mirror of https://github.com/haiwen/seahub.git synced 2025-09-23 12:27:48 +00:00

[lib] added necessary 'escape'

Conflicts:
	seahub/views/ajax.py
llj
2015-03-19 15:40:40 +08:00
committed by Daniel Pan
parent 5005b78e54
commit 27aa7e79d3
5 changed files with 20 additions and 25 deletions


@@ -423,7 +423,7 @@ define([
} else {
msg_s = gettext("Successfully deleted %(name)s and %(amount)s other items.");
}
msg_s = msg_s.replace('%(name)s', data['deleted'][0]).replace('%(amount)s', del_len - 1);
msg_s = msg_s.replace('%(name)s', Common.HTMLescape(data['deleted'][0])).replace('%(amount)s', del_len - 1);
Common.feedback(msg_s, 'success');
}
if (not_del_len > 0) {
@@ -434,7 +434,7 @@ define([
} else {
msg_f = gettext("Internal error. Failed to delete %(name)s and %(amount)s other items.");
}
msg_f = msg_f.replace('%(name)s', data['undeleted'][0]).replace('%(amount)s', not_del_len - 1);
msg_f = msg_f.replace('%(name)s', Common.HTMLescape(data['undeleted'][0])).replace('%(amount)s', not_del_len - 1);
Common.feedback(msg_f, 'error');
}
$.modal.close();
@@ -569,7 +569,7 @@ define([
}
}
msg_s = msg_s.replace('%(name)s', data['success'][0]).replace('%(amount)s', success_len - 1);
msg_s = msg_s.replace('%(name)s', Common.HTMLescape(data['success'][0])).replace('%(amount)s', success_len - 1);
//msg_s += ' <a href="' + view_url + '">' + "View" + '</a>';
Common.feedback(msg_s, 'success');
}
@@ -588,7 +588,7 @@ define([
msg_f = gettext("Internal error. Failed to copy %(name)s.");
}
}
msg_f = msg_f.replace('%(name)s', data['failed'][0]).replace('%(amount)s', data['failed'].length - 1);
msg_f = msg_f.replace('%(name)s', Common.HTMLescape(data['failed'][0])).replace('%(amount)s', data['failed'].length - 1);
Common.feedback(msg_f, 'error');
}
},
@@ -648,7 +648,7 @@ define([
} else { // failed or canceled
if (data['failed']) {
var error_msg = op == 'mv' ? gettext('Failed to move %(name)s') : gettext('Failed to copy %(name)s');
cancel_btn.after('<p class="error">' + error_msg.replace('%(name)s', obj_name) + '</p>');
cancel_btn.after('<p class="error">' + error_msg.replace('%(name)s', Common.HTMLescape(obj_name)) + '</p>');
end();
}
}
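Review bot: The escaped name is still passed to `replace()` as a replacement string on the `msg_s`/`msg_f` lines, so a file name containing `$&` is expanded by `String.prototype.replace` and the feedback shows something other than the name, unless `Common.HTMLescape` also encodes `$` (not visible here). Passing a function avoids the expansion, for example `msg_s.replace('%(name)s', function () { return Common.HTMLescape(data['deleted'][0]); })`. The same applies to the `cancel_btn.after(...)` line in the last hunk and to the `replace('%(name)s', ...)` and `replace('{placeholder}', ...)` calls in the next file. The enclosing functions start and end outside these hunks.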


@@ -196,7 +196,7 @@ define([
el.remove();
app.globalState.noFileOpPopup = true; // make other items can work normally when hover
var msg = gettext("Successfully deleted %(name)s");
msg = msg.replace('%(name)s', dirent_name);
msg = msg.replace('%(name)s', Common.HTMLescape(dirent_name));
Common.feedback(msg, 'success');
},
error: Common.ajaxErrorHandler
@@ -217,7 +217,7 @@ define([
$('#simplemodal-container').css({'width':'auto', 'height':'auto'});
var op_detail = $('.detail', form);
op_detail.html(op_detail.html().replace('%(name)s', '<span class="op-target">' + dirent_name + '</span>'));
op_detail.html(op_detail.html().replace('%(name)s', '<span class="op-target">' + Common.HTMLescape(dirent_name) + '</span>'));
var form_id = form.attr('id');
var _this = this;
@@ -281,14 +281,9 @@ define([
obj_name = this.model.get('obj_name'),
obj_type = this.model.get('is_dir') ? 'dir' : 'file';
var title;
if (op_type == 'mv') {
title = gettext("Move {placeholder} to:")
.replace('{placeholder}', '<span class="op-target">' + obj_name + '</span>');
} else {
title = gettext("Copy {placeholder} to:")
.replace('{placeholder}', '<span class="op-target">' + obj_name + '</span>');
}
var title = op_type == 'mv' ? gettext("Move {placeholder} to:") : gettext("Copy {placeholder} to:");
title = title.replace('{placeholder}', '<span class="op-target">' + Common.HTMLescape(obj_name) + '</span>');
var form = $(this.mvcpTemplate({
form_title: title,
op_type: op_type,
@@ -361,7 +356,7 @@ define([
paddingTop: 50
}, focus:false});
var det_text = op == 'mv' ? gettext("Moving %(name)s") : gettext("Copying %(name)s");
details.html(det_text.replace('%(name)s', obj_name)).removeClass('vh');
details.html(det_text.replace('%(name)s', Common.HTMLescape(obj_name))).removeClass('vh');
$('#mv-progress').progressbar();
req_progress();
}, 100);
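Review bot: Nothing at the `title` lines in the -281 hunk records that `form_title` is handed to `mvcpTemplate` as markup, which is the only reason `obj_name` must be escaped before it is wrapped in the span. `mvcpTemplate` is not shown here, so this is inferred from the `<span class="op-target">` being concatenated into the string. A comment such as `// form_title is rendered as HTML by mvcpTemplate; keep obj_name escaped` above the `title.replace(...)` line would keep a later edit from dropping the escape. The enclosing function starts and ends outside the hunk.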


@@ -7,9 +7,9 @@
<td class="dirent-icon"><img src="{{ MEDIA_URL }}img/folder-icon-24.png" alt="{% trans "Directory icon" %}" /></td>
<td>
<% if (category) { %>
<span class="dirent-name"><a href="#<%= category %>/lib/<%= repo_id %><% print(dirent_path); %>" class="dir-link normal"><%= dirent.obj_name %></a></span>
<span class="dirent-name"><a href="#<%= category %>/lib/<%= repo_id %><% print(dirent_path); %>" class="dir-link normal"><%- dirent.obj_name %></a></span>
<% } else { %>
<span class="dirent-name"><a href="#lib/<%= repo_id %><% print(dirent_path); %>" class="dir-link normal"><%= dirent.obj_name %></a></span>
<span class="dirent-name"><a href="#lib/<%= repo_id %><% print(dirent_path); %>" class="dir-link normal"><%- dirent.obj_name %></a></span>
<% } %>
</td>
<td class="dirent-size"></td>
@@ -62,7 +62,7 @@
<% } %>
</td>
<td>
<span class="dirent-name"><a class="normal" href="{{ SITE_ROOT }}lib/<%= repo_id %>/file<% print(dirent_path); %>" target="_blank"><%= dirent.obj_name %></a></span>
<span class="dirent-name"><a class="normal" href="{{ SITE_ROOT }}lib/<%= repo_id %>/file<% print(dirent_path); %>" target="_blank"><%- dirent.obj_name %></a></span>
</td>
<td class="dirent-size"><%= dirent.file_size %></td>
<td class="dirent-update">
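Review bot: `dirent_path` is still written raw into the `href` attribute with `print(dirent_path)` on the same three anchor lines whose link text now uses `<%- %>`. Where that value is computed is not visible in these hunks; if it is built from the entry name without percent-encoding, the attribute keeps the exposure that the link text had. Confirm it is encoded where it is built, or emit it escaped as `<%- dirent_path %>`. The path-bar template in the next file has the same shape in `print(path_list.slice(0, i+1).join('/'))`.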


@@ -9,7 +9,7 @@
<% } else { %>
<a href="#<%= category %>/lib/<%= repo_id %>/" class="path-link normal"><%- repo_name %></a> /
<% for (var i = 0,len = path_list.length - 1; i < len; i++) { %>
<a href="#<%= category %>/lib/<%= repo_id %>/<% print(path_list.slice(0, i+1).join('/')); %>" class="path-link normal"><%= path_list[i] %></a> /
<a href="#<%= category %>/lib/<%= repo_id %>/<% print(path_list.slice(0, i+1).join('/')); %>" class="path-link normal"><%- path_list[i] %></a> /
<% } %>
<% print(path_list[i] + ' /'); %>
<%- path_list[i] + ' /' %>
<% } %>


@@ -695,7 +695,7 @@ def delete_dirent(request, repo_id):
content_type=content_type)
except SearpcError, e:
logger.error(e)
err_msg = _(u'Internal error. Failed to delete %s.') % dirent_name
err_msg = _(u'Internal error. Failed to delete %s.') % escape(dirent_name)
return HttpResponse(json.dumps({'error': err_msg}),
status=500, content_type=content_type)
@@ -841,7 +841,7 @@ def cp_file(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username):
content_type=content_type)
result['success'] = True
msg = _(u'Successfully copied %(name)s') % {"name":escape(obj_name)}
msg = _(u'Successfully copied %(name)s') % {"name": escape(obj_name)}
result['msg'] = msg
if res.background:
@@ -886,7 +886,7 @@ def mv_dir(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username):
content_type=content_type)
result['success'] = True
msg = _(u'Successfully moved %(name)s') % {"name":escape(obj_name)}
msg = _(u'Successfully moved %(name)s') % {"name": escape(obj_name)}
result['msg'] = msg
if res.background:
result['task_id'] = res.task_id
@@ -929,7 +929,7 @@ def cp_dir(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username):
content_type=content_type)
result['success'] = True
msg = _(u'Successfully copied %(name)s') % {"name":escape(obj_name)}
msg = _(u'Successfully copied %(name)s') % {"name": escape(obj_name)}
result['msg'] = msg
if res.background:
result['task_id'] = res.task_id
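Review bot: The `error` string returned by `delete_dirent` now carries HTML entities, but nothing at the `err_msg` line says the JSON field is meant for an HTML sink. The consumer is not visible here; a client that renders `error` as plain text would show `&amp;`-style entities to the user, and one that escapes again would double-encode. A comment such as `# err_msg is inserted as HTML by the web client, so dirent_name is escaped here` would record the contract, and it applies equally to the `msg` values in `cp_file`, `mv_dir` and `cp_dir`. The body of `delete_dirent` continues outside the hunk.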