diff --git a/media/scripts/app/views/dir.js b/media/scripts/app/views/dir.js
index 8f3025a4ff..35f427ad57 100644
--- a/media/scripts/app/views/dir.js
+++ b/media/scripts/app/views/dir.js
@@ -423,7 +423,7 @@ define([
} else {
msg_s = gettext("Successfully deleted %(name)s and %(amount)s other items.");
}
- msg_s = msg_s.replace('%(name)s', data['deleted'][0]).replace('%(amount)s', del_len - 1);
+ msg_s = msg_s.replace('%(name)s', Common.HTMLescape(data['deleted'][0])).replace('%(amount)s', del_len - 1);
Common.feedback(msg_s, 'success');
}
if (not_del_len > 0) {
@@ -434,7 +434,7 @@ define([
} else {
msg_f = gettext("Internal error. Failed to delete %(name)s and %(amount)s other items.");
}
- msg_f = msg_f.replace('%(name)s', data['undeleted'][0]).replace('%(amount)s', not_del_len - 1);
+ msg_f = msg_f.replace('%(name)s', Common.HTMLescape(data['undeleted'][0])).replace('%(amount)s', not_del_len - 1);
Common.feedback(msg_f, 'error');
}
$.modal.close();
@@ -569,7 +569,7 @@ define([
}
}
- msg_s = msg_s.replace('%(name)s', data['success'][0]).replace('%(amount)s', success_len - 1);
+ msg_s = msg_s.replace('%(name)s', Common.HTMLescape(data['success'][0])).replace('%(amount)s', success_len - 1);
//msg_s += ' ' + "View" + '';
Common.feedback(msg_s, 'success');
}
@@ -588,7 +588,7 @@ define([
msg_f = gettext("Internal error. Failed to copy %(name)s.");
}
}
- msg_f = msg_f.replace('%(name)s', data['failed'][0]).replace('%(amount)s', data['failed'].length - 1);
+ msg_f = msg_f.replace('%(name)s', Common.HTMLescape(data['failed'][0])).replace('%(amount)s', data['failed'].length - 1);
Common.feedback(msg_f, 'error');
}
},
@@ -648,7 +648,7 @@ define([
} else { // failed or canceled
if (data['failed']) {
var error_msg = op == 'mv' ? gettext('Failed to move %(name)s') : gettext('Failed to copy %(name)s');
- cancel_btn.after('' + error_msg.replace('%(name)s', obj_name) + '
');
+ cancel_btn.after('' + error_msg.replace('%(name)s', Common.HTMLescape(obj_name)) + '
');
end();
}
}
diff --git a/media/scripts/app/views/dirent.js b/media/scripts/app/views/dirent.js
index 06ec88d679..2082b28d55 100644
--- a/media/scripts/app/views/dirent.js
+++ b/media/scripts/app/views/dirent.js
@@ -196,7 +196,7 @@ define([
el.remove();
app.globalState.noFileOpPopup = true; // make other items can work normally when hover
var msg = gettext("Successfully deleted %(name)s");
- msg = msg.replace('%(name)s', dirent_name);
+ msg = msg.replace('%(name)s', Common.HTMLescape(dirent_name));
Common.feedback(msg, 'success');
},
error: Common.ajaxErrorHandler
@@ -217,7 +217,7 @@ define([
$('#simplemodal-container').css({'width':'auto', 'height':'auto'});
var op_detail = $('.detail', form);
- op_detail.html(op_detail.html().replace('%(name)s', '' + dirent_name + ''));
+ op_detail.html(op_detail.html().replace('%(name)s', '' + Common.HTMLescape(dirent_name) + ''));
var form_id = form.attr('id');
var _this = this;
@@ -281,14 +281,9 @@ define([
obj_name = this.model.get('obj_name'),
obj_type = this.model.get('is_dir') ? 'dir' : 'file';
- var title;
- if (op_type == 'mv') {
- title = gettext("Move {placeholder} to:")
- .replace('{placeholder}', '' + obj_name + '');
- } else {
- title = gettext("Copy {placeholder} to:")
- .replace('{placeholder}', '' + obj_name + '');
- }
+ var title = op_type == 'mv' ? gettext("Move {placeholder} to:") : gettext("Copy {placeholder} to:");
+ title = title.replace('{placeholder}', '' + Common.HTMLescape(obj_name) + '');
+
var form = $(this.mvcpTemplate({
form_title: title,
op_type: op_type,
@@ -361,7 +356,7 @@ define([
paddingTop: 50
}, focus:false});
var det_text = op == 'mv' ? gettext("Moving %(name)s") : gettext("Copying %(name)s");
- details.html(det_text.replace('%(name)s', obj_name)).removeClass('vh');
+ details.html(det_text.replace('%(name)s', Common.HTMLescape(obj_name))).removeClass('vh');
$('#mv-progress').progressbar();
req_progress();
}, 100);
diff --git a/seahub/templates/js/dirent.html b/seahub/templates/js/dirent.html
index fb966e4bf0..025bf1c17a 100644
--- a/seahub/templates/js/dirent.html
+++ b/seahub/templates/js/dirent.html
@@ -7,9 +7,9 @@
 |
<% if (category) { %>
- <%= dirent.obj_name %>
+ <%- dirent.obj_name %>
<% } else { %>
- <%= dirent.obj_name %>
+ <%- dirent.obj_name %>
<% } %>
|
|
@@ -62,7 +62,7 @@
<% } %>
- <%= dirent.obj_name %>
+ <%- dirent.obj_name %>
|
<%= dirent.file_size %> |
diff --git a/seahub/templates/js/path-bar.html b/seahub/templates/js/path-bar.html
index b6531169ee..3238e3b862 100644
--- a/seahub/templates/js/path-bar.html
+++ b/seahub/templates/js/path-bar.html
@@ -9,7 +9,7 @@
<% } else { %>
<%- repo_name %> /
<% for (var i = 0,len = path_list.length - 1; i < len; i++) { %>
-<%= path_list[i] %> /
+ <%- path_list[i] %> /
<% } %>
-<% print(path_list[i] + ' /'); %>
+<%- path_list[i] + ' /' %>
<% } %>
diff --git a/seahub/views/ajax.py b/seahub/views/ajax.py
index cab9a70993..3fad725897 100644
--- a/seahub/views/ajax.py
+++ b/seahub/views/ajax.py
@@ -695,7 +695,7 @@ def delete_dirent(request, repo_id):
content_type=content_type)
except SearpcError, e:
logger.error(e)
- err_msg = _(u'Internal error. Failed to delete %s.') % dirent_name
+ err_msg = _(u'Internal error. Failed to delete %s.') % escape(dirent_name)
return HttpResponse(json.dumps({'error': err_msg}),
status=500, content_type=content_type)
@@ -841,7 +841,7 @@ def cp_file(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username):
content_type=content_type)
result['success'] = True
- msg = _(u'Successfully copied %(name)s') % {"name":escape(obj_name)}
+ msg = _(u'Successfully copied %(name)s') % {"name": escape(obj_name)}
result['msg'] = msg
if res.background:
@@ -886,7 +886,7 @@ def mv_dir(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username):
content_type=content_type)
result['success'] = True
- msg = _(u'Successfully moved %(name)s') % {"name":escape(obj_name)}
+ msg = _(u'Successfully moved %(name)s') % {"name": escape(obj_name)}
result['msg'] = msg
if res.background:
result['task_id'] = res.task_id
@@ -929,7 +929,7 @@ def cp_dir(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username):
content_type=content_type)
result['success'] = True
- msg = _(u'Successfully copied %(name)s') % {"name":escape(obj_name)}
+ msg = _(u'Successfully copied %(name)s') % {"name": escape(obj_name)}
result['msg'] = msg
if res.background:
result['task_id'] = res.task_id
|