
added necessary 'escape' for dir/file operations

This commit is contained in:
llj
2015-03-17 15:50:49 +08:00
parent 2d43bb88dc
commit cd66730377
5 changed files with 32 additions and 29 deletions


@@ -703,7 +703,7 @@ var del_dirents = function() {
} else { } else {
msg_s = "{% trans "Successfully deleted %(name)s." %}"; msg_s = "{% trans "Successfully deleted %(name)s." %}";
} }
msg_s = msg_s.replace('%(name)s', data['deleted'][0]).replace('%(amount)s', data['deleted'].length - 1); msg_s = msg_s.replace('%(name)s', HTMLescape(data['deleted'][0])).replace('%(amount)s', data['deleted'].length - 1);
feedback(msg_s, 'success'); feedback(msg_s, 'success');
updateCmt(); updateCmt();
} }
@@ -906,7 +906,7 @@ $('#mv-dirents, #cp-dirents').click(function() {
msg_s = "{% trans "Successfully copied %(name)s and %(amount)s other items." %}"; msg_s = "{% trans "Successfully copied %(name)s and %(amount)s other items." %}";
} }
} }
msg_s = msg_s.replace('%(name)s', data['success'][0]).replace('%(amount)s', data['success'].length - 1); msg_s = msg_s.replace('%(name)s', HTMLescape(data['success'][0])).replace('%(amount)s', data['success'].length - 1);
msg_s += ' <a href="' + view_url + '">' + "{% trans "View" %}" + '</a>'; msg_s += ' <a href="' + view_url + '">' + "{% trans "View" %}" + '</a>';
feedback(msg_s, 'success'); feedback(msg_s, 'success');
updateCmt(); updateCmt();
@@ -926,7 +926,7 @@ $('#mv-dirents, #cp-dirents').click(function() {
msg_f = "{% trans "Internal error. Failed to copy %(name)s." %}"; msg_f = "{% trans "Internal error. Failed to copy %(name)s." %}";
} }
} }
msg_f = msg_f.replace('%(name)s', data['failed'][0]).replace('%(amount)s', data['failed'].length - 1); msg_f = msg_f.replace('%(name)s', HTMLescape(data['failed'][0])).replace('%(amount)s', data['failed'].length - 1);
feedback(msg_f, 'error'); feedback(msg_f, 'error');
} }
}, },
@@ -1290,7 +1290,7 @@ $('#add-new-file').click(function () {
// share current dir // share current dir
$('#share-cur-dir').click(function() { $('#share-cur-dir').click(function() {
var op = $(this), name, aj_urls, type; var op = $(this), name, aj_urls, type;
name = $('#cur-dir-name').html(); name = $('#cur-dir-name').attr('data-name');
aj_urls = { 'link': op.data('url'), 'upload-link': op.data('upload-url') }; aj_urls = { 'link': op.data('url'), 'upload-link': op.data('upload-url') };
type = 'd'; type = 'd';
showSharePopup(op, name, aj_urls, type, cur_path); showSharePopup(op, name, aj_urls, type, cur_path);
@@ -1639,7 +1639,7 @@ $('.dir-del, .file-del', context).click(function() {
dirent.remove(); dirent.remove();
no_file_op_popup = true;// make other items can work normally when hover no_file_op_popup = true;// make other items can work normally when hover
var msg = "{% trans "Successfully deleted %(name)s" %}"; var msg = "{% trans "Successfully deleted %(name)s" %}";
msg = msg.replace('%(name)s', dirent_name); msg = msg.replace('%(name)s', HTMLescape(dirent_name));
feedback(msg, 'success'); feedback(msg, 'success');
updateCmt(); updateCmt();
} }
@@ -1657,7 +1657,7 @@ $('.file-rename, .dir-rename', context).click(function () {
op_detail = $('.detail', form); op_detail = $('.detail', form);
form.data('op_obj', dirent).modal(); form.data('op_obj', dirent).modal();
op_detail.html(op_detail.html().replace('%(name)s', '<span class="op-target">' + orig_name + '</span>')); op_detail.html(op_detail.html().replace('%(name)s', '<span class="op-target">' + HTMLescape(orig_name) + '</span>'));
$('input[name*="name"]', form).val(orig_name); $('input[name*="name"]', form).val(orig_name);
if (op.hasClass('file-rename')) { if (op.hasClass('file-rename')) {
form.prepend("<h3>{% trans "Rename File" %}</h3>").data('obj_type', 'file'); form.prepend("<h3>{% trans "Rename File" %}</h3>").data('obj_type', 'file');
@@ -1673,7 +1673,8 @@ $('.file-rename, .dir-rename', context).click(function () {
$('.file-cp, .file-mv, .dir-cp, .dir-mv', context).click(function () { $('.file-cp, .file-mv, .dir-cp, .dir-mv', context).click(function () {
var op = $(this), op_type, op_detail, var op = $(this), op_type, op_detail,
dirent = op.parents('tr'), dirent = op.parents('tr'),
obj_name = dirent.attr('data-name'), obj_type, obj_name = dirent.attr('data-name'),
obj_type,
form = $('#mv-form'), form_hd; form = $('#mv-form'), form_hd;
form.modal({appendTo:'#main', autoResize:true, focus:false}); form.modal({appendTo:'#main', autoResize:true, focus:false});
@@ -1703,7 +1704,7 @@ $('.file-cp, .file-mv, .dir-cp, .dir-mv', context).click(function () {
obj_type = 'dir'; obj_type = 'dir';
} }
op_detail = op_detail.replace('%(name)s', '<span class="op-target">' + obj_name + '</span>'); op_detail = op_detail.replace('%(name)s', '<span class="op-target">' + HTMLescape(obj_name) + '</span>');
form.prepend('<h3>' + form_hd + '</h3><h4>' + op_detail + '</h4>'); form.prepend('<h3>' + form_hd + '</h3><h4>' + op_detail + '</h4>');
$('input[name="op"]', form).val(op_type); $('input[name="op"]', form).val(op_type);
@@ -1728,7 +1729,7 @@ $('.file-update', context).click(function() {
var file_name = $(this).parents('.file-item').attr('data-name'); var file_name = $(this).parents('.file-item').attr('data-name');
var form = $('#update-file-form'); var form = $('#update-file-form');
var hd = $('#update-file-dialog .hd'); var hd = $('#update-file-dialog .hd');
hd.html(hd.html().replace('%(file_name)s', '<span class="op-target">' + file_name + '</span>')); hd.html(hd.html().replace('%(file_name)s', '<span class="op-target">' + HTMLescape(file_name) + '</span>'));
$('input[name="target_file"]', form).val(cur_path + file_name); $('input[name="target_file"]', form).val(cur_path + file_name);
@@ -1781,7 +1782,7 @@ $('.file-update', context).click(function() {
$('input[name="target_file"]', form).val(cur_path + file_name); $('input[name="target_file"]', form).val(cur_path + file_name);
var hd = $('#update-file-dialog .hd'); var hd = $('#update-file-dialog .hd');
hd.html(hd.html().replace('%(file_name)s', '<span class="op-target">' + file_name + '</span>')); hd.html(hd.html().replace('%(file_name)s', '<span class="op-target">' + HTMLescape(file_name) + '</span>'));
$.ajax({ $.ajax({
url: '{% url 'get_file_op_url' repo.id %}?op_type=' + e('update'), url: '{% url 'get_file_op_url' repo.id %}?op_type=' + e('update'),
@@ -1991,9 +1992,9 @@ $('#add-new-file-form, #add-new-dir-form, #rename-form, #mv-form').submit(functi
var name_link = $('.dirent-name a', op_obj); var name_link = $('.dirent-name a', op_obj);
if (name_link.length == 1) { if (name_link.length == 1) {
name_link.html(new_name).attr('href', name_link.attr('href').substr(0, name_link.attr('href').indexOf('?')) + '?p=' + e(path+new_name)); name_link.html(HTMLescape(new_name)).attr('href', name_link.attr('href').substr(0, name_link.attr('href').indexOf('?')) + '?p=' + e(path+new_name));
} else { } else {
$('.dirent-name', op_obj).html(new_name); // no link for files in client_crypto mode $('.dirent-name', op_obj).html(HTMLescape(new_name)); // no link for files in client_crypto mode
} }
$('.dirent-update', op_obj).html("{% trans "Just now" %}"); $('.dirent-update', op_obj).html("{% trans "Just now" %}");
var dld_link; var dld_link;
@@ -2020,7 +2021,7 @@ $('#add-new-file-form, #add-new-dir-form, #rename-form, #mv-form').submit(functi
} }
var msg = "{% trans "Successfully renamed %(old_name)s to %(new_name)s" %}"; var msg = "{% trans "Successfully renamed %(old_name)s to %(new_name)s" %}";
msg = msg.replace('%(old_name)s', old_name).replace('%(new_name)s', new_name); msg = msg.replace('%(old_name)s', HTMLescape(old_name)).replace('%(new_name)s', HTMLescape(new_name));
feedback(msg, 'success'); feedback(msg, 'success');
}; };
} else {// #mv-form } else {// #mv-form
@@ -2074,7 +2075,7 @@ $('#add-new-file-form, #add-new-dir-form, #rename-form, #mv-form').submit(functi
paddingTop: 50 paddingTop: 50
}, focus:false}); }, focus:false});
var det_text = op == 'mv' ? "{% trans "Moving %(name)s" %}": "{% trans "Copying %(name)s" %}"; var det_text = op == 'mv' ? "{% trans "Moving %(name)s" %}": "{% trans "Copying %(name)s" %}";
details.html(det_text.replace('%(name)s', trimFilename(obj_name, 20))).removeClass('vh'); details.html(det_text.replace('%(name)s', HTMLescape(trimFilename(obj_name, 20)))).removeClass('vh');
$('#mv-progress').progressbar(); $('#mv-progress').progressbar();
req_progress(); req_progress();
}, 100); }, 100);
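Review bot: Every `.replace('%(name)s', HTMLescape(...))` call in this file (del_dirents, the mv/cp handlers, rename, update and the submit handler) passes the escaped name as a string replacement, and `String.prototype.replace` interprets `$&`, `` $` ``, `$'` and `$$` in that string, so a file named `$&` is displayed as `%(name)s` and one containing `$'` duplicates the rest of the template text; no unescaped HTML gets in because HTMLescape leaves `$` alone, but the shown name is wrong. Passing a function sidesteps the special patterns: `msg_s.replace('%(name)s', function () { return HTMLescape(data['deleted'][0]); })`. A smaller style point: `name_link.html(HTMLescape(new_name))` and `$('.dirent-name', op_obj).html(HTMLescape(new_name))` could use jQuery's `.text(new_name)`, which sets the text node directly and needs no escape helper. `view_url` is concatenated into the `href` in the same statement whose name was just fixed, without escaping; its origin is outside the hunk, so confirm it is server-built and URL-encoded or wrap it in `HTMLescape` as well.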


@@ -5,7 +5,7 @@
{% if forloop.first or not forloop.last %} {% if forloop.first or not forloop.last %}
<a href="{{ SITE_ROOT }}repo/{{ repo.id }}/?p={{ link|urlencode }}" class="dir-link normal">{{ name }}</a> / <a href="{{ SITE_ROOT }}repo/{{ repo.id }}/?p={{ link|urlencode }}" class="dir-link normal">{{ name }}</a> /
{% else %} {% else %}
<span id="cur-dir-name">{{ name }}</span> / <span id="cur-dir-name" data-name="{{ name }}">{{ name }}</span> /
{% endif %} {% endif %}
{% endfor %} {% endfor %}
</p> </p>
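Review bot: The new `data-name="{{ name }}"` attribute relies on Django autoescaping being active for this template so that a `"` in a directory name cannot close the attribute; nothing in the hunk shows an `{% autoescape %}` directive, so confirm the including template does not switch it off. Reading it back with jQuery's `.attr('data-name')` (the JS side of this commit) yields the decoded name, which is why it is preferable to reading `.html()`; a one-line template comment, `{# data-name is read by the repo JS via .attr(), which decodes entities — keep it autoescaped #}`, would record that dependency.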


@@ -65,7 +65,7 @@ function showSharePopup(op, name, aj_urls, type, cur_path) {
form.modal({appendTo: "#main",'focus':false, containerCss:{"padding":0}}); form.modal({appendTo: "#main",'focus':false, containerCss:{"padding":0}});
var hd = $('#file-share .hd'); var hd = $('#file-share .hd');
hd.html(hd.html().replace('%(name)s', '<span class="op-target">' + trimFilename(name, 30) + '</span>')); hd.html(hd.html().replace('%(name)s', '<span class="op-target">' + HTMLescape(trimFilename(name, 30)) + '</span>'));
if (type == 'd') { if (type == 'd') {
$('#private-share-tab, #private-share').remove(); $('#private-share-tab, #private-share').remove();
@@ -141,7 +141,7 @@ function showSharePopup(op, name, aj_urls, type, cur_path) {
form.removeClass('hide').css({'width':'auto', 'padding-top':0}); form.removeClass('hide').css({'width':'auto', 'padding-top':0});
$("h3", form).remove(); $("h3", form).remove();
$('.checkbox-label', form).css({'margin-right':'3px'}); // make it not show on top of the scrollbar when hover $('.checkbox-label', form).css({'margin-right':'3px'}); // make it not show on top of the scrollbar when hover
form.data('dir-path', path).attr('data-name', name); form.data('dir-path', path);
$("#repo-share-tabs").tabs(); $("#repo-share-tabs").tabs();
$('#repo-share-tabs .ui-tabs-nav').css({'padding-left': '1.4em'}); $('#repo-share-tabs .ui-tabs-nav').css({'padding-left': '1.4em'});
}); });
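Review bot: `form.data('dir-path', path)` no longer sets `data-name` on the share form, but nothing in the hunk shows that its readers were removed; any code elsewhere doing `form.attr('data-name')` or `form.data('name')` now gets `undefined`, so grep for consumers before merging (the rest of showSharePopup is outside the hunk). The `HTMLescape(trimFilename(name, 30))` ordering is right, since truncating after escaping could cut an entity in half, but the escaped string is still used as a `String.prototype.replace` replacement, where `$&` and `$'` are special; `hd.html().replace('%(name)s', function () { return '<span class="op-target">' + HTMLescape(trimFilename(name, 30)) + '</span>'; })` avoids that.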


@@ -97,7 +97,7 @@ var saving_tip = $('.saving-tip', form);
// Initialize the jQuery File Upload widget: // Initialize the jQuery File Upload widget:
form.fileupload({ form.fileupload({
formData: {'parent_dir': "{{path}}"}, formData: {'parent_dir': "{{path|escapejs}}"},
// customize it for 'done' // customize it for 'done'
getFilesFromResponse: function (data) { getFilesFromResponse: function (data) {
if (data.result) { if (data.result) {
@@ -175,10 +175,11 @@ form.fileupload({
} }
var uploaded_done_link = "{% url "upload_file_done" %}" + "?fn=" + e(file.name) + "&repo_id=" + e("{{repo.id}}"); var uploaded_done_link = "{% url "upload_file_done" %}" + "?fn=" + e(file.name) + "&repo_id=" + e("{{repo.id}}");
var path = "{{path|escapejs}}";
if (file_path) { if (file_path) {
uploaded_done_link += '&p=' + e("{{path}}" + file_path.substr(0, file_path.lastIndexOf('/') + 1)); uploaded_done_link += '&p=' + e(path + file_path.substr(0, file_path.lastIndexOf('/') + 1));
} else { } else {
uploaded_done_link += '&p=' + e("{{path}}"); uploaded_done_link += '&p=' + e(path);
} }
$.get(uploaded_done_link); $.get(uploaded_done_link);
} }
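Review bot: The switch to `{{path|escapejs}}` is the correct context filter but the reason is not recorded anywhere; inside a `<script>` string literal, HTML autoescaping would have sent `&#39;` or `&amp;` to the server as part of `parent_dir` and `p`, and escapejs is also what keeps a `"` or `</script>` in the path from breaking out of the literal. Suggest a comment above `formData`: `// path lands inside a JS string literal: escapejs, not HTML autoescape (which would corrupt the value and not stop </script>)`. `var path` is declared inside a callback whose start lies outside the hunk, so the same comment belongs there too.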


@@ -9,6 +9,7 @@ from django.http import HttpResponse, Http404, HttpResponseBadRequest
from django.template import RequestContext from django.template import RequestContext
from django.template.loader import render_to_string from django.template.loader import render_to_string
from django.utils.http import urlquote from django.utils.http import urlquote
from django.utils.html import escape
from django.utils.translation import ugettext as _ from django.utils.translation import ugettext as _
import seaserv import seaserv
@@ -695,7 +696,7 @@ def mv_file(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username):
result['success'] = True result['success'] = True
msg_url = reverse('repo', args=[dst_repo_id]) + '?p=' + urlquote(dst_path) msg_url = reverse('repo', args=[dst_repo_id]) + '?p=' + urlquote(dst_path)
msg = _(u'Successfully moved %(name)s <a href="%(url)s">view</a>') % \ msg = _(u'Successfully moved %(name)s <a href="%(url)s">view</a>') % \
{"name":obj_name, "url":msg_url} {"name":escape(obj_name), "url":msg_url}
result['msg'] = msg result['msg'] = msg
if res.background: if res.background:
result['task_id'] = res.task_id result['task_id'] = res.task_id
@@ -724,7 +725,7 @@ def cp_file(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username):
result['success'] = True result['success'] = True
msg_url = reverse('repo', args=[dst_repo_id]) + '?p=' + urlquote(dst_path) msg_url = reverse('repo', args=[dst_repo_id]) + '?p=' + urlquote(dst_path)
msg = _(u'Successfully copied %(name)s <a href="%(url)s">view</a>') % \ msg = _(u'Successfully copied %(name)s <a href="%(url)s">view</a>') % \
{"name":obj_name, "url":msg_url} {"name":escape(obj_name), "url":msg_url}
result['msg'] = msg result['msg'] = msg
if res.background: if res.background:
@@ -741,7 +742,7 @@ def mv_dir(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username):
src_dir = os.path.join(src_path, obj_name) src_dir = os.path.join(src_path, obj_name)
if dst_path.startswith(src_dir + '/'): if dst_path.startswith(src_dir + '/'):
error_msg = _(u'Can not move directory %(src)s to its subdirectory %(des)s') \ error_msg = _(u'Can not move directory %(src)s to its subdirectory %(des)s') \
% {'src': src_dir, 'des': dst_path} % {'src': escape(src_dir), 'des': escape(dst_path)}
result['error'] = error_msg result['error'] = error_msg
return HttpResponse(json.dumps(result), status=400, content_type=content_type) return HttpResponse(json.dumps(result), status=400, content_type=content_type)
@@ -762,7 +763,7 @@ def mv_dir(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username):
result['success'] = True result['success'] = True
msg_url = reverse('repo', args=[dst_repo_id]) + '?p=' + urlquote(dst_path) msg_url = reverse('repo', args=[dst_repo_id]) + '?p=' + urlquote(dst_path)
msg = _(u'Successfully moved %(name)s <a href="%(url)s">view</a>') % \ msg = _(u'Successfully moved %(name)s <a href="%(url)s">view</a>') % \
{"name":obj_name, "url":msg_url} {"name":escape(obj_name), "url":msg_url}
result['msg'] = msg result['msg'] = msg
if res.background: if res.background:
result['task_id'] = res.task_id result['task_id'] = res.task_id
@@ -778,7 +779,7 @@ def cp_dir(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username):
src_dir = os.path.join(src_path, obj_name) src_dir = os.path.join(src_path, obj_name)
if dst_path.startswith(src_dir): if dst_path.startswith(src_dir):
error_msg = _(u'Can not copy directory %(src)s to its subdirectory %(des)s') \ error_msg = _(u'Can not copy directory %(src)s to its subdirectory %(des)s') \
% {'src': src_dir, 'des': dst_path} % {'src': escape(src_dir), 'des': escape(dst_path)}
result['error'] = error_msg result['error'] = error_msg
return HttpResponse(json.dumps(result), status=400, content_type=content_type) return HttpResponse(json.dumps(result), status=400, content_type=content_type)
@@ -799,7 +800,7 @@ def cp_dir(src_repo_id, src_path, dst_repo_id, dst_path, obj_name, username):
result['success'] = True result['success'] = True
msg_url = reverse('repo', args=[dst_repo_id]) + '?p=' + urlquote(dst_path) msg_url = reverse('repo', args=[dst_repo_id]) + '?p=' + urlquote(dst_path)
msg = _(u'Successfully copied %(name)s <a href="%(url)s">view</a>') % \ msg = _(u'Successfully copied %(name)s <a href="%(url)s">view</a>') % \
{"name":obj_name, "url":msg_url} {"name":escape(obj_name), "url":msg_url}
result['msg'] = msg result['msg'] = msg
if res.background: if res.background:
result['task_id'] = res.task_id result['task_id'] = res.task_id
@@ -847,7 +848,7 @@ def dirents_copy_move_common(func):
# check file path # check file path
for obj_name in obj_file_names + obj_dir_names: for obj_name in obj_file_names + obj_dir_names:
if len(dst_path+obj_name) > settings.MAX_PATH: if len(dst_path+obj_name) > settings.MAX_PATH:
result['error'] = _('Destination path is too long for %s.') % obj_name result['error'] = _('Destination path is too long for %s.') % escape(obj_name)
return HttpResponse(json.dumps(result), status=400, return HttpResponse(json.dumps(result), status=400,
content_type=content_type) content_type=content_type)
@@ -875,7 +876,7 @@ def mv_dirents(src_repo_id, src_path, dst_repo_id, dst_path, obj_file_names, obj
src_dir = os.path.join(src_path, obj_name) src_dir = os.path.join(src_path, obj_name)
if dst_path.startswith(src_dir + '/'): if dst_path.startswith(src_dir + '/'):
error_msg = _(u'Can not move directory %(src)s to its subdirectory %(des)s') \ error_msg = _(u'Can not move directory %(src)s to its subdirectory %(des)s') \
% {'src': src_dir, 'des': dst_path} % {'src': escape(src_dir), 'des': escape(dst_path)}
result['error'] = error_msg result['error'] = error_msg
return HttpResponse(json.dumps(result), status=400, content_type=content_type) return HttpResponse(json.dumps(result), status=400, content_type=content_type)
@@ -911,7 +912,7 @@ def cp_dirents(src_repo_id, src_path, dst_repo_id, dst_path, obj_file_names, obj
src_dir = os.path.join(src_path, obj_name) src_dir = os.path.join(src_path, obj_name)
if dst_path.startswith(src_dir): if dst_path.startswith(src_dir):
error_msg = _(u'Can not copy directory %(src)s to its subdirectory %(des)s') \ error_msg = _(u'Can not copy directory %(src)s to its subdirectory %(des)s') \
% {'src': src_dir, 'des': dst_path} % {'src': escape(src_dir), 'des': escape(dst_path)}
result['error'] = error_msg result['error'] = error_msg
return HttpResponse(json.dumps(result), status=400, content_type=content_type) return HttpResponse(json.dumps(result), status=400, content_type=content_type)
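Review bot: `escape()` here bakes HTML entity encoding into the JSON API: `result['msg']` and `result['error']` now carry `&amp;`/`&#39;`, so any caller that renders them with `.text()` or a non-browser client will show the entities, while the JS in this same commit inserts them with `.html()`. That is a defensible choice for the existing repo page, but it is an API contract; a comment at the first site, `# msg/error are inserted into the page as HTML by the dir-view JS, so names are escaped here (JSON consumers receive entity-encoded text)`, records it, and any `result['error']` built from a name outside this hunk should follow the same rule. Separately, a visible context inconsistency: `cp_dir` and `cp_dirents` test `dst_path.startswith(src_dir)` while the `mv_*` paths use `src_dir + '/'`, so copying `/a/b` into `/a/bc` is rejected as a self-subdirectory copy; not introduced by this commit, but `src_dir + '/'` in both would align them.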