Escape repo name and group name in messages

seahub/share/views.py

@@ -105,7 +105,7 @@ def share_to_group(request, repo, group, permission):
         group_repo_ids = seafile_api.get_group_repoids(group.id)
     if repo.id in group_repo_ids:
         msg = _(u'"%(repo)s" is already in group %(group)s. <a href="%(href)s">View</a>') % {
-            'repo': repo.name, 'group': group.group_name,
+            'repo': escape(repo.name), 'group': escape(group.group_name),
             'href': reverse('group_info', args=[group.id])}
         messages.error(request, msg, extra_tags='safe')
         return
@@ -125,7 +125,7 @@ def share_to_group(request, repo, group, permission):
         messages.error(request, msg)
     else:
         msg = _(u'Shared to %(group)s successfully, go check it at <a href="%(share)s">Shares</a>.') % \
-            {'group': group_name, 'share': reverse('share_admin')}
+            {'group': escape(group_name), 'share': reverse('share_admin')}
         messages.success(request, msg, extra_tags='safe')
 
 def share_to_user(request, repo, to_user, permission):
@@ -257,7 +257,10 @@ def share_repo(request):
 
     if not check_user_share_quota(username, repo, users=share_to_users,
                                   groups=share_to_groups):
-        messages.error(request, _('Failed to share "%s", no enough quota. <a href="http://seafile.com/">Upgrade account.</a>') % repo.name, extra_tags='safe')
+        messages.error(request, _(
+            'Failed to share "%s", no enough quota. '
+            '<a href="http://seafile.com/">Upgrade account.</a>'
+        ) % escape(repo.name), extra_tags='safe')
         return HttpResponseRedirect(next)
 
     for group in share_to_groups:

seahub/views/__init__.py

@@ -16,9 +16,10 @@ from django.http import HttpResponse, HttpResponseBadRequest, Http404, \
     HttpResponseRedirect
 from django.shortcuts import render_to_response, redirect
 from django.template import RequestContext
-from django.utils.translation import ugettext as _
 from django.utils import timezone
 from django.utils.http import urlquote
+from django.utils.html import escape
+from django.utils.translation import ugettext as _
 from django.views.decorators.http import condition
 
 import seaserv
@@ -1354,7 +1355,7 @@ def render_file_revisions (request, repo_id):
         }, context_instance=RequestContext(request))
 
 @login_required
-def repo_revert_file (request, repo_id):
+def repo_revert_file(request, repo_id):
     repo = get_repo(repo_id)
     if not repo:
         raise Http404
@@ -1371,10 +1372,13 @@ def repo_revert_file (request, repo_id):
         return render_error(request, _(u"Invalid arguments"))
 
     try:
-        ret = seafserv_threaded_rpc.revert_file (repo_id, commit_id,
-                            path.encode('utf-8'), request.user.username)
-    except Exception, e:
-        return render_error(request, str(e))
+        ret = seafile_api.revert_file(repo_id, commit_id, path, request.user.username)
+    except Exception as e:
+        logger.error(e)
+        messages.error(request, _('Failed to restore, please try again later.'))
+        referer = request.META.get('HTTP_REFERER', None)
+        next = settings.SITE_ROOT if referer is None else referer
+        return HttpResponseRedirect(next)
     else:
         if from_page == 'repo_history':
             # When revert file from repo history, we redirect to repo history
@@ -1389,16 +1393,16 @@ def repo_revert_file (request, repo_id):
 
         if ret == 1:
             root_url = reverse('repo', args=[repo_id]) + u'?p=/'
-            msg = _(u'Successfully revert %(path)s to <a href="%(root)s">root directory.</a>') % {"path":path.lstrip('/'), "root":root_url}
-            messages.add_message(request, messages.INFO, msg, extra_tags='safe')
+            msg = _(u'Successfully revert %(path)s to <a href="%(root)s">root directory.</a>') % {"path": escape(path.lstrip('/')), "root": root_url}
+            messages.success(request, msg, extra_tags='safe')
         else:
             file_view_url = reverse('repo_view_file', args=[repo_id]) + u'?p=' + urllib2.quote(path.encode('utf-8'))
-            msg = _(u'Successfully revert <a href="%(url)s">%(path)s</a>') % {"url":file_view_url, "path":path.lstrip('/')}
-            messages.add_message(request, messages.INFO, msg, extra_tags='safe')
+            msg = _(u'Successfully revert <a href="%(url)s">%(path)s</a>') % {"url": file_view_url, "path": escape(path.lstrip('/'))}
+            messages.success(request, msg, extra_tags='safe')
         return HttpResponseRedirect(url)
 
 @login_required
-def repo_revert_dir (request, repo_id):
+def repo_revert_dir(request, repo_id):
     repo = get_repo(repo_id)
     if not repo:
         raise Http404
@@ -1415,10 +1419,13 @@ def repo_revert_dir (request, repo_id):
         return render_error(request, _(u"Invalid arguments"))
 
     try:
-        ret = seafserv_threaded_rpc.revert_dir (repo_id, commit_id,
-                            path.encode('utf-8'), request.user.username)
-    except Exception, e:
-        return render_error(request, str(e))
+        ret = seafile_api.revert_dir(repo_id, commit_id, path, request.user.username)
+    except Exception as e:
+        logger.error(e)
+        messages.error(request, _('Failed to restore, please try again later.'))
+        referer = request.META.get('HTTP_REFERER', None)
+        next = settings.SITE_ROOT if referer is None else referer
+        return HttpResponseRedirect(next)
     else:
         if from_page == 'repo_history':
             # When revert file from repo history, we redirect to repo history
@@ -1433,12 +1440,12 @@ def repo_revert_dir (request, repo_id):
 
         if ret == 1:
             root_url = reverse('repo', args=[repo_id]) + u'?p=/'
-            msg = _(u'Successfully revert %(path)s to <a href="%(url)s">root directory.</a>') % {"path":path.lstrip('/'), "url":root_url}
-            messages.add_message(request, messages.INFO, msg, extra_tags='safe')
+            msg = _(u'Successfully revert %(path)s to <a href="%(url)s">root directory.</a>') % {"path": escape(path.lstrip('/')), "url": root_url}
+            messages.success(request, msg, extra_tags='safe')
         else:
             dir_view_url = reverse('repo', args=[repo_id]) + u'?p=' + urllib2.quote(path.encode('utf-8'))
-            msg = _(u'Successfully revert <a href="%(url)s">%(path)s</a>') % {"url":dir_view_url, "path":path.lstrip('/')}
-            messages.add_message(request, messages.INFO, msg, extra_tags='safe')
+            msg = _(u'Successfully revert <a href="%(url)s">%(path)s</a>') % {"url": dir_view_url, "path": escape(path.lstrip('/'))}
+            messages.success(request, msg, extra_tags='safe')
         return HttpResponseRedirect(url)
 
 @login_required