added necessary 'escape' for dir/file operations
@@ -703,7 +703,7 @@ var del_dirents = function() {
|
||||
} else {
|
||||
msg_s = "{% trans "Successfully deleted %(name)s." %}";
|
||||
}
|
||||
msg_s = msg_s.replace('%(name)s', data['deleted'][0]).replace('%(amount)s', data['deleted'].length - 1);
|
||||
msg_s = msg_s.replace('%(name)s', HTMLescape(data['deleted'][0])).replace('%(amount)s', data['deleted'].length - 1);
|
||||
feedback(msg_s, 'success');
|
||||
updateCmt();
|
||||
}
|
||||
@@ -906,7 +906,7 @@ $('#mv-dirents, #cp-dirents').click(function() {
|
||||
msg_s = "{% trans "Successfully copied %(name)s and %(amount)s other items." %}";
|
||||
}
|
||||
}
|
||||
msg_s = msg_s.replace('%(name)s', data['success'][0]).replace('%(amount)s', data['success'].length - 1);
|
||||
msg_s = msg_s.replace('%(name)s', HTMLescape(data['success'][0])).replace('%(amount)s', data['success'].length - 1);
|
||||
msg_s += ' <a href="' + view_url + '">' + "{% trans "View" %}" + '</a>';
|
||||
feedback(msg_s, 'success');
|
||||
updateCmt();
|
||||
@@ -926,7 +926,7 @@ $('#mv-dirents, #cp-dirents').click(function() {
|
||||
msg_f = "{% trans "Internal error. Failed to copy %(name)s." %}";
|
||||
}
|
||||
}
|
||||
msg_f = msg_f.replace('%(name)s', data['failed'][0]).replace('%(amount)s', data['failed'].length - 1);
|
||||
msg_f = msg_f.replace('%(name)s', HTMLescape(data['failed'][0])).replace('%(amount)s', data['failed'].length - 1);
|
||||
feedback(msg_f, 'error');
|
||||
}
|
||||
},
|
||||
@@ -1290,7 +1290,7 @@ $('#add-new-file').click(function () {
|
||||
// share current dir
|
||||
$('#share-cur-dir').click(function() {
|
||||
var op = $(this), name, aj_urls, type;
|
||||
name = $('#cur-dir-name').html();
|
||||
name = $('#cur-dir-name').attr('data-name');
|
||||
aj_urls = { 'link': op.data('url'), 'upload-link': op.data('upload-url') };
|
||||
type = 'd';
|
||||
showSharePopup(op, name, aj_urls, type, cur_path);
|
||||
@@ -1639,7 +1639,7 @@ $('.dir-del, .file-del', context).click(function() {
|
||||
dirent.remove();
|
||||
no_file_op_popup = true;// make other items can work normally when hover
|
||||
var msg = "{% trans "Successfully deleted %(name)s" %}";
|
||||
msg = msg.replace('%(name)s', dirent_name);
|
||||
msg = msg.replace('%(name)s', HTMLescape(dirent_name));
|
||||
feedback(msg, 'success');
|
||||
updateCmt();
|
||||
}
|
||||
@@ -1657,7 +1657,7 @@ $('.file-rename, .dir-rename', context).click(function () {
|
||||
op_detail = $('.detail', form);
|
||||
form.data('op_obj', dirent).modal();
|
||||
|
||||
op_detail.html(op_detail.html().replace('%(name)s', '<span class="op-target">' + orig_name + '</span>'));
|
||||
op_detail.html(op_detail.html().replace('%(name)s', '<span class="op-target">' + HTMLescape(orig_name) + '</span>'));
|
||||
$('input[name*="name"]', form).val(orig_name);
|
||||
if (op.hasClass('file-rename')) {
|
||||
form.prepend("<h3>{% trans "Rename File" %}</h3>").data('obj_type', 'file');
|
||||
@@ -1673,7 +1673,8 @@ $('.file-rename, .dir-rename', context).click(function () {
|
||||
$('.file-cp, .file-mv, .dir-cp, .dir-mv', context).click(function () {
|
||||
var op = $(this), op_type, op_detail,
|
||||
dirent = op.parents('tr'),
|
||||
obj_name = dirent.attr('data-name'), obj_type,
|
||||
obj_name = dirent.attr('data-name'),
|
||||
obj_type,
|
||||
form = $('#mv-form'), form_hd;
|
||||
|
||||
form.modal({appendTo:'#main', autoResize:true, focus:false});
|
||||
@@ -1703,7 +1704,7 @@ $('.file-cp, .file-mv, .dir-cp, .dir-mv', context).click(function () {
|
||||
obj_type = 'dir';
|
||||
}
|
||||
|
||||
op_detail = op_detail.replace('%(name)s', '<span class="op-target">' + obj_name + '</span>');
|
||||
op_detail = op_detail.replace('%(name)s', '<span class="op-target">' + HTMLescape(obj_name) + '</span>');
|
||||
form.prepend('<h3>' + form_hd + '</h3><h4>' + op_detail + '</h4>');
|
||||
|
||||
$('input[name="op"]', form).val(op_type);
|
||||
@@ -1728,7 +1729,7 @@ $('.file-update', context).click(function() {
|
||||
var file_name = $(this).parents('.file-item').attr('data-name');
|
||||
var form = $('#update-file-form');
|
||||
var hd = $('#update-file-dialog .hd');
|
||||
hd.html(hd.html().replace('%(file_name)s', '<span class="op-target">' + file_name + '</span>'));
|
||||
hd.html(hd.html().replace('%(file_name)s', '<span class="op-target">' + HTMLescape(file_name) + '</span>'));
|
||||
|
||||
$('input[name="target_file"]', form).val(cur_path + file_name);
|
||||
|
||||
@@ -1781,7 +1782,7 @@ $('.file-update', context).click(function() {
|
||||
|
||||
$('input[name="target_file"]', form).val(cur_path + file_name);
|
||||
var hd = $('#update-file-dialog .hd');
|
||||
hd.html(hd.html().replace('%(file_name)s', '<span class="op-target">' + file_name + '</span>'));
|
||||
hd.html(hd.html().replace('%(file_name)s', '<span class="op-target">' + HTMLescape(file_name) + '</span>'));
|
||||
|
||||
$.ajax({
|
||||
url: '{% url 'get_file_op_url' repo.id %}?op_type=' + e('update'),
|
||||
@@ -1991,9 +1992,9 @@ $('#add-new-file-form, #add-new-dir-form, #rename-form, #mv-form').submit(functi
|
||||
|
||||
var name_link = $('.dirent-name a', op_obj);
|
||||
if (name_link.length == 1) {
|
||||
name_link.html(new_name).attr('href', name_link.attr('href').substr(0, name_link.attr('href').indexOf('?')) + '?p=' + e(path+new_name));
|
||||
name_link.html(HTMLescape(new_name)).attr('href', name_link.attr('href').substr(0, name_link.attr('href').indexOf('?')) + '?p=' + e(path+new_name));
|
||||
} else {
|
||||
$('.dirent-name', op_obj).html(new_name); // no link for files in client_crypto mode
|
||||
$('.dirent-name', op_obj).html(HTMLescape(new_name)); // no link for files in client_crypto mode
|
||||
}
|
||||
$('.dirent-update', op_obj).html("{% trans "Just now" %}");
|
||||
var dld_link;
|
||||
@@ -2020,7 +2021,7 @@ $('#add-new-file-form, #add-new-dir-form, #rename-form, #mv-form').submit(functi
|
||||
}
|
||||
|
||||
var msg = "{% trans "Successfully renamed %(old_name)s to %(new_name)s" %}";
|
||||
msg = msg.replace('%(old_name)s', old_name).replace('%(new_name)s', new_name);
|
||||
msg = msg.replace('%(old_name)s', HTMLescape(old_name)).replace('%(new_name)s', HTMLescape(new_name));
|
||||
feedback(msg, 'success');
|
||||
};
|
||||
} else {// #mv-form
|
||||
@@ -2074,7 +2075,7 @@ $('#add-new-file-form, #add-new-dir-form, #rename-form, #mv-form').submit(functi
|
||||
paddingTop: 50
|
||||
}, focus:false});
|
||||
var det_text = op == 'mv' ? "{% trans "Moving %(name)s" %}": "{% trans "Copying %(name)s" %}";
|
||||
details.html(det_text.replace('%(name)s', trimFilename(obj_name, 20))).removeClass('vh');
|
||||
details.html(det_text.replace('%(name)s', HTMLescape(trimFilename(obj_name, 20)))).removeClass('vh');
|
||||
$('#mv-progress').progressbar();
|
||||
req_progress();
|
||||
}, 100);
|
||||
|
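Review bot: The string form of `String.prototype.replace` used for every `%(name)s` substitution in this file (starting with the `msg_s` line in the del_dirents hunk, and again in the mv/cp, delete, rename, update and submit handlers, plus the `hd.html(...)` line in the showSharePopup hunk) still interprets replacement patterns, so a name containing `$&`, `$'` or `` $` `` is rewritten after `HTMLescape` has run, since nothing visible here suggests HTMLescape touches `$`. The result is a corrupted message rather than injected markup, but it defeats the intent of inserting the escaped name verbatim. Passing a function as the replacement avoids pattern expansion, e.g. `msg_s = msg_s.replace('%(name)s', function() { return HTMLescape(data['deleted'][0]); })`, and the same one-line change applies at each of the other sites. The enclosing del_dirents function starts and ends outside its hunk.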
@@ -5,7 +5,7 @@
|
||||
{% if forloop.first or not forloop.last %}
|
||||
<a href="{{ SITE_ROOT }}repo/{{ repo.id }}/?p={{ link|urlencode }}" class="dir-link normal">{{ name }}</a> /
|
||||
{% else %}
|
||||
<span id="cur-dir-name">{{ name }}</span> /
|
||||
<span id="cur-dir-name" data-name="{{ name }}">{{ name }}</span> /
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
</p>
|
||||
|
@@ -65,7 +65,7 @@ function showSharePopup(op, name, aj_urls, type, cur_path) {
|
||||
form.modal({appendTo: "#main",'focus':false, containerCss:{"padding":0}});
|
||||
|
||||
var hd = $('#file-share .hd');
|
||||
hd.html(hd.html().replace('%(name)s', '<span class="op-target">' + trimFilename(name, 30) + '</span>'));
|
||||
hd.html(hd.html().replace('%(name)s', '<span class="op-target">' + HTMLescape(trimFilename(name, 30)) + '</span>'));
|
||||
|
||||
if (type == 'd') {
|
||||
$('#private-share-tab, #private-share').remove();
|
||||
@@ -141,7 +141,7 @@ function showSharePopup(op, name, aj_urls, type, cur_path) {
|
||||
form.removeClass('hide').css({'width':'auto', 'padding-top':0});
|
||||
$("h3", form).remove();
|
||||
$('.checkbox-label', form).css({'margin-right':'3px'}); // make it not show on top of the scrollbar when hover
|
||||
form.data('dir-path', path).attr('data-name', name);
|
||||
form.data('dir-path', path);
|
||||
$("#repo-share-tabs").tabs();
|
||||
$('#repo-share-tabs .ui-tabs-nav').css({'padding-left': '1.4em'});
|
||||
});
|
||||
|
@@ -97,7 +97,7 @@ var saving_tip = $('.saving-tip', form);
|
||||
|
||||
// Initialize the jQuery File Upload widget:
|
||||
form.fileupload({
|
||||
formData: {'parent_dir': "{{path}}"},
|
||||
formData: {'parent_dir': "{{path|escapejs}}"},
|
||||
// customize it for 'done'
|
||||
getFilesFromResponse: function (data) {
|
||||
if (data.result) {
|
||||
@@ -175,10 +175,11 @@ form.fileupload({
|
||||
}
|
||||
|
||||
var uploaded_done_link = "{% url "upload_file_done" %}" + "?fn=" + e(file.name) + "&repo_id=" + e("{{repo.id}}");
|
||||
var path = "{{path|escapejs}}";
|
||||
if (file_path) {
|
||||
uploaded_done_link += '&p=' + e("{{path}}" + file_path.substr(0, file_path.lastIndexOf('/') + 1));
|
||||
uploaded_done_link += '&p=' + e(path + file_path.substr(0, file_path.lastIndexOf('/') + 1));
|
||||
} else {
|
||||
uploaded_done_link += '&p=' + e("{{path}}");
|
||||
uploaded_done_link += '&p=' + e(path);
|
||||
}
|
||||
$.get(uploaded_done_link);
|
||||
}
|
||||
|
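Review bot: In the second hunk `e("{{repo.id}}")` is the only template value in a JS string literal that is emitted without `|escapejs`, while `path` on the next line now gets it; repo.id is presumably an opaque identifier that never needs escaping, but `e("{{repo.id|escapejs}}")` keeps the rule uniform that every template value inside a JS string literal goes through escapejs. The `$.get(uploaded_done_link)` call at the end of the hunk discards its result, so a failed done-notification is silent; if that is deliberate, a comment such as `// best-effort notification; response intentionally ignored` would record it. The enclosing callback starts outside the hunk.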
@@ -9,6 +9,7 @@ from django.http import HttpResponse, Http404, HttpResponseBadRequest
|
||||
from django.template import RequestContext
|
||||
from django.template.loader import render_to_string
|
||||
from django.utils.http import urlquote
|
||||
from django.utils.html import escape
|
||||
from django.utils.translation import ugettext as _
|
||||
|
||||
import seaserv
|
||||
@@ -695,7 +696,7 @@ def mv_file(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username):
|
||||
result['success'] = True
|
||||
msg_url = reverse('repo', args=[dst_repo_id]) + '?p=' + urlquote(dst_path)
|
||||
msg = _(u'Successfully moved %(name)s <a href="%(url)s">view</a>') % \
|
||||
{"name":obj_name, "url":msg_url}
|
||||
{"name":escape(obj_name), "url":msg_url}
|
||||
result['msg'] = msg
|
||||
if res.background:
|
||||
result['task_id'] = res.task_id
|
||||
@@ -724,7 +725,7 @@ def cp_file(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username):
|
||||
result['success'] = True
|
||||
msg_url = reverse('repo', args=[dst_repo_id]) + '?p=' + urlquote(dst_path)
|
||||
msg = _(u'Successfully copied %(name)s <a href="%(url)s">view</a>') % \
|
||||
{"name":obj_name, "url":msg_url}
|
||||
{"name":escape(obj_name), "url":msg_url}
|
||||
result['msg'] = msg
|
||||
|
||||
if res.background:
|
||||
@@ -741,7 +742,7 @@ def mv_dir(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username):
|
||||
src_dir = os.path.join(src_path, obj_name)
|
||||
if dst_path.startswith(src_dir + '/'):
|
||||
error_msg = _(u'Can not move directory %(src)s to its subdirectory %(des)s') \
|
||||
% {'src': src_dir, 'des': dst_path}
|
||||
% {'src': escape(src_dir), 'des': escape(dst_path)}
|
||||
result['error'] = error_msg
|
||||
return HttpResponse(json.dumps(result), status=400, content_type=content_type)
|
||||
|
||||
@@ -762,7 +763,7 @@ def mv_dir(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username):
|
||||
result['success'] = True
|
||||
msg_url = reverse('repo', args=[dst_repo_id]) + '?p=' + urlquote(dst_path)
|
||||
msg = _(u'Successfully moved %(name)s <a href="%(url)s">view</a>') % \
|
||||
{"name":obj_name, "url":msg_url}
|
||||
{"name":escape(obj_name), "url":msg_url}
|
||||
result['msg'] = msg
|
||||
if res.background:
|
||||
result['task_id'] = res.task_id
|
||||
@@ -778,7 +779,7 @@ def cp_dir(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username):
|
||||
src_dir = os.path.join(src_path, obj_name)
|
||||
if dst_path.startswith(src_dir):
|
||||
error_msg = _(u'Can not copy directory %(src)s to its subdirectory %(des)s') \
|
||||
% {'src': src_dir, 'des': dst_path}
|
||||
% {'src': escape(src_dir), 'des': escape(dst_path)}
|
||||
result['error'] = error_msg
|
||||
return HttpResponse(json.dumps(result), status=400, content_type=content_type)
|
||||
|
||||
@@ -799,7 +800,7 @@ def cp_dir(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username):
|
||||
result['success'] = True
|
||||
msg_url = reverse('repo', args=[dst_repo_id]) + '?p=' + urlquote(dst_path)
|
||||
msg = _(u'Successfully copied %(name)s <a href="%(url)s">view</a>') % \
|
||||
{"name":obj_name, "url":msg_url}
|
||||
{"name":escape(obj_name), "url":msg_url}
|
||||
result['msg'] = msg
|
||||
if res.background:
|
||||
result['task_id'] = res.task_id
|
||||
@@ -847,7 +848,7 @@ def dirents_copy_move_common(func):
|
||||
# check file path
|
||||
for obj_name in obj_file_names + obj_dir_names:
|
||||
if len(dst_path+obj_name) > settings.MAX_PATH:
|
||||
result['error'] = _('Destination path is too long for %s.') % obj_name
|
||||
result['error'] = _('Destination path is too long for %s.') % escape(obj_name)
|
||||
return HttpResponse(json.dumps(result), status=400,
|
||||
content_type=content_type)
|
||||
|
||||
@@ -875,7 +876,7 @@ def mv_dirents(src_repo_id, src_path, dst_repo_id, dst_path, obj_file_names, obj
|
||||
src_dir = os.path.join(src_path, obj_name)
|
||||
if dst_path.startswith(src_dir + '/'):
|
||||
error_msg = _(u'Can not move directory %(src)s to its subdirectory %(des)s') \
|
||||
% {'src': src_dir, 'des': dst_path}
|
||||
% {'src': escape(src_dir), 'des': escape(dst_path)}
|
||||
result['error'] = error_msg
|
||||
return HttpResponse(json.dumps(result), status=400, content_type=content_type)
|
||||
|
||||
@@ -911,7 +912,7 @@ def cp_dirents(src_repo_id, src_path, dst_repo_id, dst_path, obj_file_names, obj
|
||||
src_dir = os.path.join(src_path, obj_name)
|
||||
if dst_path.startswith(src_dir):
|
||||
error_msg = _(u'Can not copy directory %(src)s to its subdirectory %(des)s') \
|
||||
% {'src': src_dir, 'des': dst_path}
|
||||
% {'src': escape(src_dir), 'des': escape(dst_path)}
|
||||
result['error'] = error_msg
|
||||
return HttpResponse(json.dumps(result), status=400, content_type=content_type)
|
||||
|
||||
|
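Review bot: In the cp_dir hunk the subdirectory guard is `dst_path.startswith(src_dir)` with no trailing `/`, whereas mv_dir and mv_dirents use `startswith(src_dir + '/')`; as written, copying `foo` into a sibling directory named `foo2` is rejected with the "subdirectory" error, and the cp_dirents hunk has the same check. Changing both to `if dst_path == src_dir or dst_path.startswith(src_dir + '/'):` makes the four checks agree and still rejects copying a directory into itself. Separately, the `msg` values built here contain markup and are returned inside JSON, so a short comment next to `result['msg'] = msg` noting that 'msg' and 'error' are HTML fragments whose dynamic parts are already escaped would record that contract for future callers. The enclosing functions begin and end outside their hunks.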