haiwen/seahub
1
0
Fork 0
mirror of https://github.com/haiwen/seahub.git synced 2025-09-01 15:09:14 +00:00
Code Issues Releases Wiki Activity

Fix xss in formating people list in sharing dialog

Browse Source
This commit is contained in:
Daniel Pan
2015-05-07 11:45:04 +08:00
parent 756177c952
commit 74b7428d21
3 changed files with 48 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
static/scripts/app/views/folder-perm.js
View File

@@ -89,7 +89,7 @@ define([
});
// use select2 to 'user' input in 'add user perm'
$('[name="email"]', $add_user_perm).select2(Common.contactInputOptionsForSelect2);
$('[name="email"]', $add_user_perm).select2(Common.contactInputOptionsForSelect2());
// use select2 to 'group' input in 'add group perm'
var groups = app.pageOptions.groups || [],

4
static/scripts/app/views/share.js
View File

@@ -409,7 +409,7 @@ define([
$('[name="emails"]', form).select2($.extend({
width: '400px'
},Common.contactInputOptionsForSelect2));
},Common.contactInputOptionsForSelect2()));
form.removeClass('hide');
},
@@ -458,7 +458,7 @@ define([
$('[name="emails"]', form).select2($.extend({
width: '400px'
},Common.contactInputOptionsForSelect2));
},Common.contactInputOptionsForSelect2()));
var groups = app.pageOptions.groups || [];
var g_opts = '';

69
static/scripts/common.js
View File

@@ -477,43 +477,46 @@ define([
});
},
contactInputOptionsForSelect2: {
placeholder: gettext("Enter emails or select contacts"),
contactInputOptionsForSelect2: function() {
var _this = this;
return {
placeholder: gettext("Enter emails or select contacts"),
// with 'tags', the user can directly enter, not just select
// tags need `<input type="hidden" />`, not `<select>`
tags: function () {
var contacts = app.pageOptions.contacts || [];
var contact_list = [];
for (var i = 0, len = contacts.length; i < len; i++) {
contact_list.push({ // 'id' & 'text' are required by the plugin
"id": contacts[i].email,
// for search. both name & email can be searched.
// use ' '(space) to separate name & email
"text": contacts[i].name + ' ' + contacts[i].email,
"avatar": contacts[i].avatar,
"name": contacts[i].name
});
}
return contact_list;
},
// with 'tags', the user can directly enter, not just select
// tags need `<input type="hidden" />`, not `<select>`
tags: function () {
var contacts = app.pageOptions.contacts || [];
var contact_list = [];
for (var i = 0, len = contacts.length; i < len; i++) {
contact_list.push({ // 'id' & 'text' are required by the plugin
"id": contacts[i].email,
// for search. both name & email can be searched.
// use ' '(space) to separate name & email
"text": contacts[i].name + ' ' + contacts[i].email,
"avatar": contacts[i].avatar,
"name": contacts[i].name
});
}
return contact_list;
},
tokenSeparators: [',', ' '],
tokenSeparators: [',', ' '],
// format items shown in the drop-down menu
formatResult: function(item) {
if (item.avatar) {
return item.avatar + '<span class="text">' + item.name + '<br />' + item.id + '</span>';
} else {
return; // if no match, show nothing
}
},
// format items shown in the drop-down menu
formatResult: function(item) {
if (item.avatar) {
return item.avatar + '<span class="text">' + _this.HTMLescape(item.name) + '<br />' + _this.HTMLescape(item.id) + '</span>';
} else {
return; // if no match, show nothing
}
},
// format selected item shown in the input
formatSelection: function(item) {
return item.name || item.id; // if no name, show the email, i.e., when directly input, show the email
},
escapeMarkup: function(m) { return m; }
// format selected item shown in the input
formatSelection: function(item) {
return _this.HTMLescape(item.name || item.id); // if no name, show the email, i.e., when directly input, show the email
},
escapeMarkup: function(m) { return m; }
}
},
// check if a file is an image