Fix xss in formating people list in sharing dialog
This commit is contained in:
parent
756177c952
commit
74b7428d21
@ -89,7 +89,7 @@ define([
|
|||||||
});
|
});
|
||||||
|
|
||||||
// use select2 to 'user' input in 'add user perm'
|
// use select2 to 'user' input in 'add user perm'
|
||||||
$('[name="email"]', $add_user_perm).select2(Common.contactInputOptionsForSelect2);
|
$('[name="email"]', $add_user_perm).select2(Common.contactInputOptionsForSelect2());
|
||||||
|
|
||||||
// use select2 to 'group' input in 'add group perm'
|
// use select2 to 'group' input in 'add group perm'
|
||||||
var groups = app.pageOptions.groups || [],
|
var groups = app.pageOptions.groups || [],
|
||||||
|
@ -79,11 +79,11 @@ define([
|
|||||||
'submit #send-upload-link-form': 'sendUploadLink',
|
'submit #send-upload-link-form': 'sendUploadLink',
|
||||||
'click #cancel-share-upload-link': 'cancelShareUploadLink',
|
'click #cancel-share-upload-link': 'cancelShareUploadLink',
|
||||||
'click #delete-upload-link': 'deleteUploadLink',
|
'click #delete-upload-link': 'deleteUploadLink',
|
||||||
|
|
||||||
// file private share
|
// file private share
|
||||||
'submit #file-private-share-form': 'filePrivateShare',
|
'submit #file-private-share-form': 'filePrivateShare',
|
||||||
|
|
||||||
// dir private share
|
// dir private share
|
||||||
'submit #dir-private-share-form': 'dirPrivateShare'
|
'submit #dir-private-share-form': 'dirPrivateShare'
|
||||||
},
|
},
|
||||||
|
|
||||||
@ -263,7 +263,7 @@ define([
|
|||||||
Common.showFormError(form_id, gettext("Please input at least an email."));
|
Common.showFormError(form_id, gettext("Please input at least an email."));
|
||||||
return false;
|
return false;
|
||||||
};
|
};
|
||||||
|
|
||||||
var submit_btn = $('[type="submit"]', form);
|
var submit_btn = $('[type="submit"]', form);
|
||||||
var sending_tip = $('.sending-tip', form);
|
var sending_tip = $('.sending-tip', form);
|
||||||
Common.disableButton(submit_btn);
|
Common.disableButton(submit_btn);
|
||||||
@ -315,10 +315,10 @@ define([
|
|||||||
other_post_data: {
|
other_post_data: {
|
||||||
file_shared_link: this.download_link,
|
file_shared_link: this.download_link,
|
||||||
file_shared_name: this.obj_name,
|
file_shared_name: this.obj_name,
|
||||||
file_shared_type: this.is_dir ? 'd' : 'f'
|
file_shared_type: this.is_dir ? 'd' : 'f'
|
||||||
},
|
},
|
||||||
post_url: Common.getUrl({name: 'send_shared_download_link'})
|
post_url: Common.getUrl({name: 'send_shared_download_link'})
|
||||||
});
|
});
|
||||||
return false;
|
return false;
|
||||||
},
|
},
|
||||||
|
|
||||||
@ -382,7 +382,7 @@ define([
|
|||||||
shared_upload_link: this.upload_link
|
shared_upload_link: this.upload_link
|
||||||
},
|
},
|
||||||
post_url: Common.getUrl({name: 'send_shared_upload_link'})
|
post_url: Common.getUrl({name: 'send_shared_upload_link'})
|
||||||
});
|
});
|
||||||
return false;
|
return false;
|
||||||
},
|
},
|
||||||
|
|
||||||
@ -409,8 +409,8 @@ define([
|
|||||||
|
|
||||||
$('[name="emails"]', form).select2($.extend({
|
$('[name="emails"]', form).select2($.extend({
|
||||||
width: '400px'
|
width: '400px'
|
||||||
},Common.contactInputOptionsForSelect2));
|
},Common.contactInputOptionsForSelect2()));
|
||||||
|
|
||||||
form.removeClass('hide');
|
form.removeClass('hide');
|
||||||
},
|
},
|
||||||
|
|
||||||
@ -458,8 +458,8 @@ define([
|
|||||||
|
|
||||||
$('[name="emails"]', form).select2($.extend({
|
$('[name="emails"]', form).select2($.extend({
|
||||||
width: '400px'
|
width: '400px'
|
||||||
},Common.contactInputOptionsForSelect2));
|
},Common.contactInputOptionsForSelect2()));
|
||||||
|
|
||||||
var groups = app.pageOptions.groups || [];
|
var groups = app.pageOptions.groups || [];
|
||||||
var g_opts = '';
|
var g_opts = '';
|
||||||
for (var i = 0, len = groups.length; i < len; i++) {
|
for (var i = 0, len = groups.length; i < len; i++) {
|
||||||
|
@ -477,43 +477,46 @@ define([
|
|||||||
});
|
});
|
||||||
},
|
},
|
||||||
|
|
||||||
contactInputOptionsForSelect2: {
|
contactInputOptionsForSelect2: function() {
|
||||||
placeholder: gettext("Enter emails or select contacts"),
|
var _this = this;
|
||||||
|
return {
|
||||||
|
placeholder: gettext("Enter emails or select contacts"),
|
||||||
|
|
||||||
// with 'tags', the user can directly enter, not just select
|
// with 'tags', the user can directly enter, not just select
|
||||||
// tags need `<input type="hidden" />`, not `<select>`
|
// tags need `<input type="hidden" />`, not `<select>`
|
||||||
tags: function () {
|
tags: function () {
|
||||||
var contacts = app.pageOptions.contacts || [];
|
var contacts = app.pageOptions.contacts || [];
|
||||||
var contact_list = [];
|
var contact_list = [];
|
||||||
for (var i = 0, len = contacts.length; i < len; i++) {
|
for (var i = 0, len = contacts.length; i < len; i++) {
|
||||||
contact_list.push({ // 'id' & 'text' are required by the plugin
|
contact_list.push({ // 'id' & 'text' are required by the plugin
|
||||||
"id": contacts[i].email,
|
"id": contacts[i].email,
|
||||||
// for search. both name & email can be searched.
|
// for search. both name & email can be searched.
|
||||||
// use ' '(space) to separate name & email
|
// use ' '(space) to separate name & email
|
||||||
"text": contacts[i].name + ' ' + contacts[i].email,
|
"text": contacts[i].name + ' ' + contacts[i].email,
|
||||||
"avatar": contacts[i].avatar,
|
"avatar": contacts[i].avatar,
|
||||||
"name": contacts[i].name
|
"name": contacts[i].name
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
return contact_list;
|
return contact_list;
|
||||||
},
|
},
|
||||||
|
|
||||||
tokenSeparators: [',', ' '],
|
tokenSeparators: [',', ' '],
|
||||||
|
|
||||||
// format items shown in the drop-down menu
|
// format items shown in the drop-down menu
|
||||||
formatResult: function(item) {
|
formatResult: function(item) {
|
||||||
if (item.avatar) {
|
if (item.avatar) {
|
||||||
return item.avatar + '<span class="text">' + item.name + '<br />' + item.id + '</span>';
|
return item.avatar + '<span class="text">' + _this.HTMLescape(item.name) + '<br />' + _this.HTMLescape(item.id) + '</span>';
|
||||||
} else {
|
} else {
|
||||||
return; // if no match, show nothing
|
return; // if no match, show nothing
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
|
||||||
// format selected item shown in the input
|
// format selected item shown in the input
|
||||||
formatSelection: function(item) {
|
formatSelection: function(item) {
|
||||||
return item.name || item.id; // if no name, show the email, i.e., when directly input, show the email
|
return _this.HTMLescape(item.name || item.id); // if no name, show the email, i.e., when directly input, show the email
|
||||||
},
|
},
|
||||||
escapeMarkup: function(m) { return m; }
|
escapeMarkup: function(m) { return m; }
|
||||||
|
}
|
||||||
},
|
},
|
||||||
|
|
||||||
// check if a file is an image
|
// check if a file is an image
|
||||||
|
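Review bot: `item.avatar` in the formatResult return is still concatenated into the markup unescaped while `escapeMarkup` stays the identity function, so the fix rests on `contacts[i].avatar` (read from `app.pageOptions.contacts` in `tags`) being trusted server-generated markup rather than user-supplied text; if that is the intent it deserves a comment at that line, e.g. `// avatar is server-rendered markup; name/id are user data and must stay escaped because escapeMarkup is a no-op`. The new `var _this = this;` also ties the result to the receiver: the call sites in the other hunks (`Common.contactInputOptionsForSelect2()`) keep `this` bound to the object that provides `HTMLescape`, but a detached reference would throw on `_this.HTMLescape`, so naming the escape helper directly through the module object, if it is in scope here, would remove that coupling. The `text` field built in `tags` (`contacts[i].name + ' ' + contacts[i].email`) is not escaped either; whether select2 renders it or only uses it for matching is not visible in this hunk and is worth confirming. The object literal that holds these members begins before the hunk.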