diff --git a/seahub/templates/repo.html b/seahub/templates/repo.html index a9d442a171..903a4766e8 100644 --- a/seahub/templates/repo.html +++ b/seahub/templates/repo.html @@ -703,7 +703,7 @@ var del_dirents = function() { } else { msg_s = "{% trans "Successfully deleted %(name)s." %}"; } - msg_s = msg_s.replace('%(name)s', data['deleted'][0]).replace('%(amount)s', data['deleted'].length - 1); + msg_s = msg_s.replace('%(name)s', HTMLescape(data['deleted'][0])).replace('%(amount)s', data['deleted'].length - 1); feedback(msg_s, 'success'); updateCmt(); } @@ -906,7 +906,7 @@ $('#mv-dirents, #cp-dirents').click(function() { msg_s = "{% trans "Successfully copied %(name)s and %(amount)s other items." %}"; } } - msg_s = msg_s.replace('%(name)s', data['success'][0]).replace('%(amount)s', data['success'].length - 1); + msg_s = msg_s.replace('%(name)s', HTMLescape(data['success'][0])).replace('%(amount)s', data['success'].length - 1); msg_s += ' ' + "{% trans "View" %}" + ''; feedback(msg_s, 'success'); updateCmt(); @@ -926,7 +926,7 @@ $('#mv-dirents, #cp-dirents').click(function() { msg_f = "{% trans "Internal error. Failed to copy %(name)s." %}"; } } - msg_f = msg_f.replace('%(name)s', data['failed'][0]).replace('%(amount)s', data['failed'].length - 1); + msg_f = msg_f.replace('%(name)s', HTMLescape(data['failed'][0])).replace('%(amount)s', data['failed'].length - 1); feedback(msg_f, 'error'); } }, @@ -1290,7 +1290,7 @@ $('#add-new-file').click(function () { // share current dir $('#share-cur-dir').click(function() { var op = $(this), name, aj_urls, type; - name = $('#cur-dir-name').html(); + name = $('#cur-dir-name').attr('data-name'); aj_urls = { 'link': op.data('url'), 'upload-link': op.data('upload-url') }; type = 'd'; showSharePopup(op, name, aj_urls, type, cur_path); 
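Review bot: In the del_dirents hunk the escaped name is still passed to `String.prototype.replace` as a string, so a file name containing `$&`, `$'` or `` $` `` is expanded as a replacement pattern and the feedback text comes out mangled (the expanded text is the trusted message itself, so this is a correctness issue rather than an injection, but it is cheap to close). Using a function replacement avoids the pattern expansion entirely: `msg_s = msg_s.replace('%(name)s', function () { return HTMLescape(data['deleted'][0]); }).replace('%(amount)s', data['deleted'].length - 1);`. The same shape recurs in every other `replace('%(name)s', HTMLescape(...))` line of this diff. Whether `HTMLescape` covers quotes as well as `<`, `>` and `&` is not visible here; that is enough for text-node insertion into `feedback()`, but it should be confirmed before the helper is relied on inside attribute values. del_dirents starts and ends outside this hunk.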
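Review bot: In the `#share-cur-dir` hunk, `name = $('#cur-dir-name').attr('data-name')` correctly stops reading entity-encoded markup via `.html()`, but it now depends on the element carrying a `data-name` attribute, and the repo_dir_data.html hunk in this diff that presumably adds it has its markup stripped in this view, so the attribute's presence cannot be confirmed here. If it is missing, `name` is undefined and showSharePopup passes it straight into `trimFilename(name, 30)`. A decoded-text fallback keeps the call safe in either case: `name = $('#cur-dir-name').attr('data-name') || $('#cur-dir-name').text();` (`.text()` returns the decoded name, so it is the safe counterpart of the removed `.html()` read, not a reintroduction of it).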
@@ -1639,7 +1639,7 @@ $('.dir-del, .file-del', context).click(function() { dirent.remove(); no_file_op_popup = true;// make other items can work normally when hover var msg = "{% trans "Successfully deleted %(name)s" %}"; - msg = msg.replace('%(name)s', dirent_name); + msg = msg.replace('%(name)s', HTMLescape(dirent_name)); feedback(msg, 'success'); updateCmt(); } @@ -1657,7 +1657,7 @@ $('.file-rename, .dir-rename', context).click(function () { op_detail = $('.detail', form); form.data('op_obj', dirent).modal(); - op_detail.html(op_detail.html().replace('%(name)s', '' + orig_name + '')); + op_detail.html(op_detail.html().replace('%(name)s', '' + HTMLescape(orig_name) + '')); $('input[name*="name"]', form).val(orig_name); if (op.hasClass('file-rename')) { form.prepend("

{% trans "Rename File" %}

").data('obj_type', 'file'); @@ -1673,7 +1673,8 @@ $('.file-rename, .dir-rename', context).click(function () { $('.file-cp, .file-mv, .dir-cp, .dir-mv', context).click(function () { var op = $(this), op_type, op_detail, dirent = op.parents('tr'), - obj_name = dirent.attr('data-name'), obj_type, + obj_name = dirent.attr('data-name'), + obj_type, form = $('#mv-form'), form_hd; form.modal({appendTo:'#main', autoResize:true, focus:false}); @@ -1703,7 +1704,7 @@ $('.file-cp, .file-mv, .dir-cp, .dir-mv', context).click(function () { obj_type = 'dir'; } - op_detail = op_detail.replace('%(name)s', '' + obj_name + ''); + op_detail = op_detail.replace('%(name)s', '' + HTMLescape(obj_name) + ''); form.prepend('
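Review bot: The rename hunk at 1657 still assembles the dialog detail by reading `op_detail.html()`, substituting into the serialized markup and writing the string back with `.html()`; escaping `orig_name` removes the XSS, but the empty `'' + ... + ''` concatenation around it suggests wrapper markup was stripped from this view, and if that wrapper puts the name into an attribute rather than a text node `HTMLescape` must also encode quotes, which cannot be verified here. A DOM-based insertion needs no escape helper at all, e.g. `var target = $('<span/>').text(orig_name);` and then splicing `target` into the detail element in place of the placeholder text, which also sidesteps the `$`-pattern expansion of `String.replace`. Note also that because the placeholder is consumed from the live markup, the replacement only works the first time the form is populated unless the template text is restored elsewhere; that looks pre-existing, and the enclosing click handler continues past this hunk.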

' + form_hd + '

' + op_detail + '

'); $('input[name="op"]', form).val(op_type); @@ -1728,7 +1729,7 @@ $('.file-update', context).click(function() { var file_name = $(this).parents('.file-item').attr('data-name'); var form = $('#update-file-form'); var hd = $('#update-file-dialog .hd'); - hd.html(hd.html().replace('%(file_name)s', '' + file_name + '')); + hd.html(hd.html().replace('%(file_name)s', '' + HTMLescape(file_name) + '')); $('input[name="target_file"]', form).val(cur_path + file_name); @@ -1781,7 +1782,7 @@ $('.file-update', context).click(function() { $('input[name="target_file"]', form).val(cur_path + file_name); var hd = $('#update-file-dialog .hd'); - hd.html(hd.html().replace('%(file_name)s', '' + file_name + '')); + hd.html(hd.html().replace('%(file_name)s', '' + HTMLescape(file_name) + '')); $.ajax({ url: '{% url 'get_file_op_url' repo.id %}?op_type=' + e('update'), @@ -1991,9 +1992,9 @@ $('#add-new-file-form, #add-new-dir-form, #rename-form, #mv-form').submit(functi var name_link = $('.dirent-name a', op_obj); if (name_link.length == 1) { - name_link.html(new_name).attr('href', name_link.attr('href').substr(0, name_link.attr('href').indexOf('?')) + '?p=' + e(path+new_name)); + name_link.html(HTMLescape(new_name)).attr('href', name_link.attr('href').substr(0, name_link.attr('href').indexOf('?')) + '?p=' + e(path+new_name)); } else { - $('.dirent-name', op_obj).html(new_name); // no link for files in client_crypto mode + $('.dirent-name', op_obj).html(HTMLescape(new_name)); // no link for files in client_crypto mode } $('.dirent-update', op_obj).html("{% trans "Just now" %}"); var dld_link; 
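Review bot: In the 1991 hunk, `name_link.html(HTMLescape(new_name))` and `$('.dirent-name', op_obj).html(HTMLescape(new_name))` insert plain text, so jQuery's `.text()` does the job without depending on the coverage of `HTMLescape`: `name_link.text(new_name)` and `$('.dirent-name', op_obj).text(new_name)`. The href rebuild on the same line, `name_link.attr('href').substr(0, name_link.attr('href').indexOf('?'))`, yields an empty string when the existing href has no `?`, leaving a bare `?p=...` link; this predates the commit but is one line from the new code, so a guard such as `var base = href.indexOf('?') === -1 ? href : href.substr(0, href.indexOf('?'));` is worth adding while here. The submit handler begins and ends outside this hunk.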
@@ -2020,7 +2021,7 @@ $('#add-new-file-form, #add-new-dir-form, #rename-form, #mv-form').submit(functi } var msg = "{% trans "Successfully renamed %(old_name)s to %(new_name)s" %}"; - msg = msg.replace('%(old_name)s', old_name).replace('%(new_name)s', new_name); + msg = msg.replace('%(old_name)s', HTMLescape(old_name)).replace('%(new_name)s', HTMLescape(new_name)); feedback(msg, 'success'); }; } else {// #mv-form @@ -2074,7 +2075,7 @@ $('#add-new-file-form, #add-new-dir-form, #rename-form, #mv-form').submit(functi paddingTop: 50 }, focus:false}); var det_text = op == 'mv' ? "{% trans "Moving %(name)s" %}": "{% trans "Copying %(name)s" %}"; - details.html(det_text.replace('%(name)s', trimFilename(obj_name, 20))).removeClass('vh'); + details.html(det_text.replace('%(name)s', HTMLescape(trimFilename(obj_name, 20)))).removeClass('vh'); $('#mv-progress').progressbar(); req_progress(); }, 100); diff --git a/seahub/templates/snippets/repo_dir_data.html b/seahub/templates/snippets/repo_dir_data.html index 56b0d74271..ab3174a81c 100644 --- a/seahub/templates/snippets/repo_dir_data.html +++ b/seahub/templates/snippets/repo_dir_data.html @@ -5,7 +5,7 @@ {% if forloop.first or not forloop.last %} {{ name }} / {% else %} - {{ name }} / + {{ name }} / {% endif %} {% endfor %}

diff --git a/seahub/templates/snippets/shared_link_js.html b/seahub/templates/snippets/shared_link_js.html index a08634d225..d69a847109 100644 --- a/seahub/templates/snippets/shared_link_js.html +++ b/seahub/templates/snippets/shared_link_js.html @@ -65,7 +65,7 @@ function showSharePopup(op, name, aj_urls, type, cur_path) { form.modal({appendTo: "#main",'focus':false, containerCss:{"padding":0}}); var hd = $('#file-share .hd'); - hd.html(hd.html().replace('%(name)s', '' + trimFilename(name, 30) + '')); + hd.html(hd.html().replace('%(name)s', '' + HTMLescape(trimFilename(name, 30)) + '')); if (type == 'd') { $('#private-share-tab, #private-share').remove(); @@ -141,7 +141,7 @@ function showSharePopup(op, name, aj_urls, type, cur_path) { form.removeClass('hide').css({'width':'auto', 'padding-top':0}); $("h3", form).remove(); $('.checkbox-label', form).css({'margin-right':'3px'}); // make it not show on top of the scrollbar when hover - form.data('dir-path', path).attr('data-name', name); + form.data('dir-path', path); $("#repo-share-tabs").tabs(); $('#repo-share-tabs .ui-tabs-nav').css({'padding-left': '1.4em'}); }); diff --git a/seahub/templates/view_shared_upload_link.html b/seahub/templates/view_shared_upload_link.html index 93b076eba4..9e880c069a 100644 --- a/seahub/templates/view_shared_upload_link.html +++ b/seahub/templates/view_shared_upload_link.html @@ -97,7 +97,7 @@ var saving_tip = $('.saving-tip', form); // Initialize the jQuery File Upload widget: form.fileupload({ - formData: {'parent_dir': "{{path}}"}, + formData: {'parent_dir': "{{path|escapejs}}"}, // customize it for 'done' getFilesFromResponse: function (data) { if (data.result) { 
@@ -175,10 +175,11 @@ form.fileupload({ } var uploaded_done_link = "{% url "upload_file_done" %}" + "?fn=" + e(file.name) + "&repo_id=" + e("{{repo.id}}"); + var path = "{{path|escapejs}}"; if (file_path) { - uploaded_done_link += '&p=' + e("{{path}}" + file_path.substr(0, file_path.lastIndexOf('/') + 1)); + uploaded_done_link += '&p=' + e(path + file_path.substr(0, file_path.lastIndexOf('/') + 1)); } else { - uploaded_done_link += '&p=' + e("{{path}}"); + uploaded_done_link += '&p=' + e(path); } $.get(uploaded_done_link); } diff --git a/seahub/views/ajax.py b/seahub/views/ajax.py index e428727e8d..7fab40675c 100644 --- a/seahub/views/ajax.py +++ b/seahub/views/ajax.py @@ -9,6 +9,7 @@ from django.http import HttpResponse, Http404, HttpResponseBadRequest from django.template import RequestContext from django.template.loader import render_to_string from django.utils.http import urlquote +from django.utils.html import escape from django.utils.translation import ugettext as _ import seaserv @@ -695,7 +696,7 @@ def mv_file(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username): result['success'] = True msg_url = reverse('repo', args=[dst_repo_id]) + '?p=' + urlquote(dst_path) msg = _(u'Successfully moved %(name)s view') % \ - {"name":obj_name, "url":msg_url} + {"name":escape(obj_name), "url":msg_url} result['msg'] = msg if res.background: result['task_id'] = res.task_id @@ -724,7 +725,7 @@ def cp_file(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username): result['success'] = True msg_url = reverse('repo', args=[dst_repo_id]) + '?p=' + urlquote(dst_path) msg = _(u'Successfully copied %(name)s view') % \ - {"name":obj_name, "url":msg_url} + {"name":escape(obj_name), "url":msg_url} result['msg'] = msg if res.background: 
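Review bot: The new `var path = "{{path|escapejs}}";` fixes the JS-string context for `path`, but the neighbouring `e("{{repo.id}}")` on the same lines is still emitted without `|escapejs`; it is probably a server-generated id and therefore harmless, but the asymmetry invites a copy-paste regression, so `e("{{repo.id|escapejs}}")` keeps the rule uniform. Also note that `escapejs` protects only the string literal, not the URL that is later built from it; the `e(...)` wrapper (presumably encodeURIComponent, not visible here) must remain on every query value. The `done` callback this sits in starts before the hunk.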
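Review bot: In the mv_file and cp_file hunks, `escape(obj_name)` is applied before the name is formatted into `result['msg']`, which is correct only as long as every consumer injects that JSON string into the DOM as HTML; any client that renders it with `.text()` or a non-HTML notifier will show `&amp;` and `&lt;` literally. That contract is not recorded anywhere in the view, so a one-line comment next to each assignment would help: `# result['msg'] is rendered as HTML by the client (it carries a link), so the name is HTML-escaped here`. The `_()` call itself still holds the trusted template with the anchor markup, so escaping the value before the `%` substitution rather than the whole message is the right order. Both functions continue outside these hunks.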
@@ -741,7 +742,7 @@ def mv_dir(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username): src_dir = os.path.join(src_path, obj_name) if dst_path.startswith(src_dir + '/'): error_msg = _(u'Can not move directory %(src)s to its subdirectory %(des)s') \ - % {'src': src_dir, 'des': dst_path} + % {'src': escape(src_dir), 'des': escape(dst_path)} result['error'] = error_msg return HttpResponse(json.dumps(result), status=400, content_type=content_type) @@ -762,7 +763,7 @@ def mv_dir(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username): result['success'] = True msg_url = reverse('repo', args=[dst_repo_id]) + '?p=' + urlquote(dst_path) msg = _(u'Successfully moved %(name)s view') % \ - {"name":obj_name, "url":msg_url} + {"name":escape(obj_name), "url":msg_url} result['msg'] = msg if res.background: result['task_id'] = res.task_id @@ -778,7 +779,7 @@ def cp_dir(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username): src_dir = os.path.join(src_path, obj_name) if dst_path.startswith(src_dir): error_msg = _(u'Can not copy directory %(src)s to its subdirectory %(des)s') \ - % {'src': src_dir, 'des': dst_path} + % {'src': escape(src_dir), 'des': escape(dst_path)} result['error'] = error_msg return HttpResponse(json.dumps(result), status=400, content_type=content_type) @@ -799,7 +800,7 @@ def cp_dir(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username): result['success'] = True msg_url = reverse('repo', args=[dst_repo_id]) + '?p=' + urlquote(dst_path) msg = _(u'Successfully copied %(name)s view') % \ - {"name":obj_name, "url":msg_url} + {"name":escape(obj_name), "url":msg_url} result['msg'] = msg if res.background: result['task_id'] = res.task_id 
@@ -847,7 +848,7 @@ def dirents_copy_move_common(func): # check file path for obj_name in obj_file_names + obj_dir_names: if len(dst_path+obj_name) > settings.MAX_PATH: - result['error'] = _('Destination path is too long for %s.') % obj_name + result['error'] = _('Destination path is too long for %s.') % escape(obj_name) return HttpResponse(json.dumps(result), status=400, content_type=content_type) @@ -875,7 +876,7 @@ def mv_dirents(src_repo_id, src_path, dst_repo_id, dst_path, obj_file_names, obj src_dir = os.path.join(src_path, obj_name) if dst_path.startswith(src_dir + '/'): error_msg = _(u'Can not move directory %(src)s to its subdirectory %(des)s') \ - % {'src': src_dir, 'des': dst_path} + % {'src': escape(src_dir), 'des': escape(dst_path)} result['error'] = error_msg return HttpResponse(json.dumps(result), status=400, content_type=content_type) @@ -911,7 +912,7 @@ def cp_dirents(src_repo_id, src_path, dst_repo_id, dst_path, obj_file_names, obj src_dir = os.path.join(src_path, obj_name) if dst_path.startswith(src_dir): error_msg = _(u'Can not copy directory %(src)s to its subdirectory %(des)s') \ - % {'src': src_dir, 'des': dst_path} + % {'src': escape(src_dir), 'des': escape(dst_path)} result['error'] = error_msg return HttpResponse(json.dumps(result), status=400, content_type=content_type)
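Review bot: In the dirents_copy_move_common hunk the length check `len(dst_path+obj_name) > settings.MAX_PATH` does not include the separator that will sit between the two parts, so it can under-count by one when `dst_path` does not already end with `/`; if that is how paths arrive here (not visible in this hunk), `len(os.path.join(dst_path, obj_name)) > settings.MAX_PATH` measures the real path. The escaped `obj_name` in the error string carries the same HTML-context assumption as the success messages elsewhere in this file and should be noted with a comment, e.g. `# result['error'] is rendered as HTML by the client`. The decorator body starts before this hunk.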
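Review bot: In the cp_dirents hunk the guard `if dst_path.startswith(src_dir):` is missing the `+ '/'` that mv_dirents uses, so copying `/a/b` into a sibling such as `/a/bc` is rejected as a copy into its own subdirectory; cp_dir in the preceding hunk has the same discrepancy. Conversely, the `startswith(src_dir + '/')` form does not catch `dst_path == src_dir` unless destinations always carry a trailing slash, which this hunk does not establish. A single form covers both cases and should be used in all four places: `if dst_path == src_dir or dst_path.startswith(src_dir + '/'):`. cp_dirents continues after the hunk.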