ 'src/wizard.js', 'src/board.js', 'src/bus.js', - 'src/plugins.js' + 'src/plugins.js', + 'src/html_sanitizer.js' ]; // Project configuration. diff -r 9997dcd8f948 -r ce5339fc07c1 src/html_sanitizer.js --- /dev/null Thu Jan 01 00:00:00 1970 + +++ b/src/html_sanitizer.js Mon Jun 29 17:33:06 2020 +0200 
@@ -0,0 +1,105 @@ +/* +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the "Software"), to +deal in the Software without restriction, including without limitation the +rights to use, copy, modify, merge, publish, distribute, sublicense, and/or +sell copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. 
+*/ + +(function () { +'use strict'; + +var tag_whitelist = { +B: true, +BODY: true, +BR: true, +DIV: true, +FONT: true, +I: true, +U: true, +}; + +var attribute_whitelist = { +align: true, +color: true, +face: true, +size: true, +}; + +Sao.HtmlSanitizer = {}; +Sao.HtmlSanitizer.sanitize = function(input) { +input = input.trim(); +// to save performance and not create iframe +if (input == "") return ""; + +// firefox "bogus node" workaround +if (input == "") return ""; + +var iframe = document.createElement('iframe'); +if (iframe.sandbox === undefined) { +// Browser does not support sandboxed iframes +console.warn("Your browser do not support sandboxed iframes," + +" unable to sanitize HTML."); +return input; +} +iframe.sandbox = 'allow-same-origin'; +iframe.style.display = 'none'; +// necessary so the iframe contains a document +document.body.appendChild(iframe); +var iframedoc = (iframe.contentDocument || +iframe.contentWindow.document); +// null in IE +if (iframedoc.body == null) { +iframedoc.write(""); +} +iframedoc.body.innerHTML = input; + +function make_sanitized_copy(node) { +var new_node; +if (node.nodeType == Node.TEXT_NODE) { +new_node = node.cloneNode(true); +} else if (node.nodeType == Node.ELEMENT_NODE && +tag_whitelist[node.tagName]) { +//remove useless empty tags +if ((node.tagName != "BR") && node.innerHTML.trim() == "") { +return document.createDocumentFragment(); +} + +new_node = iframedoc.createElement(node.tagName); + +for (var i = 0; i < node.attributes.length; i++) { +var attr = node.attributes[i]; +
[tryton-commits] changeset in sao:5.0 Escape external strings
changeset 19a307dc7455 in sao:5.0 details: https://hg.tryton.org/sao?cmd=changeset;node=19a307dc7455 description: Escape external strings issue9394 review293931002 (grafted from d1858845ab3aebd0788b18c667c58617ee54ad4f) diffstat: CHANGELOG| 2 ++ src/tab.js | 6 +++--- src/view/form.js | 2 +- src/view/tree.js | 7 --- src/window.js| 12 ++-- 5 files changed, 16 insertions(+), 13 deletions(-) diffs (146 lines): diff -r 1a8595d04dbe -r 19a307dc7455 CHANGELOG --- a/CHANGELOG Tue Jun 16 19:15:14 2020 +0200 +++ b/CHANGELOG Mon Jun 29 17:29:45 2020 +0200 @@ -1,3 +1,5 @@ +* Escape external string (issue9394) + Version 5.0.25 - 2020-06-16 * Bug fixes (see mercurial logs for details) diff -r 1a8595d04dbe -r 19a307dc7455 src/tab.js --- a/src/tab.jsTue Jun 16 19:15:14 2020 +0200 +++ b/src/tab.jsMon Jun 29 17:29:45 2020 +0200 @@ -449,7 +449,7 @@ role: 'tabpanel', 'class': 'tab-pane', id: tab.id -}).html(tab.el) +}).append(tab.el) .appendTo(tabcontent); tab_link.tab('show'); tabs.trigger('ready'); @@ -1182,7 +1182,7 @@ }.bind(this)); this.create_tabcontent(); this.set_name(this.name); -this.title.html(this.name_el.text()); +this.title.text(this.name_el.text()); }, compare: function(attributes) { if (!attributes) { @@ -1222,7 +1222,7 @@ this.set_name(wizard.name); wizard.tab = this; this.create_tabcontent(); -this.title.html(this.name_el.text()); +this.title.text(this.name_el.text()); this.el.append(wizard.form); }, create_toolbar: function() { diff -r 1a8595d04dbe -r 19a307dc7455 src/view/form.js --- a/src/view/form.js Tue Jun 16 19:15:14 2020 +0200 +++ b/src/view/form.js Mon Jun 29 17:29:45 2020 +0200 @@ -798,7 +798,7 @@ .append(img) .text(text)) .appendTo(this.nav); -pane.html(tab).appendTo(this.panes); +pane.append(tab).appendTo(this.panes); if (!this.selected) { // Can not use .tab('show') page.addClass('active'); diff -r 1a8595d04dbe -r 19a307dc7455 src/view/tree.js --- a/src/view/tree.js Tue Jun 16 19:15:14 2020 +0200 +++ b/src/view/tree.js Mon Jun 29 17:29:45 2020 +0200 
@@ -996,6 +996,7 @@ prefix.render(this.record, cell); } else { prefix_el.html(prefix.render(this.record)); + prefix_el.empty().append(prefix.render(this.record)); } } } @@ -1004,7 +1005,7 @@ if (cell.length) { column.render(this.record, cell); } else { -widget.html(column.render(this.record)); +widget.empty().append(column.render(this.record)); } if (column.suffixes) { for (var k = 0; k < column.suffixes.length; k++) { @@ -1014,7 +1015,7 @@ if (cell.length) { suffix.render(this.record, cell); } else { -suffix_el.html(suffix.render(this.record)); + suffix_el.empty().append(suffix.render(this.record)); } } } @@ -1302,7 +1303,7 @@ this.tree.columns.forEach(function(col, idx) { var td = this._get_column_td(idx); var static_el = this.get_static_el(td); -static_el.html(col.render(this.record)).show(); +static_el.empty().append(col.render(this.record)).show(); this.get_editable_el(td) .empty() .data('widget', null) diff -r 1a8595d04dbe -r 19a307dc7455 src/window.js --- a/src/window.js Tue Jun 16 19:15:14 2020 +0200 +++ b/src/window.js Mon Jun 29 17:29:45 2020 +0200 @@ -1065,7 +1065,7 @@ for(var i=0; i', { 'val': this.encodings[i] -}).html(this.encodings[i]).appendTo(this.el_csv_encoding); +}).append(this.encodings[i]).appendTo(this.el_csv_encoding); } var enc = 'utf-8'; @@ -1171,7 +1171,7 @@ var field = el_field.attr('field'); var node = jQuery('', { 'field': field, -}).html(el_field.attr('name')).click(function(e) { +}).text(el_field.attr('name')).click(function(e) { if (e.ctrlKey) { node.toggleClass('bg-primary'); } else { @@ -1195,7 +1195,7 @@ var node = jQuery('', {
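Review bot: In the src/view/tree.js hunk at @@ -996,6 +996,7, the old `prefix_el.html(prefix.render(this.record));` line is kept as context and the new `prefix_el.empty().append(prefix.render(this.record));` is added after it, so on 5.0 the prefix is rendered twice and the `.html()` path this commit is meant to remove still runs. The hunk counts (6 old, 7 new) and the diffstat (7 changed lines for tree.js here against 8 in the 5.6 changeset, where the line is replaced) confirm the graft diverged from the original. The line should be removed: `-prefix_el.html(prefix.render(this.record));`. The enclosing method starts before the hunk.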
[tryton-commits] changeset in sao:default Sanitize RichtText fields content
changeset 4e0e93b11cad in sao:default details: https://hg.tryton.org/sao?cmd=changeset;node=4e0e93b11cad description: Sanitize RichtText fields content issue9405 review327451002 diffstat: CHANGELOG |1 + COPYRIGHT |1 + Gruntfile.js |3 +- src/html_sanitizer.js | 105 ++ src/view/form.js |5 +- tests/sao.js | 19 + 6 files changed, 131 insertions(+), 3 deletions(-) diffs (192 lines): diff -r d1858845ab3a -r 4e0e93b11cad CHANGELOG --- a/CHANGELOG Mon Jun 29 17:29:45 2020 +0200 +++ b/CHANGELOG Mon Jun 29 17:33:06 2020 +0200 @@ -1,3 +1,4 @@ +* Sanitize RichtText fields content (issue9405) * Escape external string (issue9394) * Keep context in sessionStorage * Use existing context for get_preferences diff -r d1858845ab3a -r 4e0e93b11cad COPYRIGHT --- a/COPYRIGHT Mon Jun 29 17:29:45 2020 +0200 +++ b/COPYRIGHT Mon Jun 29 17:33:06 2020 +0200 @@ -2,6 +2,7 @@ Copyright (C) 2012-2020 Cédric Krier. Copyright (C) 2012-2014 Bertrand Chenal. Copyright (C) 2012-2020 B2CK SPRL. +Copyright (C) 2019 Jitbit. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff -r d1858845ab3a -r 4e0e93b11cad Gruntfile.js --- a/Gruntfile.js Mon Jun 29 17:29:45 2020 +0200 +++ b/Gruntfile.js Mon Jun 29 17:33:06 2020 +0200 @@ -23,7 +23,8 @@ 'src/wizard.js', 'src/board.js', 'src/bus.js', - 'src/plugins.js' + 'src/plugins.js', + 'src/html_sanitizer.js' ]; // Project configuration. diff -r d1858845ab3a -r 4e0e93b11cad src/html_sanitizer.js --- /dev/null Thu Jan 01 00:00:00 1970 + +++ b/src/html_sanitizer.js Mon Jun 29 17:33:06 2020 +0200 
@@ -0,0 +1,105 @@ +/* +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the "Software"), to +deal in the Software without restriction, including without limitation the +rights to use, copy, modify, merge, publish, distribute, sublicense, and/or +sell copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. 
+*/ + +(function () { +'use strict'; + +var tag_whitelist = { +B: true, +BODY: true, +BR: true, +DIV: true, +FONT: true, +I: true, +U: true, +}; + +var attribute_whitelist = { +align: true, +color: true, +face: true, +size: true, +}; + +Sao.HtmlSanitizer = {}; +Sao.HtmlSanitizer.sanitize = function(input) { +input = input.trim(); +// to save performance and not create iframe +if (input == "") return ""; + +// firefox "bogus node" workaround +if (input == "") return ""; + +var iframe = document.createElement('iframe'); +if (iframe.sandbox === undefined) { +// Browser does not support sandboxed iframes +console.warn("Your browser do not support sandboxed iframes," + +" unable to sanitize HTML."); +return input; +} +iframe.sandbox = 'allow-same-origin'; +iframe.style.display = 'none'; +// necessary so the iframe contains a document +document.body.appendChild(iframe); +var iframedoc = (iframe.contentDocument || +iframe.contentWindow.document); +// null in IE +if (iframedoc.body == null) { +iframedoc.write(""); +} +iframedoc.body.innerHTML = input; + +function make_sanitized_copy(node) { +var new_node; +if (node.nodeType == Node.TEXT_NODE) { +new_node = node.cloneNode(true); +} else if (node.nodeType == Node.ELEMENT_NODE && +tag_whitelist[node.tagName]) { +//remove useless empty tags +if ((node.tagName != "BR") && node.innerHTML.trim() == "") { +return document.createDocumentFragment(); +} + +new_node = iframedoc.createElement(node.tagName); + +for (var i = 0; i < node.attributes.length; i++) { +var attr = node.attributes[i]; +if
[tryton-commits] changeset in sao:5.4 Escape external strings
changeset 9997dcd8f948 in sao:5.4 details: https://hg.tryton.org/sao?cmd=changeset;node=9997dcd8f948 description: Escape external strings issue9394 review293931002 (grafted from d1858845ab3aebd0788b18c667c58617ee54ad4f) diffstat: CHANGELOG| 2 ++ src/tab.js | 6 +++--- src/view/form.js | 2 +- src/view/tree.js | 8 src/window.js| 12 ++-- 5 files changed, 16 insertions(+), 14 deletions(-) diffs (147 lines): diff -r bbf704614f1b -r 9997dcd8f948 CHANGELOG --- a/CHANGELOG Tue Jun 16 19:13:56 2020 +0200 +++ b/CHANGELOG Mon Jun 29 17:29:45 2020 +0200 @@ -1,3 +1,5 @@ +* Escape external string (issue9394) + Version 5.4.9 - 2020-06-16 * Bug fixes (see mercurial logs for details) diff -r bbf704614f1b -r 9997dcd8f948 src/tab.js --- a/src/tab.jsTue Jun 16 19:13:56 2020 +0200 +++ b/src/tab.jsMon Jun 29 17:29:45 2020 +0200 @@ -406,7 +406,7 @@ role: 'tabpanel', 'class': 'tab-pane', id: tab.id -}).html(tab.el) +}).append(tab.el) .appendTo(tabcontent); tab_link.tab('show'); tabs.trigger('ready'); @@ -1361,7 +1361,7 @@ }.bind(this)); this.create_tabcontent(); this.set_name(this.name); -this.title.html(this.name_el.text()); +this.title.text(this.name_el.text()); }, compare: function(attributes) { if (!attributes) { @@ -1401,7 +1401,7 @@ this.set_name(wizard.name); wizard.tab = this; this.create_tabcontent(); -this.title.html(this.name_el.text()); +this.title.text(this.name_el.text()); this.el.append(wizard.form); }, create_toolbar: function() { diff -r bbf704614f1b -r 9997dcd8f948 src/view/form.js --- a/src/view/form.js Tue Jun 16 19:13:56 2020 +0200 +++ b/src/view/form.js Mon Jun 29 17:29:45 2020 +0200 @@ -755,7 +755,7 @@ .append(img) .text(text)) .appendTo(this.nav); -pane.html(tab).appendTo(this.panes); +pane.append(tab).appendTo(this.panes); if (!this.selected) { // Can not use .tab('show') page.addClass('active'); diff -r bbf704614f1b -r 9997dcd8f948 src/view/tree.js --- a/src/view/tree.js Tue Jun 16 19:13:56 2020 +0200 +++ b/src/view/tree.js Mon Jun 29 17:29:45 2020 +0200 
@@ -1279,7 +1279,7 @@ if (item.length) { prefix.render(this.record, item); } else { -prefix_el.html(prefix.render(this.record)); + prefix_el.empty().append(prefix.render(this.record)); } } } @@ -1288,7 +1288,7 @@ if (item.length) { column.render(this.record, item); } else { -widget.html(column.render(this.record)); +widget.empty().append(column.render(this.record)); } if (column.suffixes) { for (var k = 0; k < column.suffixes.length; k++) { @@ -1298,7 +1298,7 @@ if (item.length) { suffix.render(this.record, item); } else { -suffix_el.html(suffix.render(this.record)); + suffix_el.empty().append(suffix.render(this.record)); } } } @@ -1635,7 +1635,7 @@ this.tree.columns.forEach(function(col, idx) { var td = this._get_column_td(idx); var static_el = this.get_static_el(td); -static_el.html(col.render(this.record)).show(); +static_el.empty().append(col.render(this.record)).show(); this.get_editable_el(td) .empty() .data('widget', null) diff -r bbf704614f1b -r 9997dcd8f948 src/window.js --- a/src/window.js Tue Jun 16 19:13:56 2020 +0200 +++ b/src/window.js Mon Jun 29 17:29:45 2020 +0200 @@ -1094,7 +1094,7 @@ for(var i=0; i', { 'val': this.encodings[i] -}).html(this.encodings[i]).appendTo(this.el_csv_encoding); +}).append(this.encodings[i]).appendTo(this.el_csv_encoding); } var enc = 'utf-8'; @@ -1196,7 +1196,7 @@ var field = el_field.attr('field'); var node = jQuery('', { 'field': field, -}).html(el_field.attr('name')).click(function(e) { +}).text(el_field.attr('name')).click(function(e) { if (e.ctrlKey) {
[tryton-commits] changeset in sao:5.6 Sanitize RichtText fields content
changeset bea22c5b2072 in sao:5.6 details: https://hg.tryton.org/sao?cmd=changeset;node=bea22c5b2072 description: Sanitize RichtText fields content issue9405 review327451002 (grafted from 4e0e93b11cad63c6b25f5230055653edb21a334c) diffstat: CHANGELOG |1 + COPYRIGHT |1 + Gruntfile.js |3 +- src/html_sanitizer.js | 105 ++ src/view/form.js |5 +- tests/sao.js | 19 + 6 files changed, 131 insertions(+), 3 deletions(-) diffs (192 lines): diff -r 6d7c2dbd02a4 -r bea22c5b2072 CHANGELOG --- a/CHANGELOG Mon Jun 29 17:29:45 2020 +0200 +++ b/CHANGELOG Mon Jun 29 17:33:06 2020 +0200 @@ -1,3 +1,4 @@ +* Sanitize RichtText fields content (issue9405) * Escape external string (issue9394) Version 5.6.3 - 2020-06-16 diff -r 6d7c2dbd02a4 -r bea22c5b2072 COPYRIGHT --- a/COPYRIGHT Mon Jun 29 17:29:45 2020 +0200 +++ b/COPYRIGHT Mon Jun 29 17:33:06 2020 +0200 @@ -2,6 +2,7 @@ Copyright (C) 2012-2020 Cédric Krier. Copyright (C) 2012-2014 Bertrand Chenal. Copyright (C) 2012-2020 B2CK SPRL. +Copyright (C) 2019 Jitbit. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff -r 6d7c2dbd02a4 -r bea22c5b2072 Gruntfile.js --- a/Gruntfile.js Mon Jun 29 17:29:45 2020 +0200 +++ b/Gruntfile.js Mon Jun 29 17:33:06 2020 +0200 @@ -23,7 +23,8 @@ 'src/wizard.js', 'src/board.js', 'src/bus.js', - 'src/plugins.js' + 'src/plugins.js', + 'src/html_sanitizer.js' ]; // Project configuration. diff -r 6d7c2dbd02a4 -r bea22c5b2072 src/html_sanitizer.js --- /dev/null Thu Jan 01 00:00:00 1970 + +++ b/src/html_sanitizer.js Mon Jun 29 17:33:06 2020 +0200 
@@ -0,0 +1,105 @@ +/* +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the "Software"), to +deal in the Software without restriction, including without limitation the +rights to use, copy, modify, merge, publish, distribute, sublicense, and/or +sell copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. 
+*/ + +(function () { +'use strict'; + +var tag_whitelist = { +B: true, +BODY: true, +BR: true, +DIV: true, +FONT: true, +I: true, +U: true, +}; + +var attribute_whitelist = { +align: true, +color: true, +face: true, +size: true, +}; + +Sao.HtmlSanitizer = {}; +Sao.HtmlSanitizer.sanitize = function(input) { +input = input.trim(); +// to save performance and not create iframe +if (input == "") return ""; + +// firefox "bogus node" workaround +if (input == "") return ""; + +var iframe = document.createElement('iframe'); +if (iframe.sandbox === undefined) { +// Browser does not support sandboxed iframes +console.warn("Your browser do not support sandboxed iframes," + +" unable to sanitize HTML."); +return input; +} +iframe.sandbox = 'allow-same-origin'; +iframe.style.display = 'none'; +// necessary so the iframe contains a document +document.body.appendChild(iframe); +var iframedoc = (iframe.contentDocument || +iframe.contentWindow.document); +// null in IE +if (iframedoc.body == null) { +iframedoc.write(""); +} +iframedoc.body.innerHTML = input; + +function make_sanitized_copy(node) { +var new_node; +if (node.nodeType == Node.TEXT_NODE) { +new_node = node.cloneNode(true); +} else if (node.nodeType == Node.ELEMENT_NODE && +tag_whitelist[node.tagName]) { +//remove useless empty tags +if ((node.tagName != "BR") && node.innerHTML.trim() == "") { +return document.createDocumentFragment(); +} + +new_node = iframedoc.createElement(node.tagName); + +for (var i = 0; i < node.attributes.length; i++) { +var attr = node.attributes[i]; +
[tryton-commits] changeset in sao:5.2 Escape external strings
changeset bb05591968e8 in sao:5.2 details: https://hg.tryton.org/sao?cmd=changeset;node=bb05591968e8 description: Escape external strings issue9394 review293931002 (grafted from d1858845ab3aebd0788b18c667c58617ee54ad4f) diffstat: CHANGELOG| 2 ++ src/tab.js | 6 +++--- src/view/form.js | 2 +- src/view/tree.js | 7 --- src/window.js| 12 ++-- 5 files changed, 16 insertions(+), 13 deletions(-) diffs (146 lines): diff -r 9f7eff972320 -r bb05591968e8 CHANGELOG --- a/CHANGELOG Tue Jun 16 19:14:46 2020 +0200 +++ b/CHANGELOG Mon Jun 29 17:29:45 2020 +0200 @@ -1,3 +1,5 @@ +* Escape external string (issue9394) + Version 5.2.17 - 2020-06-16 * Bug fixes (see mercurial logs for details) diff -r 9f7eff972320 -r bb05591968e8 src/tab.js --- a/src/tab.jsTue Jun 16 19:14:46 2020 +0200 +++ b/src/tab.jsMon Jun 29 17:29:45 2020 +0200 @@ -404,7 +404,7 @@ role: 'tabpanel', 'class': 'tab-pane', id: tab.id -}).html(tab.el) +}).append(tab.el) .appendTo(tabcontent); tab_link.tab('show'); tabs.trigger('ready'); @@ -1356,7 +1356,7 @@ }.bind(this)); this.create_tabcontent(); this.set_name(this.name); -this.title.html(this.name_el.text()); +this.title.text(this.name_el.text()); }, compare: function(attributes) { if (!attributes) { @@ -1396,7 +1396,7 @@ this.set_name(wizard.name); wizard.tab = this; this.create_tabcontent(); -this.title.html(this.name_el.text()); +this.title.text(this.name_el.text()); this.el.append(wizard.form); }, create_toolbar: function() { diff -r 9f7eff972320 -r bb05591968e8 src/view/form.js --- a/src/view/form.js Tue Jun 16 19:14:46 2020 +0200 +++ b/src/view/form.js Mon Jun 29 17:29:45 2020 +0200 @@ -730,7 +730,7 @@ .append(img) .text(text)) .appendTo(this.nav); -pane.html(tab).appendTo(this.panes); +pane.append(tab).appendTo(this.panes); if (!this.selected) { // Can not use .tab('show') page.addClass('active'); diff -r 9f7eff972320 -r bb05591968e8 src/view/tree.js --- a/src/view/tree.js Tue Jun 16 19:14:46 2020 +0200 +++ b/src/view/tree.js Mon Jun 29 17:29:45 2020 +0200 
@@ -1004,6 +1004,7 @@ if (cell.length) { prefix.render(this.record, cell); } else { + prefix_el.empty().append(prefix.render(this.record)); prefix_el.html(prefix.render(this.record)); } } @@ -1013,7 +1014,7 @@ if (cell.length) { column.render(this.record, cell); } else { -widget.html(column.render(this.record)); +widget.empty().append(column.render(this.record)); } if (column.suffixes) { for (var k = 0; k < column.suffixes.length; k++) { @@ -1023,7 +1024,7 @@ if (cell.length) { suffix.render(this.record, cell); } else { -suffix_el.html(suffix.render(this.record)); + suffix_el.empty().append(suffix.render(this.record)); } } } @@ -1327,7 +1328,7 @@ this.tree.columns.forEach(function(col, idx) { var td = this._get_column_td(idx); var static_el = this.get_static_el(td); -static_el.html(col.render(this.record)).show(); +static_el.empty().append(col.render(this.record)).show(); this.get_editable_el(td) .empty() .data('widget', null) diff -r 9f7eff972320 -r bb05591968e8 src/window.js --- a/src/window.js Tue Jun 16 19:14:46 2020 +0200 +++ b/src/window.js Mon Jun 29 17:29:45 2020 +0200 @@ -1100,7 +1100,7 @@ for(var i=0; i', { 'val': this.encodings[i] -}).html(this.encodings[i]).appendTo(this.el_csv_encoding); +}).append(this.encodings[i]).appendTo(this.el_csv_encoding); } var enc = 'utf-8'; @@ -1204,7 +1204,7 @@ var field = el_field.attr('field'); var node = jQuery('', { 'field': field, -}).html(el_field.attr('name')).click(function(e) { +}).text(el_field.attr('name')).click(function(e) { if (e.ctrlKey) { node.toggleClass('bg-primary'); } else { @@ -1228,7 +1228,7 @@ var node =
[tryton-commits] changeset in sao:default Escape external strings
changeset d1858845ab3a in sao:default details: https://hg.tryton.org/sao?cmd=changeset;node=d1858845ab3a description: Escape external strings issue9394 review293931002 diffstat: CHANGELOG| 1 + src/board.js | 4 ++-- src/tab.js | 6 +++--- src/view/form.js | 2 +- src/view/tree.js | 8 src/window.js| 16 6 files changed, 19 insertions(+), 18 deletions(-) diffs (174 lines): diff -r e2b40d5d11b2 -r d1858845ab3a CHANGELOG --- a/CHANGELOG Fri Jun 19 00:20:27 2020 +0200 +++ b/CHANGELOG Mon Jun 29 17:29:45 2020 +0200 @@ -1,3 +1,4 @@ +* Escape external string (issue9394) * Keep context in sessionStorage * Use existing context for get_preferences * Escape external strings (issue9351) diff -r e2b40d5d11b2 -r d1858845ab3a src/board.js --- a/src/board.js Fri Jun 19 00:20:27 2020 +0200 +++ b/src/board.js Mon Jun 29 17:29:45 2020 +0200 @@ -137,9 +137,9 @@ params); if (attributes.string) { -this.title.html(attributes.string); +this.title.text(attributes.string); } else { -this.title.html(this.action.name); +this.title.text(this.action.name); } this.screen.switch_view().done(function() { this.body.append(this.screen.screen_container.el); diff -r e2b40d5d11b2 -r d1858845ab3a src/tab.js --- a/src/tab.jsFri Jun 19 00:20:27 2020 +0200 +++ b/src/tab.jsMon Jun 29 17:29:45 2020 +0200 @@ -406,7 +406,7 @@ role: 'tabpanel', 'class': 'tab-pane', id: tab.id -}).html(tab.el) +}).append(tab.el) .appendTo(tabcontent); tab_link.tab('show'); tabs.trigger('ready'); @@ -1358,7 +1358,7 @@ }.bind(this)); this.create_tabcontent(); this.set_name(this.name); -this.title.html(this.name_el.text()); +this.title.text(this.name_el.text()); }, compare: function(attributes) { if (!attributes) { @@ -1398,7 +1398,7 @@ this.set_name(wizard.name); wizard.tab = this; this.create_tabcontent(); -this.title.html(this.name_el.text()); +this.title.text(this.name_el.text()); this.el.append(wizard.form); }, create_toolbar: function() { diff -r e2b40d5d11b2 -r d1858845ab3a src/view/form.js 
--- a/src/view/form.js Fri Jun 19 00:20:27 2020 +0200 +++ b/src/view/form.js Mon Jun 29 17:29:45 2020 +0200 @@ -780,7 +780,7 @@ .append(img) .text(text)) .appendTo(this.nav); -pane.html(tab).appendTo(this.panes); +pane.append(tab).appendTo(this.panes); if (!this.selected) { // Can not use .tab('show') page.addClass('active'); diff -r e2b40d5d11b2 -r d1858845ab3a src/view/tree.js --- a/src/view/tree.js Fri Jun 19 00:20:27 2020 +0200 +++ b/src/view/tree.js Mon Jun 29 17:29:45 2020 +0200 @@ -1337,7 +1337,7 @@ if (item.length) { prefix.render(this.record, item); } else { -prefix_el.html(prefix.render(this.record)); + prefix_el.empty().append(prefix.render(this.record)); } } } @@ -1346,7 +1346,7 @@ if (item.length) { column.render(this.record, item); } else { -widget.html(column.render(this.record)); +widget.empty().append(column.render(this.record)); } if (column.suffixes) { for (var k = 0; k < column.suffixes.length; k++) { @@ -1356,7 +1356,7 @@ if (item.length) { suffix.render(this.record, item); } else { -suffix_el.html(suffix.render(this.record)); + suffix_el.empty().append(suffix.render(this.record)); } } } @@ -1693,7 +1693,7 @@ this.tree.columns.forEach(function(col, idx) { var td = this._get_column_td(idx); var static_el = this.get_static_el(td); -static_el.html(col.render(this.record)).show(); +static_el.empty().append(col.render(this.record)).show(); this.get_editable_el(td) .empty() .data('widget', null) diff -r e2b40d5d11b2 -r d1858845ab3a src/window.js --- a/src/window.js Fri Jun 19 00:20:27 2020 +0200 +++