From 27aa7e79d3c6e65f1126f9fd167bc12425332b79 Mon Sep 17 00:00:00 2001 From: llj Date: Thu, 19 Mar 2015 15:40:40 +0800 Subject: [PATCH] [lib] added necessary 'escape' Conflicts: seahub/views/ajax.py --- media/scripts/app/views/dir.js | 10 +++++----- media/scripts/app/views/dirent.js | 17 ++++++----------- seahub/templates/js/dirent.html | 6 +++--- seahub/templates/js/path-bar.html | 4 ++-- seahub/views/ajax.py | 8 ++++---- 5 files changed, 20 insertions(+), 25 deletions(-) diff --git a/media/scripts/app/views/dir.js b/media/scripts/app/views/dir.js index 8f3025a4ff..35f427ad57 100644 --- a/media/scripts/app/views/dir.js +++ b/media/scripts/app/views/dir.js @@ -423,7 +423,7 @@ define([ } else { msg_s = gettext("Successfully deleted %(name)s and %(amount)s other items."); } - msg_s = msg_s.replace('%(name)s', data['deleted'][0]).replace('%(amount)s', del_len - 1); + msg_s = msg_s.replace('%(name)s', Common.HTMLescape(data['deleted'][0])).replace('%(amount)s', del_len - 1); Common.feedback(msg_s, 'success'); } if (not_del_len > 0) { @@ -434,7 +434,7 @@ define([ } else { msg_f = gettext("Internal error. Failed to delete %(name)s and %(amount)s other items."); } - msg_f = msg_f.replace('%(name)s', data['undeleted'][0]).replace('%(amount)s', not_del_len - 1); + msg_f = msg_f.replace('%(name)s', Common.HTMLescape(data['undeleted'][0])).replace('%(amount)s', not_del_len - 1); Common.feedback(msg_f, 'error'); } $.modal.close(); @@ -569,7 +569,7 @@ define([ } } - msg_s = msg_s.replace('%(name)s', data['success'][0]).replace('%(amount)s', success_len - 1); + msg_s = msg_s.replace('%(name)s', Common.HTMLescape(data['success'][0])).replace('%(amount)s', success_len - 1); //msg_s += ' ' + "View" + ''; Common.feedback(msg_s, 'success'); } 
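Review bot: The `+` line still passes the escaped name as a plain replacement string to `String.prototype.replace`, which expands dollar sequences such as `$&`, `$'` and `$$` in the replacement, so a file name containing `$'` would splice the tail of the template into the message; `Common.HTMLescape` does not neutralise `$`. Returning the value from a function sidesteps the substitution: `msg_s = msg_s.replace('%(name)s', function () { return Common.HTMLescape(data['deleted'][0]); }).replace('%(amount)s', del_len - 1);`. The same applies to the `.replace('%(name)s', …)` and `.replace('{placeholder}', …)` lines in the other dir.js hunks (@@ -434, -569, -588, -648) and in the dirent.js hunks (@@ -196, -217, -281, -356). This is a display defect rather than an injection, since the spliced text is the trusted template, and the enclosing functions start and end outside these hunks.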
@@ -588,7 +588,7 @@ define([ msg_f = gettext("Internal error. Failed to copy %(name)s."); } } - msg_f = msg_f.replace('%(name)s', data['failed'][0]).replace('%(amount)s', data['failed'].length - 1); + msg_f = msg_f.replace('%(name)s', Common.HTMLescape(data['failed'][0])).replace('%(amount)s', data['failed'].length - 1); Common.feedback(msg_f, 'error'); } }, @@ -648,7 +648,7 @@ define([ } else { // failed or canceled if (data['failed']) { var error_msg = op == 'mv' ? gettext('Failed to move %(name)s') : gettext('Failed to copy %(name)s'); - cancel_btn.after('

' + error_msg.replace('%(name)s', obj_name) + '

'); + cancel_btn.after('

' + error_msg.replace('%(name)s', Common.HTMLescape(obj_name)) + '

'); end(); } } diff --git a/media/scripts/app/views/dirent.js b/media/scripts/app/views/dirent.js index 06ec88d679..2082b28d55 100644 --- a/media/scripts/app/views/dirent.js +++ b/media/scripts/app/views/dirent.js @@ -196,7 +196,7 @@ define([ el.remove(); app.globalState.noFileOpPopup = true; // make other items can work normally when hover var msg = gettext("Successfully deleted %(name)s"); - msg = msg.replace('%(name)s', dirent_name); + msg = msg.replace('%(name)s', Common.HTMLescape(dirent_name)); Common.feedback(msg, 'success'); }, error: Common.ajaxErrorHandler @@ -217,7 +217,7 @@ define([ $('#simplemodal-container').css({'width':'auto', 'height':'auto'}); var op_detail = $('.detail', form); - op_detail.html(op_detail.html().replace('%(name)s', '' + dirent_name + '')); + op_detail.html(op_detail.html().replace('%(name)s', '' + Common.HTMLescape(dirent_name) + '')); var form_id = form.attr('id'); var _this = this; @@ -281,14 +281,9 @@ define([ obj_name = this.model.get('obj_name'), obj_type = this.model.get('is_dir') ? 'dir' : 'file'; - var title; - if (op_type == 'mv') { - title = gettext("Move {placeholder} to:") - .replace('{placeholder}', '' + obj_name + ''); - } else { - title = gettext("Copy {placeholder} to:") - .replace('{placeholder}', '' + obj_name + ''); - } + var title = op_type == 'mv' ? gettext("Move {placeholder} to:") : gettext("Copy {placeholder} to:"); + title = title.replace('{placeholder}', '' + Common.HTMLescape(obj_name) + ''); + var form = $(this.mvcpTemplate({ form_title: title, op_type: op_type, @@ -361,7 +356,7 @@ define([ paddingTop: 50 }, focus:false}); var det_text = op == 'mv' ? gettext("Moving %(name)s") : gettext("Copying %(name)s"); - details.html(det_text.replace('%(name)s', obj_name)).removeClass('vh'); + details.html(det_text.replace('%(name)s', Common.HTMLescape(obj_name))).removeClass('vh'); $('#mv-progress').progressbar(); req_progress(); }, 100); 
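Review bot: In the @@ -281 hunk `title` now carries the escaped name inside markup and is handed to `this.mvcpTemplate` as `form_title`, so that template must interpolate it raw (`<%=`); an `<%-` there would render the markup and the already-escaped entities as visible text, and the template is outside this hunk so I cannot confirm which form it uses. A one-line comment above the assignment would pin the contract for the next person to touch the template: `// form_title is pre-escaped HTML; the template must interpolate it with <%=, not <%-`. The enclosing method starts before this hunk and ends after it.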
diff --git a/seahub/templates/js/dirent.html b/seahub/templates/js/dirent.html index fb966e4bf0..025bf1c17a 100644 --- a/seahub/templates/js/dirent.html +++ b/seahub/templates/js/dirent.html @@ -7,9 +7,9 @@ {% trans <% if (category) { %> - <%= dirent.obj_name %> + <%- dirent.obj_name %> <% } else { %> - <%= dirent.obj_name %> + <%- dirent.obj_name %> <% } %> @@ -62,7 +62,7 @@ <% } %> - <%= dirent.obj_name %> + <%- dirent.obj_name %> <%= dirent.file_size %> diff --git a/seahub/templates/js/path-bar.html b/seahub/templates/js/path-bar.html index b6531169ee..3238e3b862 100644 --- a/seahub/templates/js/path-bar.html +++ b/seahub/templates/js/path-bar.html @@ -9,7 +9,7 @@ <% } else { %> <%- repo_name %> / <% for (var i = 0,len = path_list.length - 1; i < len; i++) { %> -<%= path_list[i] %> / + <%- path_list[i] %> / <% } %> -<% print(path_list[i] + ' /'); %> +<%- path_list[i] + ' /' %> <% } %> diff --git a/seahub/views/ajax.py b/seahub/views/ajax.py index cab9a70993..3fad725897 100644 --- a/seahub/views/ajax.py +++ b/seahub/views/ajax.py @@ -695,7 +695,7 @@ def delete_dirent(request, repo_id): content_type=content_type) except SearpcError, e: logger.error(e) - err_msg = _(u'Internal error. Failed to delete %s.') % dirent_name + err_msg = _(u'Internal error. Failed to delete %s.') % escape(dirent_name) return HttpResponse(json.dumps({'error': err_msg}), status=500, content_type=content_type) @@ -841,7 +841,7 @@ def cp_file(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username): content_type=content_type) result['success'] = True - msg = _(u'Successfully copied %(name)s') % {"name":escape(obj_name)} + msg = _(u'Successfully copied %(name)s') % {"name": escape(obj_name)} result['msg'] = msg if res.background: 
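Review bot: In the @@ -62 hunk of dirent.html, `<%= dirent.file_size %>` on the line after the changed one is still raw interpolation while `obj_name` beside it moved to `<%-`; if `file_size` is a server-formatted string rather than a number it should switch as well, so the template applies one escaping rule per dirent field — its type is not visible from this hunk. Switching a numeric field to `<%-` costs nothing, so the consistent form is the safer default. If `obj_name` is also written into an `href` or other URL attribute elsewhere in this template, HTML escaping is not the right encoding for that context and `encodeURIComponent` would be needed there instead.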
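Review bot: The new `escape(dirent_name)` in the `except SearpcError` branch makes `error` a server-escaped HTML string, whereas the structured name lists this view family returns (`deleted`/`undeleted`/`success`/`failed`, as used in the dir.js hunks above) are presumably returned raw, since the client escapes them with `Common.HTMLescape`; the split only works if `Common.ajaxErrorHandler` inserts `error` as HTML without escaping it a second time, which I cannot see from this hunk. A comment at the escape site would record the boundary: `# prose 'error'/'msg' strings are HTML-escaped here; name lists are returned raw and escaped by the client`. `escape()` returns a SafeText, which `json.dumps` serialises as an ordinary string, so nothing is lost on the wire. delete_dirent starts before this hunk and its other return paths are not visible here.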
@@ -886,7 +886,7 @@ def mv_dir(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username): content_type=content_type) result['success'] = True - msg = _(u'Successfully moved %(name)s') % {"name":escape(obj_name)} + msg = _(u'Successfully moved %(name)s') % {"name": escape(obj_name)} result['msg'] = msg if res.background: result['task_id'] = res.task_id @@ -929,7 +929,7 @@ def cp_dir(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username): content_type=content_type) result['success'] = True - msg = _(u'Successfully copied %(name)s') % {"name":escape(obj_name)} + msg = _(u'Successfully copied %(name)s') % {"name": escape(obj_name)} result['msg'] = msg if res.background: result['task_id'] = res.task_id