From 68ca199ae3a59802ab45b190cb1104e366a87e4f Mon Sep 17 00:00:00 2001
From: rlx <0x0073@0x2620.org>
Date: Wed, 22 Feb 2012 10:14:25 +0000
Subject: [PATCH] properly escape user names and list names
---
source/Ox.UI/js/Calendar/Ox.ListCalendar.js | 3 +++
source/Ox.UI/js/Form/Ox.ArrayEditable.js | 6 +++---
source/Ox.UI/js/List/Ox.TextList.js | 3 ++-
source/Ox.UI/js/Map/Ox.ListMap.js | 3 +++
source/Ox.UI/js/Video/Ox.AnnotationFolder.js | 7 ++++++-
source/Ox.UI/js/Video/Ox.AnnotationPanel.js | 2 +-
6 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/source/Ox.UI/js/Calendar/Ox.ListCalendar.js b/source/Ox.UI/js/Calendar/Ox.ListCalendar.js
index 2a75d7bf..9f40893c 100644
--- a/source/Ox.UI/js/Calendar/Ox.ListCalendar.js
+++ b/source/Ox.UI/js/Calendar/Ox.ListCalendar.js
@@ -135,6 +135,9 @@ Ox.ListCalendar = function(options, self) {
width: 256
},
{
+ format: function(value) {
+ return Ox.encodeHTMLEntities(value);
+ },
id: 'user',
operator: '+',
title: 'User',
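Review bot: The new `format` hook escapes the user column for display, but the same patch introduces an `unformat` hook in Ox.TextList for exactly this case, and neither this column nor the identical one in Ox.ListMap.js sets it; if the user column is editable (not visible in the hunk), double-click editing would load `&amp;`-style entities into the input. Either pair the hook with its inverse, `unformat: Ox.decodeHTMLEntities,` (assuming the library's decode counterpart is available), or record the assumption next to it: `// display-only column: the escaped value is never fed back into an input`. The column definition continues outside the hunk.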
diff --git a/source/Ox.UI/js/Form/Ox.ArrayEditable.js b/source/Ox.UI/js/Form/Ox.ArrayEditable.js
index f44b8545..bc6369ea 100644
--- a/source/Ox.UI/js/Form/Ox.ArrayEditable.js
+++ b/source/Ox.UI/js/Form/Ox.ArrayEditable.js
@@ -21,7 +21,7 @@ Ox.ArrayEditable = function(options, self) {
separator: ',',
sort: [],
submitOnBlur: true,
- tooltip: '',
+ tooltipText: '',
type: 'input',
width: 256
})
@@ -121,8 +121,8 @@ Ox.ArrayEditable = function(options, self) {
submitOnBlur: self.options.submitOnBlur,
tooltip: (
self.options.tooltipText
- ? Ox.formatString(self.options.tooltipText, item) + '
'
- : ''
+ ? self.options.tooltipText(item) + '
'
+ : ''
) + 'Click to select' + (
item.editable
? ', doubleclick to edit'
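Review bot: `self.options.tooltipText(item)` assumes the option is a function, but the default introduced in the first hunk of this file is the string `''` and no type check is made, so any caller still passing the previous string template (as Ox.AnnotationFolder did before this patch) now throws a TypeError when the tooltip is built instead of formatting it. A one-line guard keeps both forms working: `? (typeof self.options.tooltipText == 'function' ? self.options.tooltipText(item) : Ox.formatString(self.options.tooltipText, item)) + '\n'`. The escaping responsibility now sits entirely with the caller's function, since its result is concatenated into the tooltip unescaped; the option documentation (outside this hunk) should say that the function must return already-escaped HTML. The `'\n'` literal appears split across two physical lines here, which looks like an artifact of how the patch was captured rather than the source.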
diff --git a/source/Ox.UI/js/List/Ox.TextList.js b/source/Ox.UI/js/List/Ox.TextList.js
index 78dd0a67..f236e802 100644
--- a/source/Ox.UI/js/List/Ox.TextList.js
+++ b/source/Ox.UI/js/List/Ox.TextList.js
@@ -19,6 +19,7 @@ Ox.TextList TextList Object
operator default sort operator
title ...
titleImage ...
+ unformat Applied before editing
unique If true, this column acts as unique id
visible ...
width ...
@@ -840,7 +841,7 @@ Ox.TextList = function(options, self) {
$input = Ox.Input({
autovalidate: column.input ? column.input.autovalidate : null,
style: 'square',
- value: html,
+ value: column.unformat ? column.unformat(html) : html,
width: width
})
.bind({
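Review bot: `column.unformat(html)` recovers the editable value by inverting the display formatting, which is lossy in general and only as good as each column's hand-written inverse; a column that sets `format` but no `unformat` (the user columns in Ox.ListCalendar and Ox.ListMap in this same patch) still gets the escaped HTML as the input's value. If the list still holds the raw item value that `format` was applied to (not visible in this hunk), seeding `value` from that instead of from `html` would remove the need for an inverse entirely. If `unformat` stays, the option line added in the earlier hunk of this file should state its contract, e.g. `unformat Function applied to the formatted (HTML) value to recover the plain value before editing`. The enclosing edit handler starts and ends outside the hunk.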
diff --git a/source/Ox.UI/js/Map/Ox.ListMap.js b/source/Ox.UI/js/Map/Ox.ListMap.js
index a50aef59..55acd2a3 100644
--- a/source/Ox.UI/js/Map/Ox.ListMap.js
+++ b/source/Ox.UI/js/Map/Ox.ListMap.js
@@ -240,6 +240,9 @@ Ox.ListMap = function(options, self) {
width: 128
},
{
+ format: function(value) {
+ return Ox.encodeHTMLEntities(value);
+ },
id: 'user',
operator: '+',
title: 'User',
diff --git a/source/Ox.UI/js/Video/Ox.AnnotationFolder.js b/source/Ox.UI/js/Video/Ox.AnnotationFolder.js
index 9c7faa65..cb5fc9e3 100644
--- a/source/Ox.UI/js/Video/Ox.AnnotationFolder.js
+++ b/source/Ox.UI/js/Video/Ox.AnnotationFolder.js
@@ -206,7 +206,12 @@ Ox.AnnotationFolder = function(options, self) {
separator: ';',
sort: self.sort,
submitOnBlur: false,
- tooltipText: self.options.showInfo ? '{user}, {date}' : '',
+ tooltipText: self.options.showInfo ? function(item) {
+ return Ox.formatString('{user} {date}', {
+ user: Ox.encodeHTMLEntities(item.user),
+ date: item.date
+ });
+ } : '',
width: self.options.width,
maxHeight: self.options.type == 'text' ? Infinity : void 0,
type: self.options.type == 'text' ? 'textarea' : 'input'
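Review bot: Only `item.user` is passed through `Ox.encodeHTMLEntities`; `item.date` is interpolated into the tooltip HTML as-is, and the new template also drops the comma the old `'{user}, {date}'` string had, which the commit message does not mention. Escaping the assembled string once is shorter and covers both fields: `return Ox.encodeHTMLEntities(Ox.formatString('{user}, {date}', item));`. Whether `item.date` can ever carry user-controlled text is not visible here, but encoding it costs nothing and removes the question for future fields added to the template. The surrounding Ox.ArrayEditable options object continues outside the hunk.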
diff --git a/source/Ox.UI/js/Video/Ox.AnnotationPanel.js b/source/Ox.UI/js/Video/Ox.AnnotationPanel.js
index 7166b9a4..7b6fe61d 100644
--- a/source/Ox.UI/js/Video/Ox.AnnotationPanel.js
+++ b/source/Ox.UI/js/Video/Ox.AnnotationPanel.js
@@ -340,7 +340,7 @@ Ox.AnnotationPanel = function(options, self) {
{},
{id: 'users', title: 'Show Users', disabled: true},
{group: 'users', min: 1, max: -1, items: self.users.map(function(user) {
- return {id: user, title: user, checked:
+ return {id: user, title: Ox.encodeHTMLEntities(user), checked:
self.enabledUsers == 'all' || self.enabledUsers.indexOf(user) > -1
};
})}
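Review bot: `title` is encoded before being handed to the menu while `id` stays the raw user string, which is correct only if the menu renders `title` as HTML and never renders `id`; if the menu component already escapes item titles, a user containing `&` would now display as `&amp;` (neither behaviour is visible in the hunk). A short comment would pin the expectation in place: `// menu titles are rendered as HTML, so encode here; id stays raw for matching against self.enabledUsers`. The `self.users.map(...)` call and the surrounding menu definition continue outside the hunk.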